• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
namreg6360

Hijack This Logfile

10 posts in this topic

I'm pretty sure lsass.exe is no good, but i'm not having any luck when trying to remove it. Suggestions? Also, is there anything else that is no good from my list?

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:05:22 PM, on 11/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Program Files\Pidgin\pidgin.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213379939814

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rose-hulman.edu

O17 - HKLM\Software\..\Telephony: DomainName = rose-hulman.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rose-hulman.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: MIT_KFW - C:\WINDOWS\system32\kfwlogon.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe

O24 - Desktop Component 1: (no name) - http://i213.photobucket.com/albums/cc162/

 

--

End of file - 9512 bytes

 

 

 

 

Thanks Much,

 

Namreg6360

Edited by namreg6360

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

 

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hello namreg6360. Welcome to SWI.

 

I’m pretty sure lsass.exe is no good, but i’m not having any luck when trying to remove it.

I’m very glad to hear that. The legitimate lsass.exe file is a vital system file.

Please see here for further information.

 

Now, download ATF Cleaner

Save it to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please download Malwarebytes’ Anti-Malware to your Desktop

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK for either of the prompts and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

 

Please use the Internet Explorer and run a BitDefender Online scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post: (You may have to use two posts.)

 

Security Check log.

MBAM log.

BitDefender Report.

A fresh HJT log.

 

Please give me detailed information about what problems you are having with the computer, and why you think lsass.exe is a bad file.

 

 

 

Rocket Grannie

Share this post


Link to post
Share on other sites

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Disabled!

McAfee VirusScan Enterprise

Antivirus out of date!

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

SpywareBlaster 4.2

Spybot - Search & Destroy

Windows Defender

HijackThis 2.0.2

Java 6 Update 11

Java 6 Update 6

Java 6 Update 7

Java SE Development Kit 6 Update 6

Java DB 10.3.1.4

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.4

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

`````````End of Log```````````

 

 

 

Malwarebytes' Anti-Malware 1.41

Database version: 3246

Windows 5.1.2600 Service Pack 3

 

11/27/2009 11:10:19 PM

mbam-log-2009-11-27 (23-10-19).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 310028

Time elapsed: 1 hour(s), 28 minute(s), 43 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gtk 2.0 (Rootkit.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Program Files\Common Files\GTK\2.0\uninst.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

Share this post


Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:32:05 PM, on 11/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Pidgin\pidgin.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213379939814

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rose-hulman.edu

O17 - HKLM\Software\..\Telephony: DomainName = rose-hulman.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rose-hulman.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: MIT_KFW - C:\WINDOWS\system32\kfwlogon.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe

O24 - Desktop Component 1: (no name) - http://i213.photobucket.com/albums/cc162/beepface/thuy.jpg?t=1229580337

 

--

End of file - 10030 bytes

 

 

 

I had some trouble with the bit defender scan. I received a message saying it couldn't be updated all the way, then it wouldn't scan at all.

 

I had read somewhere online that lsass.exe was a trojan, but i'll take your word that it's good. There's nothing really wrong with my computer other than it slowing down somewhat from original speed.

Share this post


Link to post
Share on other sites

Hello namreg6360

 

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

 

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

 

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Further, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

 

"When should I re-format? How should I reinstall?"

 

However, if you do not have the resources to reinstall your computer we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

 

If you wish to continue cleaning your computer, please do the following:

 

I noticed in your log you have more than one antispyware program running in resident mode. Ad-Aware, Spybot - Search & Destroy, and Windows Defender.

 

This is very dangerous, as multiple ASs can interfere with one another and actually allow MORE infections to get through.

It is important that only ONE antispyware program is running realtime protection.

I strongly suggest you either (1) uninstall two of the programs through Control Panel->Add or remove Programs,

OR (2) keep all the programs, but leave two of them disabled most of the time.

You can still use them for scanning your computer.

 

Note: It is only Spybot's Tea Timer feature which needs to be disabled.

 

Next, please run a GMER Rootkit scan:

 

Download GMER from here

 

Unzip it to the Desktop.

 

Please close any open programs/windows!

 

Open the program and click on the Rootkit/Malware tab.

http://www.gmer.net/files.php

 

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.

2wg8via.gif

 

Click on Scan (1).

jijosi.gif

 

When the scan is finished click Copy (2) and paste the results (if any) into this thread

 

Seeing BitDefender wouldn’t run, let’s try Kaspersky.

 

In Internet Explorer, please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your Desktop.
  • Copy and Paste that information in your next post.

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

 

Please post:

Gmer report.

Kaspersky report.

A fresh HJT log.

 

Rocket Grannie

Share this post


Link to post
Share on other sites

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-11-30 16:26:14

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\germanjd\LOCALS~1\Temp\uxdyrpoc.sys

 

 

---- System - GMER 1.0.15 ----

 

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9CC387B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA9CC37FB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9CC38A5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9CC380F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9CC383B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9CC38CF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9CC37E7]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9CC388F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9CC3825]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA9CC3851]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9CC3867]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9CC38E5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9CC38B9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A9CC38BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A9CC387F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A9CC38D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A9CC38E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A9CC3893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A9CC38A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A9CC386B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A9CC3855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A9CC3829 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 2 Bytes JMP A9CC37FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey + 3 806237B5 2 Bytes [6A, 29] {PUSH 0x29}

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A9CC3813 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A9CC383F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A9CC37EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8730360, 0x349347, 0xE8000020]

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C4000A

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40F77

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C4006C

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40F9E

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40FAF

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40036

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C400BF

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C400A4

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C400E1

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40F52

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C400FC

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40051

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C4001B

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40087

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40FCA

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40FDB

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C400D0

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C3002F

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F8D

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30014

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FDE

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30FA8

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30FEF

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C30040

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FC3

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FC1

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20042

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20027

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FD2

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C2000C

.text C:\WINDOWS\system32\svchost.exe[216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C1000A

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40000

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A40F8F

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40084

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40073

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A40062

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40FC0

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A4009F

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40F57

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40F24

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40F35

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A40F13

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40047

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40011

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A40F74

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40FD1

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40022

.text C:\WINDOWS\system32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A40F46

.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A3001B

.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30F8A

.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30000

.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30FCA

.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30047

.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30FE5

.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A30036

.text C:\WINDOWS\system32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30FB9

.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20FE5

.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20070

.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20044

.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20000

.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20055

.text C:\WINDOWS\system32\svchost.exe[448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A2001D

.text C:\WINDOWS\system32\svchost.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10FE5

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01D70000

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01D70084

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01D70F8F

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01D70069

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01D70058

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01D7003D

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01D700B2

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01D70F6A

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01D700E8

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01D700CD

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01D700F9

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01D70FB6

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01D70FE5

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01D70095

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01D7002C

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01D7001B

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01D70F4F

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01D60FE5

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01D60FB9

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01D60040

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01D60025

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01D60FCA

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01D60000

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01D6006C

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01D6005B

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01D50045

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 01D5002A

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01D50FC1

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01D50FE3

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01D50FB0

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01D50FD2

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01D40000

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F61

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F72

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070040

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F83

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FA8

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0007008E

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070073

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F06

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0007009F

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070EEB

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070025

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070014

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F46

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FB9

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4

.text C:\WINDOWS\system32\services.exe[1112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F2B

.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060036

.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F9B

.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060025

.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FEF

.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FB6

.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000

.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060062

.text C:\WINDOWS\system32\services.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060047

.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FAD

.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050042

.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD2

.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF

.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050027

.text C:\WINDOWS\system32\services.exe[1112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005000C

.text C:\WINDOWS\system32\services.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E20FEF

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E20F6D

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E20F92

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E2006C

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E20051

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E2002F

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E2009F

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E2008E

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E20F2B

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E20F3C

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E200DF

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E20040

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E20FDE

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E2007D

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E2001E

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E20FCD

.text C:\WINDOWS\system32\lsass.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E200BA

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E10025

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E10F94

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E10FD4

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E10FE5

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E1005B

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E1000A

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E10FB9

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [01, 89]

.text C:\WINDOWS\system32\lsass.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E10036

.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00F90

.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FA1

.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E00FCD

.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00FEF

.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00FBC

.text C:\WINDOWS\system32\lsass.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E00FDE

.text C:\WINDOWS\system32\lsass.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0000

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FA0FEF

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FA0F69

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FA005E

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FA0F90

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FA0FA1

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FA0028

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FA0085

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FA0F3D

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FA0F0E

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FA00A7

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FA0EFD

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FA0043

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FA0FD4

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FA0F58

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FA0FB2

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FA0FC3

.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FA0096

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90000

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90F72

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F90FAF

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F90FCA

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F9002F

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90FEF

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F90F8D

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [19, 89]

.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F90F9E

.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F80049

.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F8002E

.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F8001D

.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80FEF

.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F80FC8

.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F8000C

.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70FE5

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60FA0

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D6008B

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60FBD

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D6007A

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60058

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F60

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F7B

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600CD

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F34

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D600E8

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60069

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D6001B

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D600A6

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60047

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D6002C

.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D60F4F

.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FC0

.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F94

.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FDB

.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D5001B

.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50051

.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50000

.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D50040

.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FAF

.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40FA8

.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40FB9

.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FD4

.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D4000C

.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40029

.text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40FEF

.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D3000A

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014E0000

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014E0F48

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014E0F63

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014E0F8A

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014E003D

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014E0FB6

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014E0F1A

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014E0062

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014E00A2

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014E0EFF

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014E00B3

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 014E0F9B

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 014E0FDB

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 014E0F37

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 014E0022

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 014E0011

.text C:\WINDOWS\Explorer.EXE[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014E0073

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014D0FBC

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014D0057

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014D0FCD

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014D0FDE

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014D0F9A

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014D0FEF

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 014D0FAB

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [6D, 89]

.text C:\WINDOWS\Explorer.EXE[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014D0032

.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0F86

.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0011

.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FAB

.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FE3

.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0000

.text C:\WINDOWS\Explorer.EXE[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FD2

.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C60FEF

.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C60FCA

.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C60FB9

.text C:\WINDOWS\Explorer.EXE[1432] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C60FA8

.text C:\WINDOWS\Explorer.EXE[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C7000A

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0090

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0075

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0064

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0047

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0036

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00CD

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD00B2

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD011E

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0103

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD012F

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FAF

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FEF

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD00A1

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FD4

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD001B

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00DE

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FCA

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F9E

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093001B

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!Reg

Share this post


Link to post
Share on other sites

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, November 30, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, November 30, 2009 22:32:32

Records in database: 3316453

--------------------------------------------------------------------------------

 

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

 

Scan area - My Computer:

C:\

D:\

 

Scan statistics:

Objects scanned: 166546

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 01:42:27

 

No threats found. Scanned area is clean.

 

Selected area has been scanned.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:31:40 PM, on 11/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213379939814

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rose-hulman.edu

O17 - HKLM\Software\..\Telephony: DomainName = rose-hulman.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rose-hulman.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rose-hulman.edu,dhcp.rose-hulman.edu

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: MIT_KFW - C:\WINDOWS\system32\kfwlogon.dll

O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe

O24 - Desktop Component 1: (no name) - http://i213.photobucket.com/albums/cc162/beepface/thuy.jpg?t=1229580337

 

--

End of file - 9690 bytes

Share this post


Link to post
Share on other sites

Hello namreg6360

 

Well done! Your logs appear to be clean. Now for some tidying up.

 

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Your McAfee antivirus is out of date. Please update it, run a scan, and let it fix whatever it finds.

 

You are using an obsolete version of Internet Explorer. I strongly recommend updating to the latest version, Internet Explorer 8.

Newer versions address many software vulnerabilities found in older versions, and include greater security features to protect your computer.

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

 

Download and save to your Desktop the latest version of the Java Runtime Environment (JRE) from here.

 

Please download JavaRa and unzip it to your Desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted.
  • When JavaRa is finished, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Finally, install the Java you downloaded earlier.

 

Adobe Reader is out of date and older versions contain vulnerabilities. Please download the newest version from here

Please uncheck Google toolbar unless you want to download it.

 

Please consider using an alternate pdf viewer. Sumatra PDF is a very good alternative.

Sumatra PDF is a slim, free and open-source pdf viewer.

Please remove all older versions of Adobe.

When you are finished, install the new version.

 

Now, please delete the Security Check folder, and the Gmer folder on the Desktop.

 

System Restore maintains a backup of your programs and may also backup infections, so please reset it to make a clean Restore Point.

 

Please do this:

On the Desktop, right-click My Computer > click Properties > click the System Restore tab.

Check Turn off System Restore.

Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.

Please wait a few moments to let it clear.

Now please remove the check from Turn off System Restore.

Click Apply, and then click OK.

 

System Restore will be working again and will have a new Restore Point.

 

Please let me know how the updates went, and if any problems remain.

 

 

Rocket Grannie

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0