matson Posted April 30, 2011 ID:423046 Share Posted April 30, 2011 Hi,Spybot sees the click.giftload but does not remove it. malware byte says there is nothing. I read many thread about this thing after d/l tdsskillerI did a scan by forcing him to start in the run as mode. no result and no log.Malwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.orgDatabase version: 6474Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187022011-04-29 21:12:26mbam-log-2011-04-29 (21-12-26).txtScan type: Quick scanObjects scanned: 147828Time elapsed: 2 minute(s), 3 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected).DDS (Ver_11-03-05.01) - NTFSx86 Run by NICOU at 22:21:45,48 on 2011-04-29Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1482 [GMT -3:00].AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}.============== Running Processes ===============.C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exe -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\McAfee\Common Framework\UdaterUI.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\McAfee\Common Framework\McTray.exesvchost.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exeC:\Program Files\McAfee\Common Framework\FrameworkService.exeC:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exeC:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exeC:\WINDOWS\system32\HPZipm12.exeF:\Programmes\Alcohol 52\StarWind\StarWindServiceAE.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\WINDOWS\system32\wuauclt.exeC:\PROGRA~1\hpq\Shared\HPQTOA~1.EXEC:\Program Files\Mozilla Firefox\firefox.exeC:\Documents and Settings\NICOU\Desktop\dds.scr.============== Pseudo HJT Report ===============.uStart Page = hxxp://www.bigseekpro.com/anyvideo2dvd/{72451267-22A7-4C23-9DCE-A7E772A37893}mStart Page = hxxp://www.bigseekpro.com/anyvideo2dvd/{72451267-22A7-4C23-9DCE-A7E772A37893}uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=laptopuInternet Settings,ProxyOverride = *.localBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dllBHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\any video to dvd db toolbar\tbcore3.dllTB: {C4069E3A-68F1-403E-B40E-20066696354B} - No FileTB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No FilemRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exemRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONEmRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKeymRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exemRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /StartmRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cabNotify: AtiExtEvent - Ati2evxx.dll.================= FIREFOX ===================.FF - ProfilePath - c:\docume~1\nicou\applic~1\mozilla\firefox\profiles\mtc5e0vx.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/anyvideo2dvd/{5BC4B17D-66A1-4F00-BE33-AF17ECDA68F1}?q=FF - plugin: c:\documents and settings\nicou\application data\mozilla\firefox\profiles\mtc5e0vx.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dllFF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll.============= SERVICES / DRIVERS ===============.R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-4-2 103744]R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-1-24 144704]R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-1-24 54608]R2 StarWindServiceAE;StarWind AE Service;f:\programmes\alcohol 52\starwind\StarWindServiceAE.exe [2009-12-23 370688]R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2011-4-2 72936]R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2011-4-2 33960]R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2011-4-2 171400]S2 Cubase32;Cubase32;c:\windows\system32\drivers\Cubase32.sys [2011-4-11 11808]S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-4-5 13192]S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-4-5 8456]S3 RDID1044;Roland SP-606;c:\windows\system32\drivers\rdwm1044.sys [2011-4-11 161422].=============== Created Last 30 ================.2011-04-29 23:45:13 -------- d-sha-r- C:\cmdcons2011-04-29 23:41:53 98816 ----a-w- c:\windows\sed.exe2011-04-29 23:41:53 89088 ----a-w- c:\windows\MBR.exe2011-04-29 23:41:53 256512 ----a-w- c:\windows\PEV.exe2011-04-29 23:41:53 161792 ----a-w- c:\windows\SWREG.exe2011-04-29 20:28:09 0 ----a-w- c:\documents and settings\nicou\ntuser.tmp2011-04-29 01:26:11 -------- d-----w- c:\program files\Spybot - Search & Destroy2011-04-29 01:26:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy2011-04-28 20:20:08 -------- d-----w- c:\program files\CCleaner2011-04-28 03:21:56 0 ----a-w- c:\windows\Xgihetiy.bin2011-04-28 03:20:39 157184 --sha-r- c:\windows\system32\MsPMSPU.dll2011-04-28 03:20:39 157184 --sha-r- c:\windows\system32\dispexv.dll2011-04-28 03:20:39 157184 --sha-r- c:\windows\system32\confmspl.dll2011-04-21 06:22:57 -------- d-----w- c:\docume~1\nicou\applic~1\Toolbar42011-04-21 06:22:53 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Somoto2011-04-21 06:22:48 -------- d-----w- c:\program files\Any Video To DVD DB Toolbar2011-04-12 17:32:59 -------- d-sh--w- c:\documents and settings\nicou\IECompatCache2011-04-12 04:49:18 -------- d-----w- c:\docume~1\nicou\applic~1\OpenOffice.org2011-04-12 04:43:50 -------- d-----w- c:\program files\OpenOffice.org 32011-04-11 18:51:08 38401 ----a-r- c:\windows\system32\RdCi1044.dll2011-04-11 18:51:07 81920 ----a-r- c:\windows\system32\rdas1044.dll2011-04-11 18:51:07 161422 ----a-r- c:\windows\system32\drivers\rdwm1044.sys2011-04-11 18:51:06 57344 ----a-r- c:\windows\system32\RDCP1044.CPL2011-04-11 18:51:06 229376 ----a-r- c:\windows\system32\RDDP1044.DAT2011-04-11 18:51:05 51644 ----a-r- c:\windows\system32\rddv1044.dll2011-04-11 18:09:54 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys2011-04-11 18:09:54 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys2011-04-11 18:08:30 85504 ----a-w- c:\windows\system32\ma_cmidn.dll2011-04-11 18:08:29 7282 ----a-w- c:\windows\system32\MA_CMIDI.VXD2011-04-11 18:08:29 21888 ----a-w- c:\windows\system32\drivers\ma_cmidi.sys2011-04-11 18:08:29 17920 ----a-w- c:\windows\system32\MA_CMIDI.DLL2011-04-11 18:08:29 14176 ----a-w- c:\windows\system32\MA_CMIDI.DRV2011-04-11 18:08:10 -------- d-----w- c:\program files\M-Audio MA_CMIDI2011-04-11 09:00:56 -------- d-----w- c:\program files\D16 Group2011-04-11 08:51:41 -------- d-----w- c:\program files\Solid State Logic2011-04-11 08:16:48 765952 ----a-w- c:\windows\system32\msvcp71d.dll2011-04-11 08:16:48 544768 ----a-w- c:\windows\system32\msvcr71d.dll2011-04-11 08:16:44 -------- d-----w- c:\program files\Nomad Factory2011-04-11 07:42:37 129024 ----a-w- c:\windows\UNWISE.EXE2011-04-11 07:35:09 24576 ----a-w- c:\windows\system32\wavlbsys.dll2011-04-11 07:35:09 11808 ----a-w- c:\windows\system32\drivers\Cubase32.sys2011-04-11 05:23:45 -------- d-----w- c:\docume~1\nicou\applic~1\Blue Cat Audio2011-04-11 04:08:03 -------- d-----w- c:\docume~1\nicou\applic~1\Daichi2011-04-11 00:29:07 -------- d-----w- c:\program files\FXpansion2011-04-11 00:29:07 -------- d-----w- c:\docume~1\nicou\applic~1\FXpansion2011-04-10 21:36:12 2240 ----a-w- c:\windows\LENDIG.sys2011-04-10 20:45:07 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Identities2011-04-10 08:19:44 -------- d-sh--w- c:\documents and settings\nicou\PrivacIE2011-04-10 07:32:20 691551 ----a-w- c:\program files\uninstall information\{abaf1232-6213-4062-9d52-04e04a730cea}\unins000.exe2011-04-10 07:28:47 691551 ----a-w- c:\program files\uninstall information\{842c6afc-7856-4fd9-99af-8900554acaa2}\unins000.exe2011-04-10 06:50:29 -------- d-----w- c:\docume~1\nicou\applic~1\Smartelectronix2011-04-10 04:02:20 -------- d-----w- c:\program files\GForce2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\sysprs7.dll2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\clauth2.dll2011-04-10 00:55:01 1025 ----a-w- c:\windows\system32\clauth1.dll2011-04-10 00:54:55 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Native Instruments2011-04-10 00:43:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\IK Multimedia2011-04-08 05:51:33 319487 ----a-w- c:\windows\LOOP.exe2011-04-08 05:37:13 -------- d-----w- c:\program files\common files\KORG2011-04-08 05:28:06 233472 ----a-w- c:\windows\system32\REX Shared Library.dll2011-04-08 05:28:06 -------- d-----w- c:\program files\common files\iZotope2011-04-08 04:22:27 393216 ----a-w- c:\windows\system32\NI_IRC_1_2.dll2011-04-08 04:22:12 61440 ----a-w- c:\windows\system32\NI_DFD_1_5.dll2011-04-08 04:22:12 1870336 ----a-w- c:\windows\system32\bconvert.dll2011-04-08 04:22:11 -------- d-----w- c:\program files\Native Instruments2011-04-08 04:22:11 -------- d-----w- c:\program files\common files\Native Instruments2011-04-08 04:06:08 86016 ----a-w- c:\windows\unvise32.exe2011-04-08 03:20:08 151552 ----a-w- c:\windows\system32\FDlg.dll2011-04-08 01:41:58 665424 ----a-w- c:\windows\system32\wmv8dmoe.dll2011-04-08 01:41:58 566272 ----a-w- c:\windows\system32\wmvdmoe.dll2011-04-08 01:41:58 438608 ----a-w- c:\windows\system32\wmv8dmod.dll2011-04-08 01:41:58 285184 ----a-w- c:\windows\system32\wmidx2.ocx2011-04-08 01:41:58 1683792 ----a-w- c:\windows\system32\wmvcore2.dll2011-04-08 01:34:10 1294336 ----a-w- c:\windows\system32\vorbis.acm2011-04-07 00:07:58 -------- d-----w- C:\QUARANTINE2011-04-06 22:39:52 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Microsoft Help2011-04-06 22:07:29 436792 ----a-w- c:\windows\system32\drivers\sptd.sys2011-04-06 21:46:46 -------- d-----w- c:\docume~1\nicou\applic~1\NetMedia Providers2011-04-06 21:46:43 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Sony2011-04-06 21:36:12 33340 ------w- c:\windows\system32\dbmsqlgc.dll2011-04-06 21:36:12 24576 ------w- c:\windows\system32\dbmsgnet.dll2011-04-06 21:35:32 -------- d-----w- c:\program files\Microsoft SQL Server2011-04-06 21:12:06 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Installer21842011-04-06 20:57:05 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Installer3762011-04-06 20:54:31 -------- d-----w- c:\program files\VideoLAN2011-04-06 20:35:11 -------- d-----w- c:\program files\common files\Control Panels2011-04-06 20:31:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\ALM2011-04-06 20:30:38 2463976 ----a-w- c:\windows\system32\NPSWF32.dll2011-04-06 20:30:38 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe2011-04-06 20:18:24 -------- d-----w- c:\program files\Bonjour2011-04-06 20:07:52 -------- d-----w- c:\program files\common files\Macrovision Shared2011-04-06 19:49:57 23376 ----a-w- c:\windows\system32\dopdfmn7.dll2011-04-06 19:49:57 20304 ----a-w- c:\windows\system32\dopdfmi7.dll2011-04-06 19:22:25 -------- d-----w- c:\docume~1\nicou\applic~1\Serif2011-04-06 18:41:46 -------- d-----w- c:\docume~1\nicou\applic~1\Softland2011-04-06 18:34:59 119568 ----a-w- c:\windows\system32\VB6FR.DLL2011-04-06 18:34:58 -------- d-----w- c:\docume~1\nicou\applic~1\FreeVideoConverter2011-04-05 06:19:02 86408 ----a-w- c:\windows\system32\setupempdrv03.exe2011-04-05 06:19:02 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys2011-04-05 06:19:02 2340992 ----a-w- c:\windows\system32\BootMan.exe2011-04-05 06:19:02 18048 ----a-w- c:\windows\system32\EuEpmGdi.dll2011-04-05 06:19:01 13192 ----a-w- c:\windows\system32\epmntdrv.sys2011-04-05 06:10:35 -------- d-----w- c:\program files\EASEUS2011-04-05 03:59:14 -------- d-----w- c:\docume~1\nicou\applic~1\QuickScan2011-04-04 23:03:44 -------- d-----w- c:\windows\system32\LogFiles2011-04-04 23:03:42 -------- d-----w- c:\docume~1\nicou\applic~1\Malwarebytes2011-04-04 23:03:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-04-04 23:03:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes2011-04-04 23:03:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2011-04-04 23:03:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-04-04 21:13:56 -------- d-----w- C:\bin2011-04-04 21:00:50 -------- d-----w- c:\program files\common files\Hewlett-Packard2011-04-04 20:59:43 94208 ----a-w- c:\windows\system32\HPZipt12.dll2011-04-04 20:59:43 57344 ----a-w- c:\windows\system32\HPZisn12.dll2011-04-04 20:59:43 204800 ----a-w- c:\windows\system32\HPZipr12.dll2011-04-04 20:59:42 69632 ----a-w- c:\windows\system32\HPZipm12.exe2011-04-04 20:59:42 65536 ----a-w- c:\windows\system32\HPZinw12.exe2011-04-04 20:59:42 278584 ----a-w- c:\windows\system32\HPZidr12.dll2011-04-04 20:56:23 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys2011-04-04 20:56:18 49664 ----a-r- c:\windows\system32\drivers\HPZid412.sys2011-04-04 20:55:47 77824 ----a-r- c:\windows\system32\HPZIDS01.dll2011-04-04 20:55:42 74240 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp054.dll2011-04-04 20:55:40 38400 ----a-w- c:\windows\system32\hpz3l054.dll2011-04-04 20:53:12 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys2011-04-04 20:53:12 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys2011-04-04 20:52:53 827392 ----a-r- c:\windows\system32\hpotiop2.dll2011-04-04 20:52:53 254026 ----a-r- c:\windows\system32\hpovst09.dll2011-04-04 20:52:52 659456 ----a-r- c:\windows\system32\hpowiax2.dll2011-04-04 20:52:49 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys2011-04-04 20:52:49 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys2011-04-04 20:50:17 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys2011-04-04 20:50:17 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys2011-04-04 06:01:53 -------- d-----w- c:\windows\pss2011-04-04 05:41:20 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Temp2011-04-03 21:26:45 -------- d-sh--w- c:\documents and settings\nicou\IETldCache2011-04-03 20:06:39 7680 ------w- c:\windows\system32\dllcache\iecompat.dll2011-04-03 20:06:22 -------- d-----w- c:\windows\ie8updates2011-04-03 20:05:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll2011-04-03 20:05:44 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll2011-04-03 20:05:44 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll2011-04-03 20:05:44 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll2011-04-03 20:05:44 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll2011-04-03 20:05:44 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll2011-04-03 20:05:44 11080704 ------w- c:\windows\system32\dllcache\ieframe.dll2011-04-03 20:04:24 -------- dc-h--w- c:\windows\ie82011-04-03 04:36:19 -------- d-----w- c:\docume~1\nicou\applic~1\VSRevoGroup2011-04-03 03:23:05 -------- d-----w- c:\program files\VS Revo Group2011-04-03 03:07:51 -------- d-----w- c:\windows\system32\scripting2011-04-03 03:07:51 -------- d-----w- c:\windows\l2schemas2011-04-03 03:07:50 -------- d-----w- c:\windows\system32\en2011-04-03 03:07:50 -------- d-----w- c:\windows\system32\bits2011-04-03 03:04:04 -------- d-----w- c:\windows\network diagnostic2011-04-03 03:01:00 -------- d-----w- c:\windows\EHome2011-04-03 02:41:55 -------- d-----w- c:\windows\ServicePackFiles2011-04-03 02:40:48 -------- d-----w- c:\program files\MSXML 4.02011-04-03 02:37:57 685056 ------w- c:\windows\system32\drivers\hsfcxts2.sys2011-04-03 02:29:27 272128 ------w- c:\windows\system32\dllcache\bthport.sys2011-04-03 02:29:26 272128 ------w- c:\windows\system32\drivers\bthport.sys2011-04-03 02:29:15 357248 ------w- c:\windows\system32\dllcache\srv.sys2011-04-03 02:29:00 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys2011-04-03 02:28:56 471552 ------w- c:\windows\system32\dllcache\aclayers.dll2011-04-03 02:28:49 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe2011-04-03 02:27:31 81920 ------w- c:\windows\system32\dllcache\fontsub.dll2011-04-03 02:27:30 119808 ------w- c:\windows\system32\dllcache\t2embed.dll2011-04-03 02:27:24 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe2011-04-03 02:27:16 153088 ------w- c:\windows\system32\dllcache\triedit.dll2011-04-03 02:25:41 331776 ------w- c:\windows\system32\dllcache\msadce.dll2011-04-03 02:25:39 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll2011-04-03 02:24:41 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll2011-04-03 02:24:16 337408 ------w- c:\windows\system32\dllcache\netapi32.dll2011-04-03 02:23:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll2011-04-03 02:23:24 218112 ------w- c:\windows\system32\dllcache\wordpad.exe2011-04-03 02:22:36 -------- d-----w- c:\windows\system32\PreInstall2011-04-03 02:11:39 -------- d-----w- c:\windows\system32\SoftwareDistribution2011-04-03 00:00:59 72936 ----a-w- c:\windows\system32\drivers\mfeavfk.sys2011-04-03 00:00:59 64232 ----a-w- c:\windows\system32\drivers\mfeapfk.sys2011-04-03 00:00:59 52104 ----a-w- c:\windows\system32\drivers\mfetdik.sys2011-04-03 00:00:59 33960 ----a-w- c:\windows\system32\drivers\mfebopk.sys2011-04-03 00:00:59 171400 ----a-w- c:\windows\system32\drivers\mfehidk.sys2011-04-03 00:00:42 -------- d-----w- c:\program files\McAfee2011-04-03 00:00:42 -------- d-----w- c:\program files\common files\McAfee2011-04-02 23:51:42 73728 ----a-w- c:\windows\system32\javacpl.cpl2011-04-02 23:51:41 472808 ----a-w- c:\windows\system32\deployJava1.dll2011-04-02 21:08:39 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Adobe2011-04-02 09:24:56 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\PCHealth2011-04-02 08:21:23 954368 ------w- c:\windows\system32\dllcache\mfc40.dll2011-04-02 08:21:22 974848 ------w- c:\windows\system32\dllcache\mfc42.dll2011-04-02 08:21:22 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll2011-04-02 08:21:03 617472 ------w- c:\windows\system32\dllcache\comctl32.dll2011-04-02 08:20:25 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys2011-04-02 08:17:55 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll2011-04-02 08:17:53 45568 ------w- c:\windows\system32\dllcache\wab.exe2011-04-02 06:01:01 -------- d-----w- c:\docume~1\nicou\locals~1\applic~1\Mozilla2011-04-02 05:57:05 -------- d-sh--w- c:\documents and settings\nicou\UserData2011-04-02 05:03:25 47104 ----a-w- c:\windows\system32\WACntlPnl.cpl2011-04-02 05:01:59 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys2011-04-02 05:01:59 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys2011-04-02 05:01:53 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys2011-04-02 03:49:14 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll2011-04-02 03:49:14 -------- d-----w- c:\program files\common files\Cisco Systems2011-04-02 03:42:19 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys.==================== Find3M ====================.2011-04-28 21:20:24 372736 ----a-w- c:\windows\eqoyafisequpal.dl2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll.=================== ROOTKIT ====================.Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.netWindows 5.1.2600 Disk: ST9120824A rev.3.05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 .device: opened successfullyuser: MBR read successfully.Disk trace:called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D7B730]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d81a10]; MOV EAX, [0x89d81a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x89DD6AB8]3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000075[0x89E059E8]5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89DC3940]\Driver\atapi[0x89E11AE8] -> IRP_MJ_CREATE -> 0x89D7B730error: Read A device attached to the system is not functioning.kernel: MBR read successfully_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }detected disk devices:detected hooks:\Driver\atapi DriverStartIo -> 0x89D7B57Buser & kernel MBR OK Warning: possible TDL3 rootkit infection !.============= FINISH: 22:23:58,34 ===============Attach.zip Link to post Share on other sites More sharing options...
matson Posted April 30, 2011 Author ID:423055 Share Posted April 30, 2011 the GMER logGMER 1.0.15.15572 - http://www.gmer.netRootkit scan 2011-04-29 22:36:54Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST9120824A rev.3.05Running: 2b4tegls.exe; Driver: C:\DOCUME~1\NICOU\LOCALS~1\Temp\pwldypod.sys---- System - GMER 1.0.15 ----Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB70378BB]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB703783B]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB70378E5]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB703784F]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB703787B]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB703790F]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB7037827]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB70378CF]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB7037865]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB7037891]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB70378A7]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB7037925]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB70378F9]Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFileCode \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection---- Kernel code sections - GMER 1.0.15 ----.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B70378FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!NtCreateFile 8056E38C 5 Bytes JMP B70378BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!NtMapViewOfSection 805A75C4 7 Bytes JMP B7037913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A83DA 5 Bytes JMP B7037929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADB5C 7 Bytes JMP B70378D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwCreateProcess 805C7582 5 Bytes JMP B70378E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8DA6 5 Bytes JMP B70378AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwSetValueKey 8061925E 7 Bytes JMP B7037895 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwRenameKey 8061A70E 7 Bytes JMP B7037869 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwCreateKey 8061ACEC 5 Bytes JMP B703783F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwDeleteKey 8061B188 7 Bytes JMP B7037853 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061B358 7 Bytes JMP B703787F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)PAGE ntkrnlpa.exe!ZwOpenKey 8061C0CA 5 Bytes JMP B703782B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF5C50EBF]? C:\DOCUME~1\NICOU\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !---- User code sections - GMER 1.0.15 ----.text C:\WINDOWS\Explorer.EXE[144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A .text C:\WINDOWS\Explorer.EXE[144] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A .text C:\WINDOWS\Explorer.EXE[144] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90095 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90084 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90FB6 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90073 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90FDB .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F900DE .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F900C1 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F900EF .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F56 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F9010A .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F90058 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F90025 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F900A6 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90047 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F90036 .text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F90F71 .text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80025 .text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80F8D .text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80014 .text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80FD4 .text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F8004A .text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80FEF .text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80FA8 .text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89].text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80FB9 .text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70FA6 .text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70FB7 .text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F7001D .text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70FEF .text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FD2 .text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F7000C .text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EA0FEF .text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EA0FCA .text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EA0000 .text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00EA001B .text C:\WINDOWS\Explorer.EXE[144] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DD0FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DD0F55 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DD0F66 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DD0040 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DD0F8D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DD0FA8 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DD0F3A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DD0080 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DD0F18 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DD00A7 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DD00CC .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DD002F .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DD0FDE .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DD006F .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DD0FC3 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DD0014 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DD0F29 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DC0FC0 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DC0F83 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DC0FE5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DC0011 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DC0040 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DC0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DC0F9E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FC, 88].text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DC0FAF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006D0F90 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] msvcrt.dll!system 77C293C7 5 Bytes JMP 006D0025 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006D0FC6 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006D0FE3 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006D0FB5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006D0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006B000A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006B001B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006B002C .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[532] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 006B0FD1 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FE5 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F70 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F8B .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0065 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0054 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0039 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F49 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0091 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0F02 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F1D .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF00C0 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FB2 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0FD4 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0080 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0014 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0FC3 .text C:\WINDOWS\system32\services.exe[864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F2E .text C:\WINDOWS\system32\services.exe[864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070040 .text C:\WINDOWS\system32\services.exe[864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070FC3 .text C:\WINDOWS\system32\services.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FEF .text C:\WINDOWS\system32\services.exe[864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070025 .text C:\WINDOWS\system32\services.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070FD4 .text C:\WINDOWS\system32\services.exe[864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0007000A .text C:\WINDOWS\system32\services.exe[864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007006C .text C:\WINDOWS\system32\services.exe[864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0007005B .text C:\WINDOWS\system32\services.exe[864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060075 .text C:\WINDOWS\system32\services.exe[864] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060064 .text C:\WINDOWS\system32\services.exe[864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060038 .text C:\WINDOWS\system32\services.exe[864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000 .text C:\WINDOWS\system32\services.exe[864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060049 .text C:\WINDOWS\system32\services.exe[864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060011 .text C:\WINDOWS\system32\services.exe[864] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00040FEF .text C:\WINDOWS\system32\services.exe[864] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0004000A .text C:\WINDOWS\system32\services.exe[864] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00040FD4 .text C:\WINDOWS\system32\services.exe[864] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 0004001B .text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F83 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F94 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0062 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FA5 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FB6 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00A9 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0F57 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00D5 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00C4 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F17 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE003D .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0000 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F68 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0022 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0011 .text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F46 .text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D40FAF .text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D40043 .text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D4000A .text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D40FD4 .text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D40F7C .text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D40FEF .text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D40F8D .text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F4, 88].text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D40F9E .text C:\WINDOWS\system32\lsass.exe[876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30F9C .text C:\WINDOWS\system32\lsass.exe[876] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30FB7 .text C:\WINDOWS\system32\lsass.exe[876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30027 .text C:\WINDOWS\system32\lsass.exe[876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30FEF .text C:\WINDOWS\system32\lsass.exe[876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FD2 .text C:\WINDOWS\system32\lsass.exe[876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D3000C .text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20000 .text C:\WINDOWS\system32\lsass.exe[876] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D10FEF .text C:\WINDOWS\system32\lsass.exe[876] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D1000A .text C:\WINDOWS\system32\lsass.exe[876] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D1002F .text C:\WINDOWS\system32\lsass.exe[876] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00D10FDE .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60000 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E60F83 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E60082 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E60065 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60FB2 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E6004A .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E600CB .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E600BA .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E600FE .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E600ED .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E60119 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E60FC3 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E60FEF .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E60093 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E60FD4 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E60025 .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E600DC .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E50FD4 .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E50051 .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E50FE5 .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E5001B .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E50040 .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E50000 .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E50FA8 .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [05, 89].text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E50FC3 .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40064 .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40049 .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40038 .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40000 .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40FE3 .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E4001D .text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0070000A .text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00700FEF .text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00700FD4 .text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00700025 .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00710000 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FEF .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0F57 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD004C .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD003B .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0F72 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD000A .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0084 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0F3C .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00B0 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F17 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD00C1 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0F8D .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0FDE .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0067 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0F9E .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0FC3 .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0095 .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FC0FCD .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FC0F9E .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FC0FDE .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FC0FEF .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FC0051 .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FC000A .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FC0040 .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FC002F .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FB0042 .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FB0FC1 .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FB0FE3 .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FB0000 .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FB0FD2 .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FB001D .text C:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F90FEF .text C:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F90014 .text C:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F90025 .text C:\WINDOWS\system32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00F90040 .text C:\WINDOWS\system32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA0000 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF000A .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF00A7 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0FB2 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0FC3 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0FD4 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0051 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F8D .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF00D5 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F4D .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00E6 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F28 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF006C .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF001B .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF00B8 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FE5 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0036 .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F72 .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0036 .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F9E .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FE5 .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE001B .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE005B .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE000A .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0FB9 .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 88].text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FD4 .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0F90 .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FAB .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FC6 .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD001B .text C:\WINDOWS\system32\svchost.exe[1232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0000 .text C:\WINDOWS\system32\svchost.exe[1232] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001D0000 .text C:\WINDOWS\system32\svchost.exe[1232] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001D001B .text C:\WINDOWS\system32\svchost.exe[1232] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001D002C .text C:\WINDOWS\system32\svchost.exe[1232] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 001D003D .text C:\WINDOWS\system32\svchost.exe[1232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF .text C:\WINDOWS\System32\svchost.exe[1308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0094000A .text C:\WINDOWS\System32\svchost.exe[1308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0095000A .text C:\WINDOWS\System32\svchost.exe[1308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0093000C .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03080FE5 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03080067 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0308004C .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03080F72 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03080F83 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03080FB9 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03080F4B .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03080093 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03080F15 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03080F30 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 030800C9 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03080FA8 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03080FD4 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03080082 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03080025 .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0308000A .text C:\WINDOWS\System32\svchost.exe[1308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 030800AE .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03070036 .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03070F94 .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03070025 .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03070FEF .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0307005B .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03070000 .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03070FB9 .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 8B].text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03070FD4 .text C:\WINDOWS\System32\svchost.exe[1308] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0105000A .text C:\WINDOWS\System32\svchost.exe[1308] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00B2000A .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02BE000A .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!system 77C293C7 5 Bytes JMP 02BE0F7F .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02BE0FB5 .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02BE0FEF .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02BE0F9A .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02BE0FC6 .text C:\WINDOWS\System32\svchost.exe[1308] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02BC0FE5 .text C:\WINDOWS\System32\svchost.exe[1308] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02BC000A .text C:\WINDOWS\System32\svchost.exe[1308] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02BC001B .text C:\WINDOWS\System32\svchost.exe[1308] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 02BC002C .text C:\WINDOWS\System32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02BD0FEF .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000 .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F7A .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10F8B .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10F9C .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A1005B .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FC3 .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F5D .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A100A5 .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A100E5 .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100CA .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F31 .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A1004A .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10FEF .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10094 .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10025 .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FD4 .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10F4C .text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00025 .text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00F97 .text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00014 .text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00FD4 .text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A0005E .text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00FE5 .text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A00FB2 .text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C0, 88].text C:\WINDOWS\system32\svchost.exe[1408] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00FC3 .text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0016 .text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0F95 .text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0FC1 .text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0FEF .text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F0FA6 .text C:\WINDOWS\system32\svchost.exe[1408] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F0FDE .text C:\WINDOWS\system32\svchost.exe[1408] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0FEF .text C:\WINDOWS\system32\svchost.exe[1408] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B0FDE .text C:\WINDOWS\system32\svchost.exe[1408] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0014 .text C:\WINDOWS\system32\svchost.exe[1408] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 001B0039 .text C:\WINDOWS\system32\svchost.exe[1408] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001D0000 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FEF .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C6004C .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60031 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60F57 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60F68 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60F83 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F2B .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60F3C .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C600A9 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F06 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C600BA .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C6000A .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FCA .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C6005D .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60F94 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60FB9 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C6008E .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50FBC .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C50057 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50FCD .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C50FDE .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C50F90 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50FEF .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C50032 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50FA1 .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40FCA .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40FE5 .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C4003A .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40000 .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40055 .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C4001D .text C:\WINDOWS\system32\svchost.exe[1580] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0000 .text C:\WINDOWS\system32\svchost.exe[1580] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B0FE5 .text C:\WINDOWS\system32\svchost.exe[1580] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0FCA .text C:\WINDOWS\system32\svchost.exe[1580] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 001B0011 .text C:\WINDOWS\system32\svchost.exe[1580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001D0000 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80FEF .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80096 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80FA1 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D8006F .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80FB2 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80040 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80F90 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D800CC .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D80104 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D80F75 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D80115 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80FC3 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D8000A .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D800B1 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80025 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80FD4 .text C:\WINDOWS\system32\svchost.exe[1704] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D800F3 .text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D70051 .text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70098 .text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D70040 .text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D7001B .text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D70FE5 .text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70000 .text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D70087 .text C:\WINDOWS\system32\svchost.exe[1704] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D7006C .text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60081 .text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D60066 .text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D6003A .text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D6000C .text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D6004B .text C:\WINDOWS\system32\svchost.exe[1704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D6001D .text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D40FEF .text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D40FDE .text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D40014 .text C:\WINDOWS\system32\svchost.exe[1704] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00D40025 .text C:\WINDOWS\system32\svchost.exe[1704] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013E0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013E0F63 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013E0F7E .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013E0058 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013E0047 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013E0036 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013E00A1 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013E0090 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013E0F37 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013E00D0 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013E0F1C .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013E0FA5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013E000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013E0073 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013E0FCA .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013E001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013E0F48 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013D001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013D0F83 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013D000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013D0FD4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013D0F94 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013D0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 013D0040 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013D0FB9 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013C0FC1 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] msvcrt.dll!system 77C293C7 5 Bytes JMP 013C0FD2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013C0027 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013C000C .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013C0038 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013C0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 013B0000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 013A0000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 013A0011 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 013A0FE5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1824] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 013A0FD4 .text C:\Program Files\Mozilla Firefox\firefox.exe[3580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 014A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3580] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 014B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3580] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0149000C .text C:\Program Files\Mozilla Firefox\firefox.exe[3580] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation).text C:\Program Files\Mozilla Firefox\firefox.exe[3580] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10499437 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)---- Devices - GMER 1.0.15 ----AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89D7B57BDevice \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 89D7B57BDevice \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89D7B57BDevice \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 89D7B57BAttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)---- Registry - GMER 1.0.15 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 F:\Programmes\Alcohol 52\Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x23 0x44 0x13 0x59 ...Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 F:\Programmes\Alcohol 52\Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x23 0x44 0x13 0x59 ...Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...---- Disk sectors - GMER 1.0.15 ----Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior---- EOF - GMER 1.0.15 ---- Link to post Share on other sites More sharing options...
matson Posted April 30, 2011 Author ID:423270 Share Posted April 30, 2011 anybody wants to help me get rid of these bad programs please?!!!!!I can't use my computer, please help me!!!!!! Link to post Share on other sites More sharing options...
matson Posted April 30, 2011 Author ID:423274 Share Posted April 30, 2011 anybody wants to help me get rid of these bad programs please?!!!!!I can't use my computer, please help me!!!!!!the process svchost.exe is killing the computer!!!!he is taking all the memory and nothing is open except the firefox window where i type this message. my computer is badly sick and I can't loose him. it's my portable studio!!!!!!please help me solve my problem!!!! Link to post Share on other sites More sharing options...
SpySentinel Posted May 2, 2011 ID:424116 Share Posted May 2, 2011 Hi matson,Welcome to the Malwarebytes Support Forum My name is Matt and I will be assisting you.Download OTL to your desktop.Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.When the window appears, underneath Output at the top change it to Minimal Output.Check the boxes beside LOP Check and Purity Check.Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. Link to post Share on other sites More sharing options...
matson Posted May 2, 2011 Author ID:424120 Share Posted May 2, 2011 HI!!!!!!Thank you very much. I am starting the comp while answering you from another computer.I am following your order. the next answer will be the log. Link to post Share on other sites More sharing options...
SpySentinel Posted May 2, 2011 ID:424122 Share Posted May 2, 2011 You're welcome. Thanks for letting me know. Link to post Share on other sites More sharing options...
matson Posted May 2, 2011 Author ID:424127 Share Posted May 2, 2011 I am having trouble posting the log, I loose the connection, it seems like it Link to post Share on other sites More sharing options...
SpySentinel Posted May 2, 2011 ID:424128 Share Posted May 2, 2011 You lose internet connection? Link to post Share on other sites More sharing options...
matson Posted May 2, 2011 Author ID:424129 Share Posted May 2, 2011 OTL logOTL logfile created on: 2011-05-02 15:50:23 - Run 1OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\NICOU\DesktopWindows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstationInternet Explorer (Version = 8.0.6001.18702)Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 75,00% Memory free4,00 Gb Paging File | 4,00 Gb Available in Paging File | 92,00% Paging File freePaging file location(s): C:\pagefile.sys 2046 4092 [binary data]%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program FilesDrive C: | 35,01 Gb Total Space | 19,06 Gb Free Space | 54,44% Space Free | Partition Type: NTFSDrive D: | 8,26 Gb Total Space | 1,25 Gb Free Space | 15,10% Space Free | Partition Type: FAT32Drive F: | 19,53 Gb Total Space | 17,97 Gb Free Space | 91,98% Space Free | Partition Type: NTFSDrive G: | 47,97 Gb Total Space | 13,82 Gb Free Space | 28,81% Space Free | Partition Type: NTFSComputer Name: MOHICAN | User Name: NICOU | Logged in as Administrator.Boot Mode: Normal | Scan Mode: Current userCompany Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days========== Processes (SafeList) ==========PRC - C:\Documents and Settings\NICOU\Desktop\OTL.exe (OldTimer Tools)PRC - F:\Programmes\Alcohol 52\StarWind\StarWindServiceAE.exe (StarWind Software)PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)PRC - C:\Program Files\McAfee\Common Framework\Mctray.exe (McAfee, Inc.)PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)PRC - C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe (Hewlett-Packard )PRC - C:\Program Files\HPQ\shared\HpqToaster.exe ()PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)PRC - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe ()========== Modules (SafeList) ==========MOD - C:\Documents and Settings\NICOU\Desktop\OTL.exe (OldTimer Tools)MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)MOD - C:\WINDOWS\system32\netui1.dll (Microsoft Corporation)MOD - C:\WINDOWS\system32\netui0.dll (Microsoft Corporation)MOD - C:\WINDOWS\system32\ntlanman.dll (Microsoft Corporation)MOD - C:\WINDOWS\system32\netrap.dll (Microsoft Corporation)MOD - C:\WINDOWS\system32\drprov.dll (Microsoft Corporation)MOD - C:\WINDOWS\system32\davclnt.dll (Microsoft Corporation)========== Win32 Services (SafeList) ==========SRV - (HidServ) -- File not foundSRV - (AppMgmt) -- File not foundSRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)SRV - (StarWindServiceAE) -- F:\Programmes\Alcohol 52\StarWind\StarWindServiceAE.exe (StarWind Software)SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)SRV - (MA_CMIDI_InstallerService) -- C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe ()SRV - (MSSQL$SONY_MEDIAMGR) -- G:\Sony\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (Microsoft Corporation)SRV - (SQLAgent$SONY_MEDIAMGR) -- G:\Sony\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (Microsoft Corporation)========== Driver Services (SafeList) ==========DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys (Duplex Secure Ltd.)DRV - (epmntdrv) -- C:\WINDOWS\system32\epmntdrv.sys ()DRV - (EuGdiDrv) -- C:\WINDOWS\system32\EuGdiDrv.sys ()DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)DRV - (mferkdk) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (McAfee, Inc.)DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)DRV - (HSFHWATI) -- C:\WINDOWS\system32\drivers\HSFHWATI.sys (Conexant Systems, Inc.)DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camc6hal.sys (Conexant Systems Inc.)DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camc6aud.sys (Conexant Systems Inc.)DRV - (MA_CMIDI) -- C:\WINDOWS\system32\drivers\ma_cmidi.sys (M-Audio)DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)DRV - (RDID1044) -- C:\WINDOWS\system32\drivers\rdwm1044.sys (Roland Corporation)DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)DRV - (Cubase32) -- C:\WINDOWS\System32\drivers\Cubase32.sys (Microsoft Corporation)========== Standard Registry (SafeList) ==================== Internet Explorer ==========IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/anyvideo2dvd/{72451267-22A7-4C23-9DCE-A7E772A37893}IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/anyvideo2dvd/{72451267-22A7-4C23-9DCE-A7E772A37893}IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local========== FireFox ==========FF - prefs.js..browser.search.useDBForOrder: trueFF - prefs.js..browser.startup.homepage: "http://www.google.ca/"FF - prefs.js..keyword.URL: "http://www.bigseekpro.com/search/toolbar/anyvideo2dvd/{5BC4B17D-66A1-4F00-BE33-AF17ECDA68F1}?q="FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011-04-29 02:18:44 | 000,000,000 | ---D | M]FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins[2011-04-02 03:01:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\NICOU\Application Data\Mozilla\Extensions[2011-04-28 23:43:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\NICOU\Application Data\Mozilla\Firefox\Profiles\mtc5e0vx.default\extensions[2011-04-28 23:43:08 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Documents and Settings\NICOU\Application Data\Mozilla\Firefox\Profiles\mtc5e0vx.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}[2011-04-21 13:39:04 | 000,002,382 | ---- | M] () -- C:\Documents and Settings\NICOU\Application Data\Mozilla\Firefox\Profiles\mtc5e0vx.default\searchplugins\search.xml[2011-04-02 20:51:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions[2011-04-02 20:51:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}File not found (No name found) -- [2011-04-02 20:51:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF[2011-04-29 02:18:39 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll[2010-01-01 05:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xmlHosts file not foundO2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Any Video To DVD DB Toolbar\tbcore3.dll ()O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)O4 - HKLM..\Run: [shStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)O24 - Desktop WallPaper: C:\WINDOWS\Blue Sonic.bmpO24 - Desktop BackupWallPaper: C:\WINDOWS\Blue Sonic.bmpO32 - HKLM CDRom: AutoRun - 1O32 - AutoRun File - [2001-07-28 02:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]O34 - HKLM BootExecute: (autocheck autochk *) - File not foundO35 - HKLM\..comfile [open] -- "%1" %*O35 - HKLM\..exefile [open] -- "%1" %*O37 - HKLM\...com [@ = ComFile] -- "%1" %*O37 - HKLM\...exe [@ = exefile] -- "%1" %*========== Files/Folders - Created Within 30 Days ==========[2011-05-02 15:43:58 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\NICOU\Desktop\OTL.exe[2011-04-29 21:10:12 | 000,000,000 | -HSD | C] -- C:\RECYCLER[2011-04-29 20:58:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp[2011-04-29 20:45:13 | 000,000,000 | RHSD | C] -- C:\cmdcons[2011-04-29 20:41:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe[2011-04-29 20:41:53 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe[2011-04-29 20:41:53 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe[2011-04-29 20:41:53 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe[2011-04-29 20:41:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT[2011-04-29 20:40:57 | 000,000,000 | ---D | C] -- C:\Qoobox[2011-04-29 19:31:56 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\NICOU\Desktop\ATF_Cleaner.exe[2011-04-29 18:43:10 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\NICOU\Desktop\tdsskiller.exe[2011-04-29 14:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun[2011-04-28 22:26:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy[2011-04-28 22:26:11 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy[2011-04-28 22:26:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy[2011-04-28 22:19:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun[2011-04-28 21:47:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\NICOU\Recent[2011-04-28 17:20:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner[2011-04-28 17:20:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner[2011-04-28 09:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Toolbar4[2011-04-28 09:05:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities[2011-04-28 01:50:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia[2011-04-28 00:43:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump[2011-04-28 00:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia[2011-04-21 03:22:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Toolbar4[2011-04-21 03:22:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Somoto[2011-04-21 03:22:48 | 000,000,000 | ---D | C] -- C:\Program Files\Any Video To DVD DB Toolbar[2011-04-20 01:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Desktop\AVIAddXSubs[2011-04-12 14:32:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NICOU\IECompatCache[2011-04-12 01:49:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\OpenOffice.org[2011-04-12 01:46:20 | 000,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\OpenOffice.org 3.3[2011-04-12 01:43:50 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3[2011-04-11 15:51:07 | 000,161,422 | R--- | C] (Roland Corporation) -- C:\WINDOWS\System32\drivers\rdwm1044.sys[2011-04-11 15:51:07 | 000,081,920 | R--- | C] (Roland Corporation) -- C:\WINDOWS\System32\rdas1044.dll[2011-04-11 15:51:06 | 000,229,376 | R--- | C] (Roland Corporation) -- C:\WINDOWS\System32\RDDP1044.DAT[2011-04-11 15:51:05 | 000,051,644 | R--- | C] (Roland Corporation) -- C:\WINDOWS\System32\rddv1044.dll[2011-04-11 15:09:54 | 000,060,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbaudio.sys[2011-04-11 15:08:30 | 000,085,504 | ---- | C] (M-Audio) -- C:\WINDOWS\System32\ma_cmidn.dll[2011-04-11 15:08:29 | 000,021,888 | ---- | C] (M-Audio) -- C:\WINDOWS\System32\drivers\ma_cmidi.sys[2011-04-11 15:08:29 | 000,017,920 | ---- | C] (M-Audio) -- C:\WINDOWS\System32\MA_CMIDI.DLL[2011-04-11 15:08:29 | 000,014,176 | ---- | C] (M-Audio) -- C:\WINDOWS\System32\MA_CMIDI.DRV[2011-04-11 15:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\M-Audio MA_CMIDI[2011-04-11 15:08:10 | 000,000,000 | ---D | C] -- C:\Program Files\M-Audio MA_CMIDI[2011-04-11 06:04:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\AAY-Audio[2011-04-11 06:00:56 | 000,000,000 | ---D | C] -- C:\Program Files\D16 Group[2011-04-11 05:51:41 | 000,000,000 | ---D | C] -- C:\Program Files\Solid State Logic[2011-04-11 05:49:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Solid State Logic[2011-04-11 05:44:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Leslie Sanford[2011-04-11 05:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PSPaudioware[2011-04-11 05:28:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\G-Sonique[2011-04-11 05:19:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\DubStation VST plug-in[2011-04-11 05:16:48 | 000,765,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71d.dll[2011-04-11 05:16:48 | 000,544,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71d.dll[2011-04-11 05:16:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Nomad Factory[2011-04-11 05:16:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\Nomad Factory[2011-04-11 05:16:44 | 000,000,000 | ---D | C] -- C:\Program Files\Nomad Factory[2011-04-11 05:08:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\SoundFonts.it GS-201 Tape Echo v1.0[2011-04-11 04:42:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Spectral Design[2011-04-11 04:35:09 | 000,011,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\Cubase32.sys[2011-04-11 04:30:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\WOK[2011-04-11 04:07:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\discoDSP[2011-04-11 04:03:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Steinberg[2011-04-11 04:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Bias[2011-04-11 02:23:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Blue Cat Audio[2011-04-11 02:01:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\KeyToSound Preferences[2011-04-11 01:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Daichi[2011-04-10 21:29:07 | 000,000,000 | ---D | C] -- C:\Program Files\FXpansion[2011-04-10 21:29:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\FXpansion[2011-04-10 18:51:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\JXPlugins[2011-04-10 18:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\ReFX Junox2 VSTi v1.4[2011-04-10 18:36:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sylenth1[2011-04-10 17:45:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Identities[2011-04-10 05:28:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\EDIROL[2011-04-10 05:26:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\DashSignature[2011-04-10 05:19:44 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NICOU\PrivacIE[2011-04-10 04:54:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\LinPlug Instruments[2011-04-10 04:50:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Native Instruments FM7[2011-04-10 03:50:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Smartelectronix[2011-04-10 03:46:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\iZotope iDrum Content[2011-04-10 01:46:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\AdmiralQuality[2011-04-10 01:13:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\LUXONIX[2011-04-10 01:08:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Rob Papen Predator[2011-04-10 01:02:20 | 000,000,000 | ---D | C] -- C:\Program Files\GForce[2011-04-10 01:02:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\GForce[2011-04-10 00:56:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Timeworks[2011-04-10 00:51:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Synapse[2011-04-09 23:33:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\T-RackS 24[2011-04-09 21:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\Native Instruments[2011-04-09 21:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Native Instruments[2011-04-09 21:45:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IK Multimedia[2011-04-09 21:43:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IK Multimedia[2011-04-09 21:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\InstallShield[2011-04-08 03:23:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Native Instruments[2011-04-08 03:10:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Native Instruments Pro-53[2011-04-08 03:07:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Native Instruments FM8[2011-04-08 03:00:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Native Instruments B4 II[2011-04-08 02:55:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Linplug[2011-04-08 02:52:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Linplug[2011-04-08 02:37:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\KORG[2011-04-08 02:37:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\KORG[2011-04-08 02:28:06 | 000,233,472 | ---- | C] (Propellerhead Software AB) -- C:\WINDOWS\System32\REX Shared Library.dll[2011-04-08 02:28:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iZotope[2011-04-08 02:28:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iZotope[2011-04-08 02:19:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\HQ Software Synthesizer[2011-04-08 02:15:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Edirol Super Quartet v1.52[2011-04-08 01:22:27 | 000,393,216 | ---- | C] (Native Instruments Software GmbH) -- C:\WINDOWS\System32\NI_IRC_1_2.dll[2011-04-08 01:22:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Native Instruments Battery 3[2011-04-08 01:22:12 | 001,870,336 | ---- | C] (Native Instruments Software Synthesis GmbH) -- C:\WINDOWS\System32\bconvert.dll[2011-04-08 01:22:12 | 000,061,440 | ---- | C] (Native Instruments Software GmbH) -- C:\WINDOWS\System32\NI_DFD_1_5.dll[2011-04-08 01:22:11 | 000,000,000 | ---D | C] -- C:\Program Files\Native Instruments[2011-04-08 01:22:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Native Instruments[2011-04-08 01:06:08 | 000,086,016 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe[2011-04-08 01:06:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Arturia[2011-04-08 00:20:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Arturia[2011-04-07 22:41:58 | 001,683,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmvcore2.dll[2011-04-07 22:41:58 | 000,665,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmv8dmoe.dll[2011-04-07 22:41:58 | 000,566,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmvdmoe.dll[2011-04-07 22:41:58 | 000,438,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmv8dmod.dll[2011-04-07 22:41:58 | 000,285,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmidx2.ocx[2011-04-07 22:34:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FL Studio 6[2011-04-07 22:34:10 | 001,294,336 | ---- | C] (HMS http://hp.vector.co.jp/authors/VA012897/) -- C:\WINDOWS\System32\vorbis.acm[2011-04-07 22:34:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\FL Studio 6[2011-04-06 21:07:58 | 000,000,000 | ---D | C] -- C:\QUARANTINE[2011-04-06 19:48:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Desktop\Microsoft Office Enterprise 2007 (VOXIGEN@mininova.org)[2011-04-06 19:44:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\WinRAR[2011-04-06 19:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Microsoft Help[2011-04-06 19:38:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help[2011-04-06 19:16:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Alcohol 52%[2011-04-06 19:07:29 | 000,436,792 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys[2011-04-06 18:46:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\Sony Media Libraries[2011-04-06 18:46:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\NetMedia Providers[2011-04-06 18:46:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Publish Providers[2011-04-06 18:46:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\Sony ACID Pro 6.0 Projects[2011-04-06 18:46:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Sony[2011-04-06 18:36:12 | 000,033,340 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dbmsqlgc.dll[2011-04-06 18:36:12 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dbmsgnet.dll[2011-04-06 18:35:32 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server[2011-04-06 18:35:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Sony[2011-04-06 18:34:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sony[2011-04-06 18:34:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sony[2011-04-06 18:33:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\Sony[2011-04-06 18:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\WinRAR[2011-04-06 18:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR[2011-04-06 18:17:19 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR[2011-04-06 18:12:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Installer2184[2011-04-06 17:57:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Installer376[2011-04-06 17:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\vlc[2011-04-06 17:55:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN[2011-04-06 17:54:31 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN[2011-04-06 17:44:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet[2011-04-06 17:35:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Control Panels[2011-04-06 17:31:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ALM[2011-04-06 17:30:38 | 000,190,696 | ---- | C] (Adobe Systems, Inc.) -- C:\WINDOWS\System32\NPSWF32_FlashUtil.exe[2011-04-06 17:18:24 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour[2011-04-06 17:16:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Master Collection CS3[2011-04-06 17:07:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared[2011-04-06 16:51:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Serif Applications[2011-04-06 16:49:57 | 000,023,376 | ---- | C] (Softland) -- C:\WINDOWS\System32\dopdfmn7.dll[2011-04-06 16:49:57 | 000,020,304 | ---- | C] (Softland) -- C:\WINDOWS\System32\dopdfmi7.dll[2011-04-06 16:49:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\doPDF 7[2011-04-06 16:47:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PDF Split And Merge[2011-04-06 16:46:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Free Video Converter[2011-04-06 16:22:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Serif[2011-04-06 15:41:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Softland[2011-04-06 15:41:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Softland[2011-04-06 15:34:59 | 000,119,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB6FR.DLL[2011-04-06 15:34:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\FreeVideoConverter[2011-04-06 15:16:54 | 000,712,192 | ---- | C] (Claude Dekok Link to post Share on other sites More sharing options...
SpySentinel Posted May 2, 2011 ID:424131 Share Posted May 2, 2011 Hi matson,Run OTL.exeUnder the Custom Scans/Fixes box at the bottom, paste in the following:OTLO2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Any Video To DVD DB Toolbar\tbcore3.dll ()O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0:Commands[purity][resethosts][emptytemp][EMPTYFLASH][CREATERESTOREPOINT][Reboot]Then click the Run Fix button at the topLet the program run unhindered, reboot when it is done Link to post Share on other sites More sharing options...
matson Posted May 2, 2011 Author ID:424134 Share Posted May 2, 2011 I can't post the extras, because the connection is reseting all the time, this what the windowsturn to. I am extremely confuse... Link to post Share on other sites More sharing options...
SpySentinel Posted May 2, 2011 ID:424136 Share Posted May 2, 2011 No worries, go ahead and run my fix and then post the log it produces. Link to post Share on other sites More sharing options...
matson Posted May 2, 2011 Author ID:424138 Share Posted May 2, 2011 All processes killed========== OTL ==========Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ deleted successfully.Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ deleted successfully.C:\Program Files\Any Video To DVD DB Toolbar\tbcore3.dll moved successfully.Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HonorAutoRunSetting deleted successfully.Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.========== COMMANDS ==========HOSTS file reset successfully[EMPTYTEMP]User: All UsersUser: Default User->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 0 bytesUser: LocalService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 5809008 bytes->Java cache emptied: 9185 bytes->Flash cache emptied: 4656 bytesUser: NetworkService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 14517135 bytes->Java cache emptied: 0 bytes->Flash cache emptied: 6564 bytesUser: NICOU->Temp folder emptied: 121440 bytes->Temporary Internet Files folder emptied: 38632 bytes->Java cache emptied: 10264 bytes->FireFox cache emptied: 58881473 bytes->Flash cache emptied: 3568 bytes%systemdrive% .tmp files removed: 0 bytes%systemroot% .tmp files removed: 19569 bytes%systemroot%\System32 .tmp files removed: 2577 bytes%systemroot%\System32\dllcache .tmp files removed: 0 bytes%systemroot%\System32\drivers .tmp files removed: 0 bytesWindows Temp folder emptied: 101335040 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytesRecycleBin emptied: 505 bytesTotal Files Cleaned = 172,00 mb[EMPTYFLASH]User: All UsersUser: Default UserUser: LocalService->Flash cache emptied: 0 bytesUser: NetworkService->Flash cache emptied: 0 bytesUser: NICOU->Flash cache emptied: 0 bytesTotal Flash Files Cleaned = 0,00 mbRestore point Set: OTL Restore Point (0)OTL by OldTimer - Version 3.2.22.3 log created on 05022011_160736Files\Folders moved on Reboot...Registry entries deleted on Reboot... Link to post Share on other sites More sharing options...
SpySentinel Posted May 2, 2011 ID:424140 Share Posted May 2, 2011 Launch Malwarebytes' Anti-MalwareCheck to see if there are any updates, and download and install the latest version.Once the program has loaded, select "Perform Quick Scan", then click Scan.The scan may take some time to finish, so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked , and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.Run ESET Online ScanHold down Control and click on the following link to open ESET OnlineScan in a new window.ESET OnlineScanClick the button.For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)Click on to download the ESET Smart Installer. Save it to your desktop.Double click on the icon on your desktop.Check Click the button.Accept any security warnings from your browser.Check Push the Start button.ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.Push the button.Push You can refer to this animation by neomage if needed. Link to post Share on other sites More sharing options...
matson Posted May 2, 2011 Author ID:424148 Share Posted May 2, 2011 mbam finds nothing. when I opened the windows of ESET, I have been redirected to a wall-mart website...there is the log of the mabam scan, oh and a window telling me that there was a win32 error wanted me to send a report to microsoft.I am installing ESET to run the sacnMalwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.orgDatabase version: 6493Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187022011-05-02 16:24:01mbam-log-2011-05-02 (16-24-01).txtScan type: Quick scanObjects scanned: 147339Time elapsed: 4 minute(s), 20 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
matson Posted May 2, 2011 Author ID:424198 Share Posted May 2, 2011 here is the log of the scan, e files detected, and as you told me I did not cheched the boxes to delete them.C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1\A0002402.dll a variant of Win32/Kryptik.NCK trojan cleaned by deleting - quarantinedC:\WINDOWS\eqoyafisequpal.dl a variant of Win32/Kryptik.NCK trojan cleaned by deleting - quarantined Link to post Share on other sites More sharing options...
SpySentinel Posted May 3, 2011 ID:424224 Share Posted May 3, 2011 Please read carefully and follow these steps. Download TDSSKiller and save it to your Desktop.Extract its contents to your desktop.Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.If an infected file is detected, the default action will be Cure, click on Continue.If a suspicious file is detected, the default action will be Skip, click on Continue.It may ask you to reboot the computer to complete the process. Click on Reboot Now.If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. Link to post Share on other sites More sharing options...
matson Posted May 3, 2011 Author ID:424228 Share Posted May 3, 2011 I can't run Tdsskiller.exe. it fails at 80%this is the message: "TDSS rootkit removing tool has encountered a problem and needs to close. We are sorry for the inconvenience." Link to post Share on other sites More sharing options...
SpySentinel Posted May 3, 2011 ID:424430 Share Posted May 3, 2011 Scan with exeHelper:Please download exeHelper to your desktop.Double-click on exeHelper.com to run the fix.A black window should pop up, press any key to close once the fix is completed.Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)Note: If the window shows a message that says "Error deleting file", please re-run the programNow try running TDSSKiller again. Link to post Share on other sites More sharing options...
matson Posted May 3, 2011 Author ID:424488 Share Posted May 3, 2011 exeHelper logexeHelper by RaktorBuild 20100414Run at 16:22:06 on 05/03/11Now searching...Checking for numerical processes...Checking for sysguard processes...Checking for bad processes...Checking for bad files...Checking for bad registry entries...Resetting filetype association for .exeResetting filetype association for .comResetting userinit and shell values...Resetting policies...--Finished--I am about to try tdsskiller... Link to post Share on other sites More sharing options...
matson Posted May 3, 2011 Author ID:424489 Share Posted May 3, 2011 I have the same result, tdsskiller can'r pass 80%.I have the same message: "TDSS rootkit removing tool has encountered a problem and needs to close. We are sorry for the inconvenience." Link to post Share on other sites More sharing options...
matson Posted May 3, 2011 Author ID:424490 Share Posted May 3, 2011 I also have this error message: "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience." Link to post Share on other sites More sharing options...
SpySentinel Posted May 6, 2011 ID:425257 Share Posted May 6, 2011 Download RogueKiller to your desktopQuit all running programsFor Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exeWhen prompted, type 1 and validateThe RKreport.txt shall be generated next to the executable.If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe Please post the contents of the RKreport.txt in your next Reply. Link to post Share on other sites More sharing options...
matson Posted May 6, 2011 Author ID:425546 Share Posted May 6, 2011 RogueKiller logRogueKiller V4.3.7 by Tigzycontact at http://www.sur-la-toile.commail: tigzyRK<at>gmail<dot>comFeedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.htmlOperating System: Windows XP (5.1.2600 Service Pack 3) 32 bits versionStarted in : Normal modeUser: NICOU [Admin rights]Mode: Scan -- Date : 05/06/2011 17:09:01Bad processes: 0Registry Entries: 0HOSTS File:Finished : << RKreport[1].txt >>RKreport[1].txtps: maybe there is a problem, I don't see no host file, usally isn't it a host 1.0. something????... Link to post Share on other sites More sharing options...
Recommended Posts