TechSpot

High level disk activity and slow running in outlook

By pendragon19600
Mar 18, 2011
  1. Hi,
    I hope you can help me.
    I am running Windows XP through a virtual machine on my MacBook. I use Parallels 6 and McAfee AV. Everything was working fine, but I now have a machine that is slow to respond when I press send or save. In Word, saving files is very slow.
    I have up-to-date definitions and McAfee is finding nothing.

    Attached are the logs.

    Thank you,

    Chris
     


  2. Bobbye


    Chris, you've been a member for a while, so you may not have realized that we have updated the preliminary scans and that all logs must now be pasted into the reply.

    Please run whatever you have not (Malwarebytes), complete any other steps like TFC and Java update. Paste the 2 DDS logs and the GMER log, along with the Mbam log into your next reply.

    Here are the current steps: Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. pendragon19600


    Here are the pasted logs

    I have run the files as requested and here are the pasted logs. I hope I've done it right this time. GMER will be pasted separately.



    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Administrator at 15:25:16.48 on 18/03/2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.405 [GMT 0:00]
    .
    AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe
    C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
    C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
    C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    \\psf\Home\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    mWinlogon: Userinit=Userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Parallels Shared Internet Applications] "c:\program files\parallels\parallels tools\sia\SharedIntApp.exe" /start
    mRun: [Parallels Tools Center] "c:\program files\parallels\parallels tools\prl_cc.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    uPolicies-explorer: NoSimpleNetIDList = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {0DAFD86E-BB02-4687-8478-760E1A3CFE56} - hxxp://passport.hhi.co.kr/setup/ZsSecurePassport.ocx
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283071187515
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283071169203
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [2008-12-30 23880]
    R0 prl_strg;Parallels paravirt disk filter;c:\windows\system32\drivers\prl_strg.sys [2011-2-15 29640]
    R0 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [2009-1-19 24008]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
    R1 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2011-3-15 34248]
    R1 prl_boot;prl_boot;c:\windows\system32\drivers\prl_boot.sys [2011-2-17 38216]
    R1 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [2008-12-29 149448]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2011-3-15 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2011-3-15 144704]
    R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\parallels\parallels tools\services\coherence.exe [2011-2-17 28488]
    R2 Parallels Tools Service;Parallels Tools Service;c:\program files\parallels\parallels tools\services\prl_tools_service.exe [2011-2-17 186696]
    R2 prl_memdev;Parallels Memdev Driver;c:\windows\system32\drivers\prl_memdev.sys [2011-3-15 15176]
    R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [2011-3-15 15816]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2011-3-15 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-15 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-15 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2011-3-15 40552]
    R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2009-4-1 43640]
    R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [2009-1-19 18376]
    R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [2009-1-19 16200]
    R3 prl_sound;Parallels Audio Controller;c:\windows\system32\drivers\prl_sound.sys [2011-2-15 45896]
    R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [2009-1-19 25928]
    S2 0231071300460218mcinstcleanup;McAfee Application Installer Cleanup (0231071300460218);c:\windows\temp\023107~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\023107~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-1-17 30192]
    .
    =============== Created Last 30 ================
    .
    2011-03-18 14:32:48 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2011-03-18 14:29:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-18 14:28:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-18 14:28:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-18 14:28:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-15 21:17:53 15176 ----a-w- c:\windows\system32\drivers\prl_memdev.sys
    2011-03-15 21:17:08 15816 ----a-w- c:\windows\system32\drivers\prl_time.sys
    2011-03-15 12:08:02 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-03-15 12:08:02 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2011-03-15 12:08:02 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-03-15 12:08:00 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2011-03-15 12:07:44 -------- d-----w- c:\program files\common files\McAfee
    2011-03-15 12:07:43 -------- d-----w- c:\program files\McAfee.com
    2011-03-15 12:07:31 -------- d-----w- c:\program files\McAfee
    2011-03-15 12:06:24 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2011-03-15 06:46:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2011-03-15 06:46:38 -------- d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
    2011-03-15 06:44:56 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-03-04 11:38:02 -------- d-----w- c:\windows\pss
    2011-02-17 06:16:24 38216 ----a-w- c:\windows\system32\drivers\prl_boot.sys
    .
    ==================== Find3M ====================
    .
    2011-02-17 06:16:58 194376 ----a-w- c:\windows\system32\prl_vadd.dll
    2011-02-17 06:08:16 101376 ----a-w- c:\windows\system32\prl_np.dll
    2011-02-17 06:07:16 187392 ----a-w- c:\windows\system32\prl_gl.dll
    .
    ============= FINISH: 15:26:50.82 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 19/01/2009 11:24:29
    System Uptime: 18/03/2011 14:52:57 (1 hours ago)
    .
    Motherboard: Parallels Software International Inc. | | Parallels Virtual Platform
    Processor: Intel Pentium III Xeon processor | CPU Socket #0 | 2000/333mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 32 GiB total, 21.107 GiB free.
    D: is CDROM ()
    Y: is NetworkDisk (PrlSF) - 149 GiB total, 51.436 GiB free.
    Z: is NetworkDisk (PrlSF) - 149 GiB total, 51.436 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP492: 14/01/2011 09:51:52 - System Checkpoint
    RP493: 17/01/2011 10:41:13 - System Checkpoint
    RP494: 18/01/2011 11:42:10 - System Checkpoint
    RP495: 19/01/2011 12:05:08 - System Checkpoint
    RP496: 20/01/2011 14:16:02 - System Checkpoint
    RP497: 24/01/2011 14:51:16 - System Checkpoint
    RP498: 25/01/2011 15:48:43 - System Checkpoint
    RP499: 28/01/2011 09:35:32 - System Checkpoint
    RP500: 31/01/2011 08:34:26 - System Checkpoint
    RP501: 01/02/2011 08:46:51 - System Checkpoint
    RP502: 01/02/2011 19:29:49 - Printer Driver Microsoft Office Document Image Writer Installed
    RP503: 03/02/2011 14:27:08 - System Checkpoint
    RP504: 04/02/2011 15:20:44 - System Checkpoint
    RP505: 06/02/2011 12:56:40 - System Checkpoint
    RP506: 07/02/2011 15:02:05 - System Checkpoint
    RP507: 08/02/2011 15:32:54 - System Checkpoint
    RP508: 10/02/2011 08:27:22 - System Checkpoint
    RP509: 11/02/2011 09:09:53 - System Checkpoint
    RP510: 13/02/2011 15:28:17 - System Checkpoint
    RP511: 14/02/2011 15:37:22 - System Checkpoint
    RP512: 14/02/2011 21:40:11 - Installed FranklinCovey PlanPlus for Microsoft Outlook.
    RP513: 15/02/2011 11:47:51 - Removed Parallels Tools.
    RP514: 15/02/2011 11:48:31 - Installed Parallels Tools.
    RP515: 16/02/2011 15:00:23 - System Checkpoint
    RP516: 17/02/2011 15:10:41 - System Checkpoint
    RP517: 21/02/2011 09:22:04 - System Checkpoint
    RP518: 22/02/2011 22:31:28 - System Checkpoint
    RP519: 24/02/2011 09:26:37 - System Checkpoint
    RP520: 26/02/2011 18:10:55 - System Checkpoint
    RP521: 28/02/2011 11:21:38 - System Checkpoint
    RP522: 01/03/2011 11:59:34 - System Checkpoint
    RP523: 02/03/2011 12:54:36 - System Checkpoint
    RP524: 03/03/2011 16:05:33 - System Checkpoint
    RP525: 03/03/2011 20:22:36 - Removed FranklinCovey PlanPlus for Microsoft Outlook.
    RP526: 03/03/2011 20:44:52 - Printer Driver Microsoft Office Document Image Writer Installed
    RP527: 04/03/2011 10:37:53 - Printer Driver Microsoft Office Document Image Writer Installed
    RP528: 05/03/2011 16:42:52 - System Checkpoint
    RP529: 07/03/2011 09:45:34 - System Checkpoint
    RP530: 08/03/2011 10:28:14 - System Checkpoint
    RP531: 09/03/2011 11:06:53 - System Checkpoint
    RP532: 10/03/2011 11:46:55 - System Checkpoint
    RP533: 11/03/2011 11:57:21 - System Checkpoint
    RP534: 14/03/2011 09:35:38 - System Checkpoint
    RP535: 15/03/2011 10:25:29 - System Checkpoint
    RP536: 15/03/2011 12:00:55 - Removed McAfee VirusScan Enterprise
    RP537: 15/03/2011 21:15:58 - Removed Parallels Tools.
    RP538: 15/03/2011 21:16:46 - Installed Parallels Tools.
    RP539: 17/03/2011 09:19:06 - System Checkpoint
    RP540: 18/03/2011 09:53:59 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.0
    Apple Software Update
    Autodesk NavisWorks Freedom 2009
    Bonjour
    CCleaner
    Compatibility Pack for the 2007 Office system
    e-Expenses installer
    Google Desktop
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB981793)
    Java Auto Updater
    Java(TM) 6 Update 22
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Communicator 2007
    Microsoft Office Communicator 2007, MUI
    Microsoft Office Live Meeting 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visio 2007 Service Pack 2 (SP2)
    Microsoft Office Visio MUI (English) 2007
    Microsoft Office Visio Professional 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft_VC90_CRT_x86
    MSVCRT
    MSXML 6.0 Parser
    NavisWorks Freedom 2009
    OGA Notifier 2.0.0048.0
    OutlookTempCleaner
    Parallels Tools
    SecurePassport Client 1.6
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio 2007 (KB982127)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Spybot - Search & Destroy
    Stellar Phoenix Outlook PST Repair v3.0
    SUPERAntiSpyware
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973815)
    Visual C++ 8.0 ATL (x86) WinSXS MSM
    Visual C++ 8.0 CRT (x86) WinSXS MSM
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows XP Service Pack 3
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    18/03/2011 10:58:27, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Services service, but this action failed with the following error: An instance of the service is already running.
    18/03/2011 10:57:27, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    15/03/2011 21:24:22, error: Service Control Manager [7000] - The SABProcEnum service failed to start due to the following error: The system cannot find the file specified.
    14/03/2011 20:53:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Pml Driver HPZ12 service to connect.
    14/03/2011 20:53:44, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6098

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    18/03/2011 14:43:20
    mbam-log-2011-03-18 (14-43-20).txt

    Scan type: Quick scan
    Objects scanned: 137375
    Time elapsed: 8 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (userinit.exe,C:\WINDOWS\system\svchost.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-03-18 15:47:40
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Virtual__HDD_[0] rev.FWR10003
    Running: iz0lz9p9.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kflyifoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2595620]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB248878B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB2488822]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2488739]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB248874D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2488836]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2488862]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB24888D0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB24888BA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB24887CB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB24888FC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB248880E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2488711]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2488725]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB248879F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2488938]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB24888A4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB248888E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB248884C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2488924]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB2488910]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2488777]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2488763]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB2488878]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB24888E6]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB24887E1]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB24887B5]
    Code 6A314201 KeFindConfigurationNextEntry
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B24887B9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP B248878F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP B24887CF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP B24887E5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP B24887A3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP B2488715 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP B2488729 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DD4 5 Bytes JMP B2488767 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP B2488751 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP B248873D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 805C79AA 5 Bytes JMP B248877B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP B2488892 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP B248887C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 7 Bytes JMP B24888EA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619492 7 Bytes JMP B24888A8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP B2488850 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP B2488826 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP B248883A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP B2488866 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 7 Bytes JMP B24888D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADFA 7 Bytes JMP B24888BE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP B2488812 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryKey 8061BA64 7 Bytes JMP B248893C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRestoreKey 8061BD24 5 Bytes JMP B2488914 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwReplaceKey 8061C418 5 Bytes JMP B2488928 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C532 5 Bytes JMP B2488900 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    -
     
  4. pendragon19600

    pendragon19600 TS Rookie Topic Starter Posts: 19

    GMER File

    GMER FILE says it is too big to post. Am I doing something wrong?

    I have attached it.
     

    Attached Files:

  5. pendragon19600

    pendragon19600 TS Rookie Topic Starter Posts: 19

    Trying to put GMER in two parts

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-03-18 15:47:40
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Virtual__HDD_[0] rev.FWR10003
    Running: iz0lz9p9.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kflyifoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB2595620]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB248878B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB2488822]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2488739]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB248874D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2488836]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2488862]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB24888D0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB24888BA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB24887CB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB24888FC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB248880E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2488711]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2488725]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB248879F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2488938]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB24888A4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB248888E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB248884C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2488924]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB2488910]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2488777]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2488763]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB2488878]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB24888E6]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB24887E1]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB24887B5]
    Code 6A314201 KeFindConfigurationNextEntry
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B24887B9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP B248878F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP B24887CF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP B24887E5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP B24887A3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP B2488715 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP B2488729 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DD4 5 Bytes JMP B2488767 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP B2488751 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP B248873D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 805C79AA 5 Bytes JMP B248877B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP B2488892 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP B248887C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 7 Bytes JMP B24888EA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619492 7 Bytes JMP B24888A8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP B2488850 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 8061A344 5 Bytes JMP B2488826 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP B248883A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP B2488866 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 7 Bytes JMP B24888D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADFA 7 Bytes JMP B24888BE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 8061B722 5 Bytes JMP B2488812 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryKey 8061BA64 7 Bytes JMP B248893C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRestoreKey 8061BD24 5 Bytes JMP B2488914 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwReplaceKey 8061C418 5 Bytes JMP B2488928 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C532 5 Bytes JMP B2488900 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007A0000
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007A005F
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007A0F74
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007A004E
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007A0F9B
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007A003D
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007A0F3C
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007A0F59
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007A00B0
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007A009F
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007A00CB
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007A0FAC
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007A0FE5
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007A007A
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007A002C
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007A001B
    .text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007A0F2B
    .text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00790FC3
    .text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00790F7C
    .text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0079000A
    .text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00790FD4
    .text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00790F8D
    .text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00790FEF
    .text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00790039
    .text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00790FA8
    .text C:\WINDOWS\System32\svchost.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00780F9C
    .text C:\WINDOWS\System32\svchost.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00780FAD
    .text C:\WINDOWS\System32\svchost.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0078001D
    .text C:\WINDOWS\System32\svchost.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00780FE3
    .text C:\WINDOWS\System32\svchost.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780FBE
    .text C:\WINDOWS\System32\svchost.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00780000
    .text C:\WINDOWS\System32\svchost.exe[784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00770FE5
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070084
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070073
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070058
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070047
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070036
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700D7
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700BC
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F48
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F59
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700F2
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FA5
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FD4
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070095
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070025
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007000A
    .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F74
    .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060F9E
    .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F68
    .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FB9
    .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
    .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060025
    .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
    .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006000A
    .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060F8D
    .text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050049
    .text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050038
    .text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD2
    .text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
    .text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050027
    .text C:\WINDOWS\system32\services.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FE3
    .text C:\WINDOWS\system32\services.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0FEF
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF0097
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF0FA2
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF007A
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF0069
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF003D
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF00C5
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF0F7D
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF010C
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF00FB
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DF0131
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DF0058
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DF0000
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DF00A8
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DF002C
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DF0011
    .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DF00E0
    .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DE001B
    .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DE0FA5
    .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DE0FCA
    .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DE0FE5
    .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DE0062
    .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DE0000
    .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DE0047
    .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DE0036
    .text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20F8B
    .text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20016
    .text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FB7
    .text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF
    .text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FA6
    .text C:\WINDOWS\system32\lsass.exe[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FDE
    .text C:\WINDOWS\system32\lsass.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90FE5
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024A0000
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024A0F66
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024A0F77
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024A0F92
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024A0051
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024A002C
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024A0F1D
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024A0F3A
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024A0EF1
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024A008A
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024A0ED6
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024A0FAF
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024A0011
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024A0F4B
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 024A0FCA
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 024A0FDB
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024A0F0C
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0249001B
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02490F6F
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02490FCA
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0249000A
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02490F8A
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02490FEF
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02490FA5
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [69, 8A]
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0249002C
    .text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FCD
    .text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF004E
    .text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0022
    .text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
    .text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0033
    .text C:\WINDOWS\system32\svchost.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0011
    .text C:\WINDOWS\system32\svchost.exe[1116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40000
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B4006E
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B4005D
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40F79
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40036
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B4001B
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40F4D
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40095
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F2B
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B40F3C
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B400DF
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40F94
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FE5
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40F68
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40FAF
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40FCA
    .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B400BA
    .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B3001B
    .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30058
    .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30FCA
    .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B30FEF
    .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B30FA5
    .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B3000A
    .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B30047
    .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B3002C
    .text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20FA8
    .text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20033
    .text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20FCD
    .text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20FEF
    .text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20022
    .text C:\WINDOWS\system32\svchost.exe[1200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FDE
    .text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B10000
    .text C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe[1208] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 004025C0 C:\Program Files\Parallels\Parallels Tools\Services\prl_hook.dll (Parallels Helper Hook/Parallels Holdings, Ltd. and its affiliates.)
    .text C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe[1208] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 004025F0 C:\Program Files\Parallels\Parallels Tools\Services\prl_hook.dll (Parallels Helper Hook/Parallels Holdings, Ltd. and its affiliates.)
    .text C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe[1208] USER32.dll!UpdateLayeredWindow 7E42ACF3 5 Bytes JMP 004040D0 C:\Program Files\Parallels\Parallels Tools\Services\prl_hook.dll (Parallels Helper Hook/Parallels Holdings, Ltd. and its affiliates.)
    .text C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe[1208] USER32.dll!SetLayeredWindowAttributes 7E42CE12 5 Bytes JMP 00403BE0 C:\Program Files\Parallels\Parallels Tools\Services\prl_hook.dll (Parallels Helper Hook/Parallels Holdings, Ltd. and its affiliates.)
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03BF0000
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03BF0F79
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03BF0F94
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03BF006C
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03BF005B
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03BF0036
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03BF00A6
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03BF0089
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03BF0F1E
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03BF0F2F
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03BF00DC
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03BF0FAF
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03BF0FE5
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03BF0F5E
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03BF0FCA
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03BF001B
    .text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03BF00B7
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03BE0039
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03BE0FA1
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03BE0FDE
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03BE0014
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03BE0FBC
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03BE0FEF
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03BE0FCD
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 8B]
    .text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03BE0054
    .text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03BD0F9C
    .text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!system 77C293C7 5 Bytes JMP 03BD0FB7
    .text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03BD0FD2
    .text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03BD000C
    .text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03BD0027
    .text C:\WINDOWS\System32\svchost.exe[1324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03BD0FE3
    .text C:\WINDOWS\System32\svchost.exe[1324] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03360FEF
    .text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 03380FD4
    .text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 03380FE5
    .text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 03380FC3
    .text C:\WINDOWS\System32\svchost.exe[1324] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 03380FA8
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007D0000
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007D009B
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007D0FA6
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007D0FB7
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007D0076
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007D0FD4
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007D0F7A
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007D00C0
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007D0102
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007D00E7
     
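The GMER "User code sections" output above is a flat list of inline hooks: one line per patched export, naming the process and PID, the hooked DLL and function, the patched address and byte count, and, for a `JMP`, the target address plus the owning module when GMER could attribute it (the Parallels entries resolve to `prl_hook.dll`; the `svchost.exe`, `Explorer.EXE`, Office and `iexplore.exe` entries carry no owner). Reading hundreds of such lines by eye is error-prone, so here is an added example (not part of the thread, and not a GMER tool) that parses GMER 1.0.15 hook lines, groups them per process, and separates `JMP` targets that GMER attributed to a module from those it did not, keyed by 64 KiB allocation block so you can see how many distinct trampoline regions a process carries. The sample input is a handful of lines copied from the log in this thread; which module actually owns the unattributed targets is not shown in the log and the script does not guess it.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER 1.0.15 "User code sections"
# output posted in this thread (a few representative entries, not the full log).
SAMPLE_LOG = r"""
.text C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe[1208] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 004025C0 C:\Program Files\Parallels\Parallels Tools\Services\prl_hook.dll (Parallels Helper Hook/Parallels Holdings, Ltd. and its affiliates.)
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03BF0000
.text C:\WINDOWS\System32\svchost.exe[1324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03BF0F1E
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03BE0039
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03BE0FCD
.text C:\WINDOWS\System32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 8B]
.text C:\WINDOWS\System32\svchost.exe[1324] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03360FEF
.text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017D0F6F
"""

# One GMER user-mode hook line:
#   .text <process path>[<pid>] <dll>!<func>[ + N] <addr> <n> Byte(s) <patch>
# where <patch> is either "JMP <target> [<owner module> (<description>)]"
# or a raw byte list such as "[DE, 8B]".
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<dll>[^!\s]+)!(?P<func>\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes? "
    r"(?P<patch>.*)$"
)
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-Fa-f]{8})(?: (?P<owner>.+))?$")


def parse_hooks(text):
    """Return one dict per parsed hook line; lines that do not match are skipped."""
    hooks = []
    for raw in text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["addr"] = int(rec["addr"], 16)
        rec["size"] = int(rec["size"])
        j = JMP_RE.match(rec["patch"])
        if j:
            rec["kind"] = "jmp"
            rec["target"] = int(j.group("target"), 16)
            # None when GMER printed no module for the jump target.
            rec["owner"] = j.group("owner")
        else:
            rec["kind"] = "bytes"      # continuation bytes or a partial patch
            rec["target"] = None
            rec["owner"] = None
        hooks.append(rec)
    return hooks


def summarize(hooks):
    """Group hooks by (process, pid): hooked DLLs, attributed owners, and the
    64 KiB blocks (Windows allocation granularity) holding unattributed targets."""
    by_proc = defaultdict(lambda: {
        "hooks": 0, "dlls": set(), "attributed_owners": set(), "unattributed_pages": set()})
    for h in hooks:
        s = by_proc[(h["proc"], h["pid"])]
        s["hooks"] += 1
        s["dlls"].add(h["dll"])
        if h["kind"] != "jmp":
            continue
        if h["owner"]:
            # Drop GMER's trailing "(description)" so the set holds module paths only.
            s["attributed_owners"].add(h["owner"].split(" (")[0])
        else:
            s["unattributed_pages"].add(h["target"] >> 16)
    return dict(by_proc)


def hooked_apis(hooks):
    """Sorted set of dll!function names with a real patch (ignores '+ N' continuation lines)."""
    return sorted({f'{h["dll"]}!{h["func"]}' for h in hooks if " + " not in h["func"]})


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    for (proc, pid), s in summarize(parsed).items():
        pages = ", ".join(f"{p:04X}xxxx" for p in sorted(s["unattributed_pages"])) or "-"
        owners = ", ".join(sorted(s["attributed_owners"])) or "-"
        print(f"{proc}[{pid}]: {s['hooks']} hooks in {sorted(s['dlls'])}")
        print(f"    attributed to: {owners}")
        print(f"    unattributed target blocks: {pages}")
    print("hooked APIs:", hooked_apis(parsed))
```

Run it over the full pasted log (replace `SAMPLE_LOG` with the file contents) to get, per process, how many distinct unattributed trampoline blocks exist and which APIs they cover. In this log the pattern is uniform across processes: one block per hooked DLL, with file, process and library-loading calls, registry key creation, `socket` and the `InternetOpen*` family all redirected. The next step an analyst would take is to map those blocks against each process's loaded-module list, since the log itself does not say what lives there.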
  6. pendragon19600

    pendragon19600 TS Rookie Topic Starter Posts: 19

    2nd part of GMER

    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007D0F4E
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007D005B
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007D001B
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007D0F95
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007D0036
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007D0FE5
    .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007D0F69
    .text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 003A002C
    .text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 003A007D
    .text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 003A001B
    .text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 003A0FE5
    .text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 003A0FC0
    .text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 003A0000
    .text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 003A0058
    .text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 003A0047
    .text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00390053
    .text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 0039002E
    .text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0039001D
    .text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00390FE3
    .text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00390FBE
    .text C:\WINDOWS\system32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00390000
    .text C:\WINDOWS\system32\svchost.exe[1360] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00380FE5
    .text C:\WINDOWS\system32\svchost.exe[1360] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00380000
    .text C:\WINDOWS\system32\svchost.exe[1360] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00380FD4
    .text C:\WINDOWS\system32\svchost.exe[1360] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00380FAD
    .text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 3 Bytes JMP 0037000A
    .text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket + 4 71AB4215 1 Byte [8E]
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00860FEF
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00860082
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00860F8D
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00860FA8
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0086005B
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00860040
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008600BA
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00860F72
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00860F46
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008600DF
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00860F35
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00860FB9
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0086000A
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0086009D
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0086002F
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00860FD4
    .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00860F61
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00850FCA
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0085006C
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00850FDB
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0085001B
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0085005B
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00850000
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00850FB9
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A5, 88]
    .text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00850036
    .text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00840FBE
    .text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00840FCF
    .text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0084002E
    .text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0084000C
    .text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0084003F
    .text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0084001D
    .text C:\WINDOWS\system32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E0FEF
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C0006C
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00F6D
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F88
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00051
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00FB9
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C000AE
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00093
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C000F5
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C000DA
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00F37
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00040
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C0000A
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00F5C
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FD4
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00025
    .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C000C9
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0FCA
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0F97
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF001B
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FE5
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0054
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0FA8
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]
    .text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FB9
    .text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0FA8
    .text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0033
    .text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0022
    .text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
    .text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FC3
    .text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FDE
    .text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007A0000
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007A0062
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007A0F6D
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007A0F8A
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007A0047
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007A001B
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007A0F2B
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007A0F3C
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007A009F
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007A0F06
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007A00BA
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007A0036
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007A0FE5
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007A0073
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007A0FB9
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007A0FCA
    .text C:\WINDOWS\System32\svchost.exe[1836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007A0084
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00790011
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00790047
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00790FCA
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00790FDB
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0079002C
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00790000
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00790F94
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [99, 88]
    .text C:\WINDOWS\System32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00790FA5
    .text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00780F88
    .text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 0078001D
    .text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00780FC8
    .text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00780FEF
    .text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780FB7
    .text C:\WINDOWS\System32\svchost.exe[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0078000C
    .text C:\WINDOWS\System32\svchost.exe[1836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00770FEF
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 017D0FEF
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 017D0089
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 017D0078
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 017D0F9E
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 017D0051
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 017D0025
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 017D00DC
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 017D00B5
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017D0112
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017D0F6F
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 017D0123
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 017D0040
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 017D0FDE
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 017D009A
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 017D000A
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 017D0FC3
    .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 017D00ED
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0177001B
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01770036
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01770FD4
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01770000
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01770F79
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01770FE5
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01770F8A
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [97, 89]
    .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01770FA5
    .text C:\WINDOWS\Explorer.EXE[1984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70042
    .text C:\WINDOWS\Explorer.EXE[1984] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FB7
    .text C:\WINDOWS\Explorer.EXE[1984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FD2
    .text C:\WINDOWS\Explorer.EXE[1984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FEF
    .text C:\WINDOWS\Explorer.EXE[1984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70031
    .text C:\WINDOWS\Explorer.EXE[1984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D7000C
    .text C:\WINDOWS\Explorer.EXE[1984] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00D60FE5
    .text C:\WINDOWS\Explorer.EXE[1984] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D60000
    .text C:\WINDOWS\Explorer.EXE[1984] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D6001B
    .text C:\WINDOWS\Explorer.EXE[1984] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D6002C
    .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FEF
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0098
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0087
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0076
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0FC3
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0051
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0F7E
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB00D0
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB0F5C
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB00F5
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB011A
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB0FD4
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0FEF
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB00B3
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0040
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB002F
    .text C:\WINDOWS\system32\svchost.exe[2124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB0F6D
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA0022
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA0F79
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA0011
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA0000
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0F8A
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA0FE5
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CA0F9B
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP 50C03388
    .text C:\WINDOWS\system32\svchost.exe[2124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA0FB6
    .text C:\WINDOWS\system32\svchost.exe[2124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C90055
    .text C:\WINDOWS\system32\svchost.exe[2124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C90FCA
    .text C:\WINDOWS\system32\svchost.exe[2124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C90029
    .text C:\WINDOWS\system32\svchost.exe[2124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C90FEF
    .text C:\WINDOWS\system32\svchost.exe[2124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C9003A
    .text C:\WINDOWS\system32\svchost.exe[2124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C90018
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FEF
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F72
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260F83
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0026005D
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260040
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260FA8
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002600A9
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F61
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F2B
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F46
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00260F1A
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260025
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0026000A
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0026008C
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260FB9
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FD4
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002600C4
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360040
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360F97
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FEF
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0036001B
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360FA8
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0036000A
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00360FB9
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [56, 88]
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360FD4
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370FC3
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] msvcrt.dll!system 77C293C7 5 Bytes JMP 0037004E
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FEF
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370000
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FD4
    .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[2192] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0037001D
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FE5
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F29
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260F3A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F57
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260014
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260F83
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260EE2
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260EF3
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260EBD
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260060
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0026007B
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260F72
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FCA
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260F04
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260F94
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FB9
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0026004F
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0035003B
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] msvcrt.dll!system 77C293C7 5 Bytes JMP 00350FA6
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00350FD2
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00350000
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00350FC1
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00350FE3
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360022
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360058
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FDB
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360011
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360F9B
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360000
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00360FB6
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [56, 88]
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360033
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00380000
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00380FE5
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00380011
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00380FBE
    .text C:\Program Files\Internet Explorer\iexplore.exe[2632] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [614AAE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [614A9C27] C:\
     
  7. pendragon19600

    pendragon19600 TS Rookie Topic Starter Posts: 19

    3rd part of GMER

    PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [614A9B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [614A9B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [614AAE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [614A9D87] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [614A9B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [614A9C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [614A9CF2] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2584] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [614A9B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device \Driver\atapi \Device\Ide\IdePort0 prl_strg.sys (Parallels Disk Filter/Parallels Holdings, Ltd. and its affiliates.)
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 prl_strg.sys (Parallels Disk Filter/Parallels Holdings, Ltd. and its affiliates.)
    Device \Driver\atapi \Device\Ide\IdePort1 prl_strg.sys (Parallels Disk Filter/Parallels Holdings, Ltd. and its affiliates.)
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c prl_strg.sys (Parallels Disk Filter/Parallels Holdings, Ltd. and its affiliates.)

    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    About GMER: no problem except extra work for you! You just missed the line that says:
    Let's go ahead and do an Eset online scan and run Combofix:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ================================================
    Download Combofix from HERE or HERE
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  9. pendragon19600

    pendragon19600 TS Rookie Topic Starter Posts: 19

    Combofix run log

    Hello,
    I ran the antivirus online. Nothing was found and no log file was generated.

    Here is the file for the Combofix. Appreciate your help with this

    Chris


    ComboFix 11-03-23.03 - Administrator 23/03/2011 21:21:51.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.615.272 [GMT 0:00]
    Running from: \\psf\Home\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\ntuser.pol
    c:\windows\system\_sv_CMD_
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-21 06:15 . 2011-02-17 06:16 29640 ----a-w- c:\windows\system32\drivers\prl_strg.sys
    2011-03-21 06:15 . 2011-02-17 06:16 15176 ----a-w- c:\windows\system32\drivers\prl_memdev.sys
    2011-03-21 06:15 . 2011-02-17 06:16 45896 ----a-w- c:\windows\system32\drivers\prl_sound.sys
    2011-03-21 06:15 . 2011-02-17 06:16 24008 ----a-w- c:\windows\system32\drivers\prl_tg.sys
    2011-03-21 06:14 . 2011-02-17 06:16 18376 ----a-w- c:\windows\system32\drivers\prl_eth5.sys
    2011-03-21 06:14 . 2011-02-17 06:17 25928 ----a-w- c:\windows\system32\drivers\prl_vamp.sys
    2011-03-21 06:14 . 2011-02-17 06:16 194376 ----a-w- c:\windows\system32\prl_vadd.dll
    2011-03-21 06:14 . 2011-02-17 06:07 187392 ----a-w- c:\windows\system32\prl_gl.dll
    2011-03-21 06:14 . 2011-02-17 06:16 16200 ----a-w- c:\windows\system32\drivers\prl_mouf.sys
    2011-03-21 06:14 . 2011-02-17 06:16 15816 ----a-w- c:\windows\system32\drivers\prl_time.sys
    2011-03-21 06:13 . 2011-02-17 06:16 23880 ----a-w- c:\windows\system32\drivers\prl_pv32.sys
    2011-03-20 21:02 . 2010-10-13 22:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-03-19 15:52 . 2011-03-21 06:06 -------- d-----w- c:\program files\McAfee
    2011-03-18 14:32 . 2011-03-18 14:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-03-18 14:29 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-18 14:28 . 2011-03-18 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-18 14:28 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-18 14:28 . 2011-03-18 14:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-15 06:46 . 2011-03-15 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-03-15 06:46 . 2011-03-15 06:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-03-15 06:44 . 2011-03-18 10:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-17 06:16 . 2011-02-17 06:16 149448 ----a-w- c:\windows\system32\drivers\prl_fs.sys
    2011-02-17 06:16 . 2011-02-17 06:16 38216 ----a-w- c:\windows\system32\drivers\prl_boot.sys
    2011-02-17 06:08 . 2008-12-29 17:52 101376 ----a-w- c:\windows\system32\prl_np.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\PrlToolsShellExt]
    @="{456C7CE2-DAAA-4333-A715-898D4671BBD4}"
    [HKEY_CLASSES_ROOT\CLSID\{456C7CE2-DAAA-4333-A715-898D4671BBD4}]
    2011-02-17 06:16 317256 ----a-w- c:\program files\Parallels\Parallels Tools\ShellExtentions\PrlToolsShellExt.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-10-10 5726032]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-01-17 30192]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "Parallels Shared Internet Applications"="c:\program files\Parallels\Parallels Tools\SIA\SharedIntApp.exe" [2011-02-17 131912]
    "Parallels Tools Center"="c:\program files\Parallels\Parallels Tools\prl_cc.exe" [2011-02-17 201544]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSimpleNetIDList"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    .
    R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [21/03/2011 06:13 23880]
    R0 prl_strg;Parallels paravirt disk filter;c:\windows\system32\drivers\prl_strg.sys [21/03/2011 06:15 29640]
    R0 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [21/03/2011 06:15 24008]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [20/03/2011 21:02 84072]
    R1 prl_boot;prl_boot;c:\windows\system32\drivers\prl_boot.sys [17/02/2011 06:16 38216]
    R1 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [17/02/2011 06:16 149448]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [20/03/2011 21:01 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [20/03/2011 21:02 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [20/03/2011 21:02 141792]
    R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\Parallels\Parallels Tools\Services\coherence.exe [17/02/2011 06:17 28488]
    R2 Parallels Tools Service;Parallels Tools Service;c:\program files\Parallels\Parallels Tools\Services\prl_tools_service.exe [17/02/2011 06:16 186696]
    R2 prl_memdev;Parallels Memdev Driver;c:\windows\system32\drivers\prl_memdev.sys [21/03/2011 06:15 15176]
    R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [21/03/2011 06:14 15816]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [20/03/2011 21:02 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [20/03/2011 21:02 88544]
    R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [01/04/2009 08:48 43640]
    R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [21/03/2011 06:14 18376]
    R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [21/03/2011 06:14 16200]
    R3 prl_sound;Parallels Audio Controller;c:\windows\system32\drivers\prl_sound.sys [21/03/2011 06:15 45896]
    R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [21/03/2011 06:14 25928]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [20/03/2011 21:02 55840]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [17/01/2011 21:32 30192]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [20/03/2011 21:02 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [20/03/2011 21:02 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    DPF: {0DAFD86E-BB02-4687-8478-760E1A3CFE56} - hxxp://passport.hhi.co.kr/setup/ZsSecurePassport.ocx
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-23 21:29
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\Cab5.tmp 29367 bytes
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\Tar6.tmp 82537 bytes
    .
    scan completed successfully
    hidden files: 2
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1324)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    - - - - - - - > 'explorer.exe'(3780)
    c:\program files\Parallels\Parallels Tools\ShellExtentions\PrlToolsShellExt.dll
    c:\windows\System32\prl_np.dll
    c:\program files\Parallels\Parallels Tools\ShellIntHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft ActiveSync\wcescomm.exe
    c:\progra~1\MICROS~3\rapimgr.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Parallels\Parallels Tools\Services\prl_tools.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-23 21:32:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-23 21:32
    .
    Pre-Run: 21,797,150,720 bytes free
    Post-Run: 21,865,652,224 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 607BF9822FD96463AD99F4CEEE73A236
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Chris, do you have any idea what these 2 hidden files are?

    I'd like you to run the following. Hopefully it will show me the location of one suspicious entry:

    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  11. pendragon19600

    pendragon19600 TS Rookie Topic Starter Posts: 19

    HiJackThis Log.

    Bobbye,
    I don't know the details of the hidden files. I will do some further checking.

    Here is the hijack log.

    many thanks

    Chris

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 08:50:16, on 24/03/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe
    C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
    C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
    C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110320210217.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Parallels Shared Internet Applications] "C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe" /start
    O4 - HKLM\..\Run: [Parallels Tools Center] "C:\Program Files\Parallels\Parallels Tools\prl_cc.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0DAFD86E-BB02-4687-8478-760E1A3CFE56} (ZsSecurePassport Control) - http://passport.hhi.co.kr/setup/ZsSecurePassport.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283071187515
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283071169203
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: Parallels Coherence Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
    O23 - Service: Parallels Tools Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe

    --
    End of file - 8765 bytes
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry I couldn't get to you sooner- internet was down-again 2#^*@$)! I tried to work from the email screen.

    FYI: I noted that both of these are running now. Unless you are using them both now, they shouldn't be running; they don't need to start on boot:
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE


    You are currently using HijackThis from a temporary directory, this can cause problems.
    HijackThis creates backups, these are needed in case of any recovery issues.
    Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

    STEPS For Creating Folder

    1. Please go to My Computer, open your C:\ drive, select New >> Folder and name the folder HJT.
    2. Download HijackThis to the new folder.
    3. Double click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.
    4. Close ALL windows except HJT.
    5. SCAN with HJT and SAVE LOG. (A notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')
    6. POST the log in reply using 'Add Reply' (Ctrl-V to 'paste').
    ======================================
    The following is a setup that I cannot identify. Don't double click on it, as that will run and install it. There is a site URL given for the download, in Korea:
    O16 - DPF: {0DAFD86E-BB02-4687-8478-760E1A3CFE56} (ZsSecurePassport Control) - http://passport.hhi.co.kr/setup/ZsSecurePassport.ocx

    Here is site info for Domain Name : hi.co.kr
    Registrant : Hyundai Marine , Fire Insurance Co., Ltd.
    Registrant Address : Hyundai Marine Fire Insurance Co. Bldg. 178 Sejongno Jongno-gu Seoul
    Registrant Zip Code : 110731
    Administrative Contact(AC): Hyundai Marine & Fire Insurance Co., Ltd.

    If this is something you are aware of, you should either go ahead and install it or remove the setup.

    Let me know about this one, please.
     
  13. pendragon19600

    pendragon19600 TS Rookie Topic Starter Posts: 19

    Updated HJT

    Bobbye,

    Here's the updated log and from a separate directory. The HHI file can be removed as I no longer need it.

    regards


    Chris


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 19:46:03, on 28/03/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe
    C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
    C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
    C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\hjt\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110320210217.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Parallels Shared Internet Applications] "C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe" /start
    O4 - HKLM\..\Run: [Parallels Tools Center] "C:\Program Files\Parallels\Parallels Tools\prl_cc.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0DAFD86E-BB02-4687-8478-760E1A3CFE56} (ZsSecurePassport Control) - http://passport.hhi.co.kr/setup/ZsSecurePassport.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283071187515
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283071169203
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: McAfee Application Installer Cleanup (0084981301057806) (0084981301057806mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\008498~1.EXE
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: Parallels Coherence Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
    O23 - Service: Parallels Tools Service - Parallels Holdings, Ltd. and its affiliates. - C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe

    --
    End of file - 8804 bytes
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    DDS::
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . No log needed.
    ====================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O16 - DPF: {0DAFD86E-BB02-4687-8478-760E1A3CFE56} (ZsSecurePassport Control) - http://passport.hhi.co.kr/setup/ZsSecurePassport.ocx


    Close all Windows except HijackThis and click on "Fix Checked"
    ============================================
    Open Tools in IE> Manage Addons> check both 'add-ons currently used' and 'add-ons previously used'> Highlight and disable entry for ZsSecurePassport (or HHI if it appears)> OK> Apply> OK.
    Be sure the Java is current v6u24.
    =============================================
    Be sure Java is current v6u24 (Java Updates). Uninstall all earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
    =============================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any more questions.
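The checks the helper applies by eye in posts 12 and 14 (entries whose file is gone, an O16 ActiveX download from a domain that is not one of the usual vendors, and a service binary living somewhere unexpected) can be automated for a first pass over a HijackThis log. The script below is an added example written for this thread, not code from TechSpot, HijackThis or any tool named here; the sample lines are copied from the logs posted above, while the vendor allowlist and the "temp directory" heuristic are assumptions chosen for illustration, not something the thread states.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines lifted from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O16 - DPF: {0DAFD86E-BB02-4687-8478-760E1A3CFE56} (ZsSecurePassport Control) - http://passport.hhi.co.kr/setup/ZsSecurePassport.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283071187515
O23 - Service: McAfee Application Installer Cleanup (0084981301057806) (0084981301057806mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\008498~1.EXE
"""

# Assumed allowlist of hosts from which O16 ActiveX downloads are expected on this box;
# a real triage would maintain this per environment.
KNOWN_DPF_HOSTS = {
    "update.microsoft.com",
    "download.eset.com",
    "platformdl.adobe.com",
    "java.sun.com",
}

# Every HijackThis entry starts with a section tag (R0..R3, O1..O24), a dash, then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")


def parse_entry(line):
    """Split one log line into (section, body); return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def dpf_host(body):
    """Extract the download host from an O16 DPF body, or None if no URL is present."""
    m = re.search(r"https?://\S+", body, re.IGNORECASE)
    if not m:
        return None
    return urlparse(m.group(0)).hostname


def triage(lines, allowlist=KNOWN_DPF_HOSTS):
    """Return a list of (section, reason, body) for entries worth a human look."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if not parsed:
            continue
        section, body = parsed
        if body.endswith("(no file)"):
            # Registry still references a component whose file is gone: harmless
            # clutter at best, a leftover of a removed add-on at worst.
            findings.append((section, "orphaned entry: registered component has no file on disk", body))
        elif section == "O16":
            host = dpf_host(body)
            if host is None or host.lower() not in allowlist:
                findings.append((section, f"ActiveX download from unlisted host {host}", body))
        elif section == "O23":
            # Last " - " separated field of an O23 line is the service binary path.
            path = body.rsplit(" - ", 1)[-1]
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                # Heuristic assumed for this example: a service whose executable sits
                # in a temp directory deserves a check, even when the vendor is known.
                findings.append((section, "service binary runs from a temp directory", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{section}: {reason}\n    {body}")
```

Running it over the sample prints four findings: the two "(no file)" orphans that the helper asks to "Fix Checked", the ZsSecurePassport control fetched from passport.hhi.co.kr, and the McAfee cleanup service under C:\WINDOWS\TEMP, while the Microsoft update control passes because its host is on the allowlist. The output is a shortlist for a person to review, not a verdict; the thread itself shows why, since the Korean download turned out to be something the user had installed knowingly.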
     
Topic Status:
Not open for further replies.
