Hijack This Logfile


  • This topic is locked
9 replies to this topic

#1 namreg6360

    Member

  • Full Member
  • 6 posts

Posted 23 November 2009 - 11:48 PM

I'm pretty sure lsass.exe is no good, but I'm not having any luck when trying to remove it. Suggestions? Also, is there anything else that is no good from my list?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:22 PM, on 11/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1213379939814
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rose-hulman.edu
O17 - HKLM\Software\..\Telephony: DomainName = rose-hulman.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rose-hulman.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: MIT_KFW - C:\WINDOWS\system32\kfwlogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O24 - Desktop Component 1: (no name) - http://i213.photobuc...m/albums/cc162/

--
End of file - 9512 bytes




Thanks Much,

Namreg6360

Edited by namreg6360, 23 November 2009 - 11:49 PM.


#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 26 November 2009 - 12:21 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • 7,649 posts

Posted 27 November 2009 - 06:34 AM

Hello namreg6360. Welcome to SWI.

I’m pretty sure lsass.exe is no good, but I’m not having any luck when trying to remove it.

I’m very glad to hear that. The legitimate lsass.exe file is a vital system file.
Please see here for further information.

Now, download ATF Cleaner
Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Please download Malwarebytes’ Anti-Malware to your Desktop
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Please use the Internet Explorer and run a BitDefender Online scan from Here
  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post: (You may have to use two posts.)

Security Check log.
MBAM log.
BitDefender Report.
A fresh HJT log.

Please give me detailed information about what problems you are having with the computer, and why you think lsass.exe is a bad file.



Rocket Grannie
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.
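The point above, that the lsass.exe in this log is the legitimate system file, comes down to two checks a reader can make on the "Running processes" section: the name must be spelled exactly lsass.exe (not a look-alike such as Isass.exe with a capital I) and it must run from C:\WINDOWS\system32. The script below is an added example, not from this thread or any of the tools it names; the expected-directory table is an assumed short list of Windows XP core processes, and the sample log is constructed (its first six process lines are the ones from the log above, the last two are made-up suspicious entries).

```python
"""Flag core Windows processes in a HijackThis 'Running processes' list that
run from the wrong directory or under a look-alike name.  Added example; the
expected-directory table and the sample log are constructed for illustration."""
import ntpath

# Core Windows XP processes and the directory each must run from.  Paths are
# compared case-insensitively because NTFS is (the log mixes 'System32' and
# 'system32').  Assumed table, not taken from the thread.
CORE_PROCESSES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Characters often substituted to imitate a system file name.  Folding them
# makes 'Isass.exe' (capital I), 'lsass.exe' and '1sass.exe' compare equal.
_CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def _skeleton(name):
    return name.lower().translate(_CONFUSABLES)


def running_processes(log_text):
    """Return the full paths listed under 'Running processes:' (up to the
    first blank line, which is where HijackThis ends the section)."""
    paths, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            paths.append(line)
    return paths


def check_process(path):
    """Return None if the path is acceptable, else a one-line finding."""
    directory, name = ntpath.split(path)
    name_l, directory_l = name.lower(), directory.lower()
    if name_l in CORE_PROCESSES:
        expected = CORE_PROCESSES[name_l]
        if directory_l != expected:
            return f"{name} running from {directory} (expected {expected})"
        return None
    # Not a core name: does it imitate one after confusable folding?
    for core in CORE_PROCESSES:
        if _skeleton(name_l) == _skeleton(core):
            return f"{name} looks like {core} but is not (path {path})"
    return None


def audit(log_text):
    """Return all findings for one HijackThis log, in log order."""
    return [f for f in map(check_process, running_processes(log_text)) if f]


# Constructed sample: the first six processes are the ones shown in the
# thread's log (all legitimate); the last two are made-up suspicious entries.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Isass.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the thread's own log, the six genuine entries produce no findings; only the two constructed lines are reported.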

#4 namreg6360

    Member

  • Full Member
  • 6 posts

Posted 27 November 2009 - 11:33 PM

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
McAfee VirusScan Enterprise
Antivirus out of date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SpywareBlaster 4.2
Spybot - Search & Destroy
Windows Defender
HijackThis 2.0.2
Java™ 6 Update 11
Java™ 6 Update 6
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 6
Java DB 10.3.1.4
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.4
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````



Malwarebytes' Anti-Malware 1.41
Database version: 3246
Windows 5.1.2600 Service Pack 3

11/27/2009 11:10:19 PM
mbam-log-2009-11-27 (23-10-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 310028
Time elapsed: 1 hour(s), 28 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gtk 2.0 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\GTK\2.0\uninst.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

#5 namreg6360

    Member

  • Full Member
  • 6 posts

Posted 27 November 2009 - 11:35 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:05 PM, on 11/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1213379939814
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rose-hulman.edu
O17 - HKLM\Software\..\Telephony: DomainName = rose-hulman.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rose-hulman.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: MIT_KFW - C:\WINDOWS\system32\kfwlogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O24 - Desktop Component 1: (no name) - http://i213.photobuc...pg?t=1229580337

--
End of file - 10030 bytes



I had some trouble with the BitDefender scan. I received a message saying it couldn't be updated all the way, then it wouldn't scan at all.

I had read somewhere online that lsass.exe was a trojan, but I'll take your word that it's good. There's nothing really wrong with my computer other than it slowing down somewhat from original speed.

#6 Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • 7,649 posts

Posted 28 November 2009 - 07:06 AM

Hello namreg6360

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Further, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"

However, if you do not have the resources to reinstall your computer we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

If you wish to continue cleaning your computer, please do the following:

I noticed in your log you have more than one antispyware program running in resident mode: Ad-Aware, Spybot - Search & Destroy, and Windows Defender.

This is very dangerous, as multiple ASs can interfere with one another and actually allow MORE infections to get through.
It is important that only ONE antispyware program is running realtime protection.
I strongly suggest you either (1) uninstall two of the programs through Control Panel->Add or remove Programs,
OR (2) keep all the programs, but leave two of them disabled most of the time.
You can still use them for scanning your computer.

Note: It is only Spybot's Tea Timer feature which needs to be disabled.

Next, please run a GMER Rootkit scan:

Download GMER from here: http://www.gmer.net/files.php

Unzip it to the Desktop.

Please close any open programs/windows!

Open the program and click on the Rootkit/Malware tab.

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.

Click on Scan (1).

When the scan is finished click Copy (2) and paste the results (if any) into this thread.

Seeing BitDefender wouldn’t run, let’s try Kaspersky.

In Internet Explorer, please do a scan with Kaspersky Online Scanner
Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your Desktop.
  • Copy and Paste that information in your next post.
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post:
Gmer report.
Kaspersky report.
A fresh HJT log.

Rocket Grannie

#7 namreg6360

    Member

  • Full Member
  • 6 posts

Posted 30 November 2009 - 04:28 PM

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 16:26:14
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\germanjd\LOCALS~1\Temp\uxdyrpoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9CC387B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA9CC37FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9CC38A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9CC380F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9CC383B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9CC38CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9CC37E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9CC388F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9CC3825]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA9CC3851]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9CC3867]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9CC38E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9CC38B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A9CC38BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A9CC387F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A9CC38D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A9CC38E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A9CC3893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A9CC38A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A9CC386B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A9CC3855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A9CC3829 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 2 Bytes JMP A9CC37FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey + 3 806237B5 2 Bytes [6A, 29] {PUSH 0x29}
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A9CC3813 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A9CC383F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A9CC37EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8730360, 0x349347, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40F77
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C4006C
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40F9E
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40036
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C400BF
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C400A4
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C400E1
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40F52
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C400FC
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40051
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40087
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40FCA
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40FDB
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C400D0
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C3002F
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F8D
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30014
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FDE
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30FA8
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FC1
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20042
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20027
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FD2
.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C2000C
.text C:\WINDOWS\system32\svchost.exe[216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40F8F
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40084
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40073
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40062
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40FC0
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A4009F
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40F57
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40F24
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40F35
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A40F13
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40047
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40011
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40F74
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FD1
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40022
.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A40F46
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A3001B
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30F8A
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30FCA
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30047
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30FE5
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A30036
.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30FB9
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20070
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20044
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20055
.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A2001D
.text C:\WINDOWS\system32\svchost.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01D70000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01D70084
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01D70F8F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01D70069
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01D70058
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01D7003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01D700B2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01D70F6A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01D700E8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01D700CD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01D700F9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01D70FB6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01D70FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01D70095
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01D7002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01D7001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01D70F4F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01D60FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01D60FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01D60040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01D60025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01D60FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01D60000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01D6006C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01D6005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01D50045
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 01D5002A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01D50FC1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01D50FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01D50FB0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01D50FD2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01D40000
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0007008E
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070073
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F06
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0007009F
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070EEB
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F46
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F2B
.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F9B
.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FB6
.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060062
.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FAD
.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050042
.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E20F6D
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E20F92
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E2006C
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E20051
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E2002F
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E2009F
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E2008E
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E20F2B
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E20F3C
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E200DF
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E20040
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E20FDE
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E2007D
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E2001E
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E20FCD
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E200BA
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E10025
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E10F94
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E10FD4
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E1005B
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E10FB9
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [01, 89]
.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E10036
.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00F90
.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FA1
.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E00FCD
.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00FBC
.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E00FDE
.text C:\WINDOWS\system32\lsass.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FA0F69
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FA005E
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FA0F90
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FA0FA1
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FA0028
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FA0085
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FA0F3D
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FA0F0E
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FA00A7
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FA0EFD
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FA0043
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FA0FD4
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FA0F58
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FA0FB2
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FA0FC3
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FA0096
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90F72
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F90FAF
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F9002F
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F90F8D
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [19, 89]
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F90F9E
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F80049
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F8002E
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F8001D
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F80FC8
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F8000C
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60FA0
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D6008B
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60FBD
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D6007A
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60058
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F60
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F7B
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600CD
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F34
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D600E8
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60069
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D600A6
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60047
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D60F4F
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FC0
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F94
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FDB
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D5001B
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50051
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D50040
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FAF
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40FA8
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40FB9
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D4000C
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40029
.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D3000A
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014E0000
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014E0F48
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014E0F63
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014E0F8A
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014E003D
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014E0FB6
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014E0F1A
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014E0062
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014E00A2
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014E0EFF
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014E00B3
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 014E0F9B
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 014E0FDB
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 014E0F37
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 014E0022
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 014E0011
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014E0073
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014D0FBC
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014D0057
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014D0FCD
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014D0FDE
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014D0F9A
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014D0FEF
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 014D0FAB
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [6D, 89]
.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014D0032
.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0F86
.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0011
.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FAB
.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FE3
.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0000
.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FD2
.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C60FCA
.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C60FA8
.text C:\WINDOWS\Explorer.EXE[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0090
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0075
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0064
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00CD
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD00B2
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD011E
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0103
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD012F
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD00A1
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00DE
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F9E
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!Reg
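
Reading a GMER report like the one above is a triage exercise, and the question behind the lsass.exe worry in the first post is not "is it hooked" but "is it hooked any differently from every other process". Two things stand out in the log as posted: every kernel-side entry is attributed by GMER to mfehidk.sys, which the report itself labels as McAfee's host intrusion detection driver, and the user-mode entries patch the same kernel32/ADVAPI32/msvcrt/WS2_32 exports in every listed process, lsass.exe[1124] included, with JMP targets that GMER cannot tie to any loaded module. The script below is added here as an illustration; it is not part of the original post and not GMER's own code. It parses the two line formats exactly as GMER 1.0.15 prints them above (the regexes assume that layout), groups the kernel hooks by owning module, and compares the per-process hook sets so that a process hooked differently from the rest would show up. The sample input is a dozen lines excerpted from the report above.

```python
"""Triage helper for GMER rootkit-scan reports (added example, not GMER's own code).

Answers two questions: which module owns the kernel hooks, and whether any one
process carries user-mode hooks the other processes do not.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r'^---- (?P<name>.+?) - GMER')

# Kernel code sections, e.g.
# PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 2 Bytes JMP A9CC37FF \SystemRoot\system32\drivers\mfehidk.sys (desc)
KERNEL_RE = re.compile(
    r'^(?:\.text|PAGE|INIT)\s+(?P<image>\S+?)!(?P<symbol>\S+)\s+(?P<addr>[0-9A-F]{8})\s+'
    r'(?P<nbytes>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})'
    r'(?:\s+(?P<module>\\\S+))?(?:\s+\((?P<desc>[^)]*)\))?\s*$')

# User code sections, e.g.
# .text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E20FEF
USER_RE = re.compile(
    r'^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>\S+?)!(?P<api>\S+)\s+(?P<addr>[0-9A-F]{8})\s+'
    r'(?P<nbytes>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})'
    r'(?:\s+(?P<module>\S+))?(?:\s+\((?P<desc>[^)]*)\))?\s*$')

PATTERNS = {'Kernel code sections': KERNEL_RE, 'User code sections': USER_RE}


def parse_gmer(text):
    """Return {section name: [hook records]} for the two sections triaged here."""
    hooks = {name: [] for name in PATTERNS}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group('name')
            continue
        if section in PATTERNS:
            m = PATTERNS[section].match(line)
            if m:  # "+ 3" continuation lines and "section is writeable" notes don't match, by design
                hooks[section].append(m.groupdict())
    return hooks


def triage(hooks):
    """Group kernel hooks by owning module and compare the per-process user-mode hook sets."""
    kernel_owner = defaultdict(set)
    for h in hooks['Kernel code sections']:
        kernel_owner[h['module'] or '<unattributed>'].add(h['symbol'])

    per_process = defaultdict(set)   # "process[pid]" -> {"dll!Api", ...}
    unattributed = defaultdict(int)  # JMP targets GMER could not tie to a loaded module
    for h in hooks['User code sections']:
        proc = f"{h['process']}[{h['pid']}]"
        per_process[proc].add(f"{h['dll']}!{h['api']}")
        if not h['module']:
            unattributed[proc] += 1

    # APIs patched identically in every process point to one system-wide hooking product;
    # APIs patched in only some processes are the ones to look at more closely.
    common = set.intersection(*per_process.values()) if per_process else set()
    extra = {p: sorted(a - common) for p, a in per_process.items() if a - common}
    return {
        'kernel_hooks_by_owner': {k: sorted(v) for k, v in kernel_owner.items()},
        'apis_hooked_in_every_process': sorted(common),
        'process_specific_hooks': extra,
        'unattributed_targets': dict(unattributed),
        'hooks_per_process': {p: sorted(a) for p, a in per_process.items()},
    }


# Sample input: lines excerpted from the report posted above (the "+ 3" line is
# kept to show that continuation lines are skipped).
SAMPLE_REPORT = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A9CC38BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A9CC387F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 2 Bytes JMP A9CC37FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey + 3 806237B5 2 Bytes [6A, 29] {PUSH 0x29}

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40036
.text C:\WINDOWS\system32\svchost.exe[216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E2002F
.text C:\WINDOWS\system32\lsass.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0000
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014E0000
.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014E0FB6
.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\Explorer.EXE[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C7000A
"""

if __name__ == '__main__':
    result = triage(parse_gmer(SAMPLE_REPORT))
    for owner, symbols in result['kernel_hooks_by_owner'].items():
        print(f"kernel hooks owned by {owner}: {', '.join(symbols)}")
    print("hooked in every process:", ', '.join(result['apis_hooked_in_every_process']))
    for proc, apis in result['process_specific_hooks'].items():
        print(f"hooked only in {proc}: {', '.join(apis)}")
    for proc, n in result['unattributed_targets'].items():
        print(f"{proc}: {n} JMP targets not attributed to any loaded module")
```

Run against the full report, the output shows the same API set hooked in every process, which is the fingerprint of one system-wide hooking product rather than of something living in lsass.exe; which product that is still has to be confirmed on the machine itself (the HijackThis process list later in this thread shows McAfee VirusScan Enterprise running), since GMER attributes none of the user-mode targets. Treat the "process-specific" list as a prompt to look, not a finding: the WININET entries appear only for Explorer because only Explorer has WININET.dll loaded.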

#8 namreg6360 (Full Member, 6 posts)

Posted 30 November 2009 - 08:32 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 30, 2009 22:32:32
Records in database: 3316453
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 166546
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:42:27

No threats found. Scanned area is clean.

Selected area has been scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:40 PM, on 11/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1213379939814
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rose-hulman.edu
O17 - HKLM\Software\..\Telephony: DomainName = rose-hulman.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rose-hulman.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: MIT_KFW - C:\WINDOWS\system32\kfwlogon.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O24 - Desktop Component 1: (no name) - http://i213.photobuc...pg?t=1229580337

--
End of file - 9690 bytes
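The HijackThis log above is the kind of text a helper reads by hand: a process list, then coded entries (`O4` autoruns, `O23` services, and so on). The script below is an added example, not part of the thread or of HijackThis; it parses that format and applies the two checks behind the thread's original `lsass.exe` question: a core Windows process name running from a directory other than its normal one, and a lookalike spelling (for example a capital `I` in place of the lowercase `l`). The sample log, the `Isass.exe` and profile-directory entries, and the `SystemRoot = C:\WINDOWS` assumption are constructed, modeled on the posted log.

```python
"""Triage helpers for HijackThis (HJT) log text: added example, not part of the thread or of HijackThis."""
import re

# Constructed sample in the format of the posted HJT log (the Isass.exe, Temp and
# Application Data entries are hypothetical test cases, not from the thread).
HJT_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Isass.exe
C:\Documents and Settings\user\Local Settings\Temp\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Application Data\svchost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
""".strip()

# Where the core Windows XP processes are expected to live (assumes SystemRoot = C:\WINDOWS,
# as in the posted log; Explorer lives one level up from System32).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|cpl)', re.IGNORECASE)
MSIE_RE = re.compile(r"^MSIE: Internet Explorer v[\d.]+ \(([\d.]+)\)$")
LOOKALIKE = str.maketrans("i10", "llo")   # characters commonly swapped to imitate a system name


def parse_hjt(text):
    """Split an HJT log into (header dict, running-process paths, [(code, body), ...] entries)."""
    header, processes, entries = {}, [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = MSIE_RE.match(line)
        if m:
            header["msie"] = tuple(int(x) for x in m.group(1).split("."))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return header, processes, entries


def extract_path(body):
    """First Windows file path in an O4/O23 entry body, or None (quotes and arguments stripped)."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def check_core_names(paths):
    """Flag core process names outside their expected directory, and lookalike spellings of them."""
    keys = {n.translate(LOOKALIKE) for n in EXPECTED_DIR}
    findings = []
    for p in paths:
        directory, _, name = p.rpartition("\\")
        lname = name.lower()
        if lname in EXPECTED_DIR:
            if directory.lower() != EXPECTED_DIR[lname]:
                findings.append(("wrong directory", p))
        elif lname.translate(LOOKALIKE) in keys:
            findings.append(("lookalike name", p))
    return findings


def triage(text):
    """Run the path checks over running processes plus the files behind O4 autoruns and O23 services."""
    header, processes, entries = parse_hjt(text)
    paths = list(processes)
    for code, body in entries:
        if code in ("O4", "O23"):
            p = extract_path(body)
            if p:
                paths.append(p)
    return {"msie": header.get("msie"), "process_count": len(processes),
            "entry_count": len(entries), "findings": check_core_names(paths)}


if __name__ == "__main__":
    for reason, path in triage(HJT_SAMPLE)["findings"]:
        print(f"{reason:16} {path}")
```

The checks are heuristics, not verdicts: a match on the genuine `C:\WINDOWS\system32\lsass.exe` (as in the log above) produces no finding, and a flagged file still has to be confirmed by its signature, hash, or vendor. The MSIE version tuple from the header is kept so the same pass can compare installed browser and plug-in versions against current releases.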

#9 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • 7,649 posts

Posted 01 December 2009 - 01:16 AM

Hello namreg6360

Well done! Your logs appear to be clean. Now for some tidying up.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Your McAfee antivirus is out of date. Please update it, run a scan, and let it fix whatever it finds.

You are using an obsolete version of Internet Explorer. I strongly recommend updating to the latest version, Internet Explorer 8.
Newer versions address many software vulnerabilities found in older versions, and include greater security features to protect your computer.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.


Download and save to your Desktop the latest version of the Java Runtime Environment (JRE) from here.

Please download JavaRa and unzip it to your Desktop.
***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted.
  • When JavaRa is finished, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Finally, install the Java you downloaded earlier.

Adobe Reader is out of date and older versions contain vulnerabilities. Please download the newest version from here.
Please uncheck Google toolbar unless you want to download it.

Please consider using an alternate pdf viewer. Sumatra PDF is a very good alternative.
Sumatra PDF is a slim, free and open-source pdf viewer.
Please remove all older versions of Adobe.
When you are finished, install the new version.

Now, please delete the Security Check folder, and the Gmer folder on the Desktop.

System Restore maintains a backup of your programs and may also backup infections, so please reset it to make a clean Restore Point.

Please do this:
On the Desktop, right-click My Computer > click Properties > click the System Restore tab.
Check Turn off System Restore.
Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.
Please wait a few moments to let it clear.
Now please remove the check from Turn off System Restore.
Click Apply, and then click OK.

System Restore will be working again and will have a new Restore Point.

Please let me know how the updates went, and if any problems remain.


Rocket Grannie
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#10 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • 7,649 posts

Posted 07 December 2009 - 04:44 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.



