Manually removed virus, now Windows Security Center service won't start

By Shnig
Mar 29, 2011
  1. Hey guys/gals,
    I manually removed a recently mutated (exefile rather than pw registry entries) version of the Win 7 Security 2011 virus. Sadly, it was so newly mutated, it seems, that McAfee's didn't pick it up in fully updated full scans, so I had to do it manually. To do this I figured out the processes that were affecting the use of .exe files, killed said processes, deleted the files that were linked to the reg entries, deleted the malicious reg entries themselves and copied a clean library of .exe-related reg entries. Everything is working fine again now and I have the internet back, thankfully. However, since fixing it, the Windows Security Center service won't start. Any suggestions?
    Yours in preemptive thanks,
    Shnig.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I'm not really comfortable with your 'manual removal', and when you start talking .exe files, it bothers me even more!

    You've been around for a while and probably have some idea of what we need: If there is still malware suppressing the Security Center, it needs to be found and removed:

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    Well, let me start by saying it's been a while since I've been around properly, as my life kind of took me away from computing for quite a while, so I'm kind of out of the loop (but I'm back now ;) ). One of the reasons I took this form of action was because I was completely cut off from the internet and lovely sources of info like the guides found on this site. So, sorry if I offended with my renegade approach to virus smashing, but I had zero access to the net. I'll have a look through that later and post ye olde logs. Cheers.
  4. Shnig

    Oh, sorry, I just realised a bit of confusion occurred there: when I mentioned "exefile" in the first line I was referring to the name the virus was hiding behind in reg entries, not .exe files...
  5. Bobbye

    Okay. Just post logs when ready.
  6. Shnig

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6224

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    01/04/2011 00:38:21
    mbam-log-2011-04-01 (00-38-21).txt

    Scan type: Quick scan
    Objects scanned: 159477
    Time elapsed: 6 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  7. Shnig

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-01 01:13:24
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MJA2500BH_G2 rev.0084001C
    Running: tucrhnoo.exe; Driver: C:\Users\Shane\AppData\Local\Temp\ugloypog.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8844F0B8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8844F0E2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8844F0CE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8844F0A4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 82E7E5C5 5 Bytes JMP 8844F0A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    .text ntkrnlpa.exe!ZwSaveKey + 13C1 82E90339 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC9D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text C:\windows\system32\DRIVERS\atipmdag.sys section is writeable [0x8E01B000, 0x2ECEB2, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\windows\system32\services.exe[600] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 004C0FEF
    .text C:\windows\system32\services.exe[600] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 004C000A
    .text C:\windows\system32\services.exe[600] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 004C0FDE
    .text C:\windows\system32\services.exe[600] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 004B00A5
    .text C:\windows\system32\services.exe[600] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 004B0F2B
    .text C:\windows\system32\services.exe[600] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 004B0F50
    .text C:\windows\system32\services.exe[600] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 004B0025
    .text C:\windows\system32\services.exe[600] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 004B0065
    .text C:\windows\system32\services.exe[600] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 004B0F8D
    .text C:\windows\system32\services.exe[600] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 004B0F9E
    .text C:\windows\system32\services.exe[600] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 004B0FDE
    .text C:\windows\system32\services.exe[600] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 004B0FEF
    .text C:\windows\system32\services.exe[600] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 004B00E5
    .text C:\windows\system32\services.exe[600] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 004B00C0
    .text C:\windows\system32\services.exe[600] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 004B0036
    .text C:\windows\system32\services.exe[600] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 004B0FAF
    .text C:\windows\system32\services.exe[600] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 004B0F72
    .text C:\windows\system32\services.exe[600] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 004B0014
    .text C:\windows\system32\services.exe[600] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 004B0F61
    .text C:\windows\system32\services.exe[600] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 004B0080
    .text C:\windows\system32\services.exe[600] msvcrt.dll!_open 75537E48 5 Bytes JMP 00A60000
    .text C:\windows\system32\services.exe[600] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00A60F95
    .text C:\windows\system32\services.exe[600] msvcrt.dll!system 7556B16F 5 Bytes JMP 00A60FB0
    .text C:\windows\system32\services.exe[600] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 00A60FD2
    .text C:\windows\system32\services.exe[600] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 00A60FC1
    .text C:\windows\system32\services.exe[600] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00A60FE3
    .text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00A50FEF
    .text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00A50040
    .text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00A50F94
    .text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00A50FAF
    .text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00A5000A
    .text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00A5005B
    .text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00A50FCA
    .text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00A50025
    .text C:\windows\system32\services.exe[600] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 00A70FEF
    .text C:\windows\system32\lsass.exe[616] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00070000
    .text C:\windows\system32\lsass.exe[616] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00070FD4
    .text C:\windows\system32\lsass.exe[616] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 00070FE5
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 000600B3
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 0006010B
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 000600FA
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 0006002F
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 00060F91
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 00060073
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 00060062
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 0006000A
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 00060FEF
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 0006011C
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 000600CE
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 00060040
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 00060051
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 00060098
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 00060FDE
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 000600DF
    .text C:\windows\system32\lsass.exe[616] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 00060F80
    .text C:\windows\system32\lsass.exe[616] msvcrt.dll!_open 75537E48 5 Bytes JMP 00090FEF
    .text C:\windows\system32\lsass.exe[616] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00090F9C
    .text C:\windows\system32\lsass.exe[616] msvcrt.dll!system 7556B16F 5 Bytes JMP 00090FB7
    .text C:\windows\system32\lsass.exe[616] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 0009000C
    .text C:\windows\system32\lsass.exe[616] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 0009001D
    .text C:\windows\system32\lsass.exe[616] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00090FD2
    .text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00080000
    .text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00080025
    .text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00080F83
    .text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00080F9E
    .text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00080FE5
    .text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00080F72
    .text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00080FC3
    .text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00080FD4
    .text C:\windows\system32\lsass.exe[616] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 006A0FE5
    .text C:\windows\system32\svchost.exe[740] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 0040000A
    .text C:\windows\system32\svchost.exe[740] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 0040002C
    .text C:\windows\system32\svchost.exe[740] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 0040001B
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 003F0F83
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 003F00E2
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 003F0F57
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 003F0036
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 003F0098
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 003F0087
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 003F006C
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 003F0FE5
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 003F0000
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 003F0F32
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 003F0F68
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 003F0FCA
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 003F0051
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 003F0F94
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 003F001B
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 003F00D1
    .text C:\windows\system32\svchost.exe[740] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 003F0FAF
    .text C:\windows\system32\svchost.exe[740] msvcrt.dll!_open 75537E48 5 Bytes JMP 00420FEF
    .text C:\windows\system32\svchost.exe[740] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00420040
    .text C:\windows\system32\svchost.exe[740] msvcrt.dll!system 7556B16F 5 Bytes JMP 00420025
    .text C:\windows\system32\svchost.exe[740] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 0042000A
    .text C:\windows\system32\svchost.exe[740] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 00420FB5
    .text C:\windows\system32\svchost.exe[740] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00420FD2
    .text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00410000
    .text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00410047
    .text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00410FA5
    .text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00410FC0
    .text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00410FE5
    .text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00410F94
    .text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00410036
    .text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00410025
    .text C:\windows\system32\svchost.exe[740] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 00430FEF
    .text C:\windows\system32\svchost.exe[812] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 001D0FEF
    .text C:\windows\system32\svchost.exe[812] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 001D0FCA
    .text C:\windows\system32\svchost.exe[812] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 001D0000
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 00180F46
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 00180EE4
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 00180EFF
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 00180FAF
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 00180F79
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 00180051
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 00180F94
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 00180FE5
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 00180000
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 00180ED3
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 00180F2B
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 0018001B
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 00180036
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 00180F57
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 00180FCA
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 00180F10
    .text C:\windows\system32\svchost.exe[812] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 00180F68
    .text C:\windows\system32\svchost.exe[812] msvcrt.dll!_open 75537E48 5 Bytes JMP 002B0FE3
    .text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 002B0F7F
    .text C:\windows\system32\svchost.exe[812] msvcrt.dll!system 7556B16F 5 Bytes JMP 002B0FA4
    .text C:\windows\system32\svchost.exe[812] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 002B000A
    .text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 002B0FB5
    .text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wopen 75570570 5 Bytes JMP 002B0FC6
    .text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 001E0FEF
    .text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 001E0025
    .text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 001E0047
    .text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 001E0036
    .text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 001E000A
    .text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 001E0F8A
    .text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 001E0FC3
    .text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 001E0FD4
    .text C:\windows\system32\svchost.exe[812] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 002C0FEF
    .text C:\windows\System32\svchost.exe[972] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00A00FEF
    .text C:\windows\System32\svchost.exe[972] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00A00000
    .text C:\windows\System32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 00A00FCA
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 009F009E
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 009F00C3
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 009F0F2E
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 009F001B
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 009F0F97
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 009F0FA8
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 009F0FB9
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 009F0FCA
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 009F0FE5
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 009F0F1D
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 009F0F64
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 009F0036
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 009F0051
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 009F0F75
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 009F000A
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 009F0F49
    .text C:\windows\System32\svchost.exe[972] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 009F0F86
    .text C:\windows\System32\svchost.exe[972] msvcrt.dll!_open 75537E48 5 Bytes JMP 00A20FE3
    .text C:\windows\System32\svchost.exe[972] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00A20FA4
    .text C:\windows\System32\svchost.exe[972] msvcrt.dll!system 7556B16F 5 Bytes JMP 00A2002F
    .text C:\windows\System32\svchost.exe[972] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 00A20FC6
    .text C:\windows\System32\svchost.exe[972] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 00A20FB5
    .text C:\windows\System32\svchost.exe[972] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00A20000
    .text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00A10FE5
    .text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00A10FC3
    .text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00A10054
    .text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00A10FB2
    .text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00A10000
    .text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00A1006F
    .text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00A10FD4
    .text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00A1001B
    .text C:\windows\System32\svchost.exe[972] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 00E4000A
    .text C:\windows\System32\svchost.exe[1004] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00990000
    .text C:\windows\System32\svchost.exe[1004] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00990FD4
    .text C:\windows\System32\svchost.exe[1004] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 00990FEF
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 00980F46
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 009800D1
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 009800C0
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 0098002F
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 00980F7C
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 00980F97
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 00980FA8
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 00980FDE
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 00980FEF
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 009800E2
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 00980094
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 00980040
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 00980FB9
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 0098006F
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 00980014
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 009800A5
    .text C:\windows\System32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 00980F61
    .text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_open 75537E48 5 Bytes JMP 00A30000
    .text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00A30FB2
    .text C:\windows\System32\svchost.exe[1004] msvcrt.dll!system 7556B16F 5 Bytes JMP 00A3003D
    .text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 00A30FD7
    .text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 00A3002C
    .text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00A30011
    .text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00A20FE5
    .text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00A20FC3
    .text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00A20FA1
    .text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00A20FB2
    .text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00A20000
    .text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00A2005E
    .text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00A2002F
    .text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00A20FD4
    .text C:\windows\System32\svchost.exe[1004] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 00A40FEF
    .text C:\windows\system32\svchost.exe[1044] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00A80FEF
    .text C:\windows\system32\svchost.exe[1044] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00A8001B
    .text C:\windows\system32\svchost.exe[1044] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 00A8000A
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 009F00CE
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 009F0F65
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 009F00FA
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 009F0047
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 009F0FAF
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 009F0087
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 009F006C
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 009F0025
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 009F000A
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 009F0F4A
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 009F00DF
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 009F0FDB
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 009F0FCA
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 009F00BD
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 009F0036
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 009F0F80
    .text C:\windows\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 009F00A2
    .text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_open 75537E48 5 Bytes JMP 010B0000
    .text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 010B0FD9
    .text C:\windows\system32\svchost.exe[1044] msvcrt.dll!system 7556B16F 5 Bytes JMP 010B0064
    .text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 010B002E
    .text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 010B003F
    .text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_wopen 75570570 5 Bytes JMP 010B001D
    .text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00F60000
    .text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00F60036
    .text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00F6005B
    .text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00F60FB9
    .text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00F60FEF
  8. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175


    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\windows\system32\mfevtps.exe[1916] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00A577A0] C:\windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\windows\system32\rundll32.exe[1976] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E9FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\windows\system32\rundll32.exe[1976] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E9FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\windows\system32\rundll32.exe[1976] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E9FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\windows\system32\rundll32.exe[1976] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E9FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    Device Sftfslh.sys (Microsoft Application Virtualization File System/Microsoft Corporation)
    Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device Fs_Rec.sys (File System Recognizer Driver/Microsoft Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:516] 89F8DE22
    Thread System [4:732] 8E60F82C
    Thread System [4:736] 8E6B9B58

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313bedb53
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313bedb53@0025e7aca9f6 0xC2 0x85 0x27 0x2A ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313bedb53 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313bedb53@0025e7aca9f6 0xC2 0x85 0x27 0x2A ...

    ---- EOF - GMER 1.0.15 ----
  9. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    [edited to delete accidental duplicate of post #8]
  10. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Shane at 1:21:31.40 on 01/04/2011
    Internet Explorer: 9.0.8112.16421
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.353.1033.18.1788.815 [GMT 13:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\system32\atiesrxx.exe
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\WLANExt.exe
    C:\windows\system32\conhost.exe
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
    C:\windows\system32\atieclxx.exe
    C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\windows\system32\mfevtps.exe
    C:\windows\system32\rundll32.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\windows\system32\svchost.exe -k bthsvcs
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\windows\system32\Dwm.exe
    C:\windows\system32\taskhost.exe
    C:\windows\Explorer.EXE
    C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe
    C:\Program Files\Lenovo\YouCam\YouCamTray.exe
    C:\Program Files\Lenovo\Energy Management\utility.exe
    C:\Program Files\Lenovo\Energy Management\Energy Management.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
    C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\windows\system32\conhost.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
    C:\Program Files\Common Files\McAfee\Core\mchost.exe
    C:\windows\explorer.exe
    C:\windows\system32\DllHost.exe
    C:\windows\system32\DllHost.exe
    C:\Users\Shane\Downloads\dds.scr
    C:\windows\system32\conhost.exe
    C:\windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.bbc.co.uk/
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110208114341.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [cAudioFilterAgent] c:\program files\conexant\caudiofilteragent\cAudioFilterAgent.exe
    mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [VeriFaceManager] c:\program files\lenovo\veriface\PManage.exe
    mRun: [UCam_Menu] "c:\program files\lenovo\youcam\muitransfer\muistartmenu.exe" "c:\program files\lenovo\youcam" updatewithcreateonce "software\cyberlink\youcam\3.0"
    mRun: [YouCam Mirror Tray icon] "c:\program files\lenovo\youcam\YouCamTray.exe" /s
    mRun: [UpdateP2GShortCut] "c:\program files\lenovo\power2go\muitransfer\muistartmenu.exe" "c:\program files\lenovo\power2go" updatewithcreateonce "software\cyberlink\power2go\5.0"
    mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
    mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRunOnce: [WLStart] "c:\program files\windows live\installer\wlstart.exe" /nosearch /nohomepage
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\lenovo\bluetooth software\BTTray.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
    IE: Free YouTube to MP3 Converter - c:\users\shane\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: Send image to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\shane\appdata\roaming\mozilla\firefox\profiles\jnxb92om.default\
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-14 386840]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-2-8 64304]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-2-8 164840]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-1-5 172032]
    R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-1-5 284672]
    R2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ati technologies\ati.ace\reservation manager\AMD Reservation Manager.exe [2010-6-17 140224]
    R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-8 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-8 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-8 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-8 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-8 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-8 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-8 141792]
    R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
    R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2010-1-20 23136]
    R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-2-8 37944]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-5-20 5340160]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-5-20 152064]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-8 55840]
    R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-5-20 58368]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-8 152960]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-8 313288]
    R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-4-24 550760]
    R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-4-24 195944]
    R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-4-24 21864]
    R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-4-24 19304]
    R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
    R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-5-20 30392]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-5-20 29472]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-2-11 39272]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
    S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-14 229888]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-8 52104]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-8 84264]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-10 4640000]
    S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2011-3-21 20080]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-5-20 191008]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-1 52224]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-8 1343400]
    S3 wdmirror;wdmirror;c:\windows\system32\drivers\WDMirror.sys [2010-5-20 11792]
    S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-22 81704]
    S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-23 51040]
    .
    =============== Created Last 30 ================
    .
    2011-03-31 10:59:35 -------- d-----w- c:\users\shane\appdata\roaming\Malwarebytes
    2011-03-31 10:59:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-31 10:59:29 -------- d-----w- c:\progra~2\Malwarebytes
    2011-03-31 10:59:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-31 10:59:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-28 01:04:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-03-28 01:04:44 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-03-28 01:04:43 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-03-28 01:04:43 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
    2011-03-28 01:04:43 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
    2011-03-28 01:04:43 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-03-28 01:04:43 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-03-28 01:04:43 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-03-27 10:40:51 -------- d-----w- c:\users\shane\appdata\local\Thunderbird
    2011-03-27 08:38:40 398336 ----a-w- c:\windows\regedit(1).com
    2011-03-27 02:30:44 -------- d-----w- c:\program files\Spyware Doctor
    2011-03-21 08:46:15 -------- d-----w- c:\users\shane\appdata\local\Shareaza
    2011-03-21 08:45:22 -------- d-----w- c:\users\shane\appdata\roaming\Shareaza
    2011-03-21 08:45:11 -------- d-----w- c:\program files\Shareaza
    2011-03-21 06:22:46 -------- d-----w- c:\program files\PeerBlock
    2011-03-10 02:27:32 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-10 02:27:32 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-10 02:27:31 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-03-10 02:27:26 850944 ----a-w- c:\windows\system32\sbe.dll
    2011-03-10 02:27:26 642048 ----a-w- c:\windows\system32\CPFilters.dll
    2011-03-10 02:27:26 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-10 02:27:25 199680 ----a-w- c:\windows\system32\mpg2splt.ax
    .
    ==================== Find3M ====================
    .
    2011-03-01 07:38:40 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-02-09 01:51:13 1462392 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2011-02-09 01:51:13 115904 ----a-w- c:\windows\system32\Vxdif.dll
    2011-02-09 01:47:00 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
    2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-17 05:47:13 161792 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-07 07:46:34 870912 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-07 07:46:34 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-07 07:45:57 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-07 05:43:36 294400 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-05 03:51:01 2330624 ----a-w- c:\windows\system32\win32k.sys
    2011-01-05 02:55:50 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2011-01-05 02:32:34 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
    .
    ============= FINISH: 1:22:01.66 ===============
  11. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 08/02/2011 09:25:10
    System Uptime: 31/03/2011 21:18:44 (4 hours ago)
    .
    Motherboard: LENOVO | | Bali
    Processor: AMD Athlon(tm) II Dual-Core M320 | Socket S1G3 | 2100/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 422 GiB total, 322.703 GiB free.
    D: is FIXED (NTFS) - 29 GiB total, 28.129 GiB free.
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP16: 01/03/2011 20:32:08 - Windows 7 Service Pack 1
    RP17: 01/03/2011 21:39:51 - Windows Update
    RP18: 10/03/2011 16:08:44 - Windows Update
    RP19: 18/03/2011 16:45:27 - Scheduled Checkpoint
    RP20: 24/03/2011 13:36:30 - Windows Update
    RP21: 28/03/2011 13:49:19 - Windows Modules Installer
    RP22: 31/03/2011 16:05:25 - Windows Update
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.0.1
    ALPS Touch Pad Driver
    AMD Fuel
    AMD USB Filter Driver
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    ATI AVIVO Codecs
    ATI Catalyst Install Manager
    ATI Stream SDK v2 Developer
    Broadcom 802.11 Wireless Driver
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    ccc-utility
    CCC Help English
    Conexant HD Audio
    CyberLink YouCam
    D3DX10
    Energy Management
    Free Audio CD Burner version 1.4.7
    Free YouTube to MP3 Converter version 3.9.35.324
    Junk Mail filter update
    Lenovo Bluetooth with Enhanced Data Rate Software
    Lenovo DirectShare
    Lenovo EasyCamera
    Lenovo OneKey Recovery
    Malwarebytes' Anti-Malware
    McAfee AntiVirus Plus
    Mesh Runtime
    Messenger Companion
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Starter 2010 - English
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mozilla Firefox 4.0 (x86 en-GB)
    Mozilla Thunderbird (3.1.9)
    MSVCRT
    PeerBlock 1.1 (r518)
    Power2Go
    Realtek USB 2.0 Card Reader
    Shareaza 2.5.4.0
    StarCraft II
    Uninstall 1.0.0.1
    Windows Driver Package - Broadcom Bluetooth (06/15/2009 6.2.0.9000)
    Windows Driver Package - Broadcom Bluetooth (07/30/2009 6.2.0.9405)
    Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WMV9/VC-1 Video Playback
    WorldUnlock Codes Calculator
    .
    ==== Event Viewer Messages From Past Week ========
    .
    31/03/2011 17:15:06, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} and APPID {8BC3F05E-D86B-11D0-A075-00C04FB68820} to the user Shane-PC\Guest SID (S-1-5-21-3934910652-234392554-2896648687-501) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    30/03/2011 14:36:43, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
    27/03/2011 20:47:00, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    27/03/2011 20:47:00, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running.
    27/03/2011 20:47:00, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error: An instance of the service is already running.
    27/03/2011 20:47:00, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the IKE and AuthIP IPsec Keying Modules service, but this action failed with the following error: An instance of the service is already running.
    27/03/2011 20:45:59, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error: An instance of the service is already running.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    27/03/2011 20:44:59, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    27/03/2011 20:35:12, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:24:33, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    27/03/2011 20:24:33, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    27/03/2011 20:21:51, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    27/03/2011 20:21:33, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    27/03/2011 20:21:33, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    27/03/2011 20:21:32, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    27/03/2011 20:21:32, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    27/03/2011 20:21:31, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    27/03/2011 20:21:26, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    27/03/2011 20:21:10, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache mfehidk mfenlfk mfewfpk NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the Windows Firewall service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    27/03/2011 20:21:10, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
    27/03/2011 14:12:09, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    26/03/2011 00:25:01, Error: Microsoft-Windows-Application-Experience [205] - The Program Compatibility Assistant service failed to perform the phase two initialization.
    01/04/2011 01:22:01, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
    .
    ==== End Of File ===========================
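    The Service Control Manager entries above are the part of this log worth reading closely: most of the 7001 events are cascades ("The dependency service or group failed to start") from a handful of drivers that genuinely failed to load (event 7026, plus the 7001 events whose reason is "A device attached to the system is not functioning"). The script below is an added example, not something from this thread or from the log tool, that separates the two so a helper can see which drivers sit at the bottom of the failure tree. The sample lines are constructed from the events in the log above, shortened to a few; the function and variable names are the example's own.

```python
"""Root-cause failed Windows services from Service Control Manager event lines.

Added example (not from the thread): parses lines in the shape the log above
uses and separates services that failed on their own from those that only
failed because a dependency did.
"""
import re

# Constructed sample, copied in shape from the log above and shortened.
SAMPLE_LOG = """\
27/03/2011 20:21:10, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache mfehidk NetBT nsiproxy tdx
27/03/2011 20:21:10, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
27/03/2011 20:21:10, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
27/03/2011 20:21:10, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
27/03/2011 20:21:10, Error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
27/03/2011 20:21:10, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
27/03/2011 14:12:09, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>[\d/]+ [\d:]+), Error: Service Control Manager \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
# Event 7001 message: "The X service depends on the Y service which failed ... error: <reason>"
DEP_RE = re.compile(
    r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start "
    r"because of the following error: (?P<err>.+)$"
)
# This reason means the service itself was fine; only something under it failed.
CASCADE_ERR = "The dependency service or group failed to start."


def parse_scm_events(text):
    """Return (drivers_failed_to_load, edges).

    drivers_failed_to_load: names listed by event 7026.
    edges: service -> (dependency it needed, error reported for that dependency).
    """
    drivers = []
    edges = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        eid, msg = m.group("id"), m.group("msg")
        if eid == "7026":
            _, _, names = msg.partition("failed to load: ")
            drivers.extend(names.split())
        elif eid == "7001":
            d = DEP_RE.match(msg)
            if d:
                edges[d.group("svc")] = (d.group("dep"), d.group("err"))
    return drivers, edges


def root_causes(edges):
    """Dependencies that failed for a non-cascade reason: the lowest failing layer."""
    return sorted({dep for dep, err in edges.values() if err != CASCADE_ERR})


def failure_chain(edges, service):
    """Walk from `service` down its dependency chain to the first real failure."""
    chain = [service]
    while service in edges:
        dep, err = edges[service]
        chain.append(dep)
        if err != CASCADE_ERR:
            break
        service = dep
    return chain


if __name__ == "__main__":
    drivers, edges = parse_scm_events(SAMPLE_LOG)
    print("drivers that failed to load:", ", ".join(drivers))
    print("root-cause dependencies:", root_causes(edges))
    for svc in edges:
        print(" -> ".join(failure_chain(edges, svc)))
```

    Run against the full log, the chains collapse the twenty-odd 7001 lines into three things to investigate: the Winsock/NSI driver stack (AFD, nsiproxy, tdx) and the McAfee mfehidk driver, which is consistent with the network and McAfee services in this thread failing together.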
  12. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    Right, well, there are all the logs. Sorry about the delay but I'm travelling at the mo and the connection in the place I'm in at the moment is woeful. Thanks for the help!
  13. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    I'm thinking that I'm after wiping out the virus but that it had edited the reg entries relating to the Windows security stuff and all I need now is to reload the relevant clean entries. Won't do anything until you say it but that's what I'm thinking...
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    No problem. We had such bad weather yesterday, I couldn't do much.

    Suggest you review this thread from McAfee Forum: https://community.mcafee.com/thread/30466

    When you talk about "mutating so fast" it sounds more like one of the file infectors like Virut or Ramnit. I don't send anyone in to the Registry to Edit. I'd like to do 2 more scans:

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ====================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  15. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    ComboFix 11-04-01.01 - Shane 03/04/2011 19:59:50.1.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.353.1033.18.1788.1045 [GMT 12:00]
    Running from: c:\users\Shane\Downloads\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\s.bat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-31 14:23 . 2011-03-31 14:28 -------- d-----w- c:\users\Shane\AppData\Roaming\vlc
    2011-03-31 14:19 . 2011-03-31 14:19 -------- d-----w- c:\program files\VideoLAN
    2011-03-31 10:59 . 2011-03-31 10:59 -------- d-----w- c:\users\Shane\AppData\Roaming\Malwarebytes
    2011-03-31 10:59 . 2010-12-20 05:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-31 10:59 . 2011-03-31 10:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-31 10:59 . 2010-12-20 05:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-31 10:59 . 2011-03-31 10:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-30 22:00 . 2011-03-30 22:00 -------- d-----w- c:\programdata\Microsoft Help
    2011-03-30 22:00 . 2011-03-30 22:00 -------- d-----w- c:\users\Guest\AppData\Local\Microsoft Help
    2011-03-30 21:53 . 2011-03-31 03:05 -------- d-----w- c:\users\Guest\AppData\Roaming\SoftGrid Client
    2011-03-30 21:53 . 2011-03-30 21:53 -------- d-----w- c:\users\Guest\AppData\Local\SoftGrid Client
    2011-03-29 07:28 . 2011-03-29 07:28 -------- d-----w- c:\users\Guest\AppData\Roaming\CyberLink
    2011-03-29 07:28 . 2011-03-29 07:28 -------- d-----w- c:\users\Public\CyberLink
    2011-03-28 01:04 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-03-28 01:04 . 2011-03-18 17:57 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-03-28 01:04 . 2011-03-18 17:57 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-03-28 01:04 . 2011-03-18 17:57 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
    2011-03-28 01:04 . 2011-03-18 17:57 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
    2011-03-28 01:04 . 2011-03-18 17:57 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-03-28 01:04 . 2011-03-18 17:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-03-28 01:04 . 2011-03-18 17:57 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-03-27 10:40 . 2011-03-27 10:41 -------- d-----w- c:\users\Shane\AppData\Roaming\Thunderbird
    2011-03-27 10:40 . 2011-03-27 10:41 -------- d-----w- c:\users\Shane\AppData\Local\Thunderbird
    2011-03-27 10:40 . 2011-03-27 10:40 -------- d-----w- c:\program files\Mozilla Thunderbird
    2011-03-27 08:38 . 2009-07-14 01:14 398336 ----a-w- c:\windows\regedit(1).com
    2011-03-27 02:30 . 2011-03-27 23:59 -------- d-----w- c:\program files\Spyware Doctor
    2011-03-21 08:46 . 2011-03-21 08:46 -------- d-----w- c:\users\Shane\AppData\Local\Shareaza
    2011-03-21 08:45 . 2011-03-21 08:46 -------- d-----w- c:\users\Shane\AppData\Roaming\Shareaza
    2011-03-21 08:45 . 2011-03-21 08:45 -------- d-----w- c:\program files\Shareaza
    2011-03-21 06:22 . 2011-03-27 07:18 -------- d-----w- c:\program files\PeerBlock
    2011-03-10 02:27 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-10 02:27 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-10 02:27 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-03-10 02:27 . 2010-12-23 05:54 850944 ----a-w- c:\windows\system32\sbe.dll
    2011-03-10 02:27 . 2010-12-23 05:54 642048 ----a-w- c:\windows\system32\CPFilters.dll
    2011-03-10 02:27 . 2010-12-23 05:54 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-10 02:27 . 2010-12-23 05:50 199680 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-07 01:56 . 2011-03-07 01:56 -------- d-----w- c:\users\Guest\AppData\Local\Adobe
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-23 21:50 . 2010-06-24 11:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-01 07:38 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-02-09 01:51 . 2010-04-13 14:06 1462392 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2011-02-09 01:51 . 2010-04-13 14:06 115904 ----a-w- c:\windows\system32\Vxdif.dll
    2011-02-09 01:51 . 2010-04-13 14:16 252536 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
    2011-02-09 01:47 . 2008-06-25 17:52 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
    2011-02-03 05:54 . 2011-02-09 01:36 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2011-02-02 17:11 . 2011-02-08 01:48 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-02 17:10 . 2011-02-08 01:48 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4ACE64A0-89CD-486E-B17B-705449EE9F9B}\mpengine.dll
    2011-01-17 05:47 . 2011-03-01 08:32 161792 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-07 07:46 . 2011-03-01 06:25 870912 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-07 07:46 . 2011-03-01 06:25 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-07 07:45 . 2011-02-09 01:36 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-07 05:43 . 2011-02-09 01:36 294400 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-05 03:51 . 2011-02-09 01:36 2330624 ----a-w- c:\windows\system32\win32k.sys
    2011-01-05 02:55 . 2011-01-05 02:55 278528 ----a-w- c:\windows\system32\Oemdspif.dll
    2011-01-05 02:32 . 2011-01-05 02:32 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
    2011-03-18 17:57 . 2011-03-28 01:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2010-10-13 22:28 . 2011-02-08 11:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-06 1866864]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2010-03-10 496184]
    "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-12-03 35184]
    "UCam_Menu"="c:\program files\Lenovo\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
    "YouCam Mirror Tray icon"="c:\program files\Lenovo\YouCam\YouCamTray.exe" [2009-12-22 167008]
    "UpdateP2GShortCut"="c:\program files\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-12-17 4114368]
    "Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-12-17 6223808]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-04 336384]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-22 1193848]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2011-02-09 248440]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "WLStart"="c:\program files\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-9-5 795936]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-06 20080]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-03-24 191008]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-07 1343400]
    R3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-07-16 11792]
    R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 81704]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-03 172032]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-04 284672]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 140224]
    S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-13 141792]
    S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
    S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2010-01-20 23136]
    S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [2010-02-18 37944]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-03 5340160]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-03 152064]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2009-11-13 58368]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 550760]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 195944]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 21864]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 19304]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 30392]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bbc.co.uk/
    IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
    IE: Free YouTube to MP3 Converter - c:\users\Shane\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\users\Shane\AppData\Roaming\Mozilla\Firefox\Profiles\jnxb92om.default\
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKLM-Run-VeriFaceManager - c:\program files\Lenovo\VeriFace\PManage.exe
    AddRemove-WorldUnlock Codes Calculator - c:\program files\WorldUnlock Codes Calculator\uninst.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3934910652-234392554-2896648687-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (S-1-5-21-3934910652-234392554-2896648687-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="ThunderbirdEML"
    .
    [HKEY_USERS\S-1-5-21-3934910652-234392554-2896648687-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-04-03 20:13:19
    ComboFix-quarantined-files.txt 2011-04-03 08:13
    .
    Pre-Run: 345,728,761,856 bytes free
    Post-Run: 345,632,514,048 bytes free
    .
    - - End Of File - - 5EF45FDADB07BBB22A88FDD4363CAF67
  16. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    Can't get that online scan to run. It gets to about 50-60% of the signatures downloaded then returns an error every time. Think it's something to do with this rubbish connection here. It's as bad as my old 36k modem...
  17. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=12
    esets_scanner_update returned -1 esets_gle=12
  18. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    Was all that was in log when it finally ran. The text displayed said no threats found anyway. There was no option to copy to clipboard...
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I tried to find a screenshot for you. But it appears that either 1. if no threats are found or 2. threats are removed, the clipboard option is not given. But we don't have entries removed so there should be the option if there are any threats.

    Do you know what this is? 2009-07-14 01:14 398336>>>c:\windows\regedit(1).com
    I found PCTools The Registry Guide for Windows®, formerly RegEdit.com, but your entry isn't valid.
    =====================================
    The security was all running when you ran Combofix. This can affect the scan:
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated
    FW: McAfee Firewall *Enabled*
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated*
    ======================================
    Be advised: Count on adware and possibly spyware from this program:
    2011-03-31 14:19 > c:\program files\VideoLAN
    This was installed right before you began reporting problems.
    ======================================
    Have you made an attempt to restart the Security Center? Did it start? Was it still running after a reboot?
  20. Shnig

    Shnig TechSpot Enthusiast Topic Starter Posts: 175

    I do indeed. I created that file to get into regedit because the virus did not allow me to open exe files.

    I actually disabled the real-time scanning and the firewall before running combo fix but it was still telling me they were running so I killed the processes for McAfee. It still gave the warning that it was on but I ran it anyway.

    VideoLan is also known as VLC. It is a clean program. Been using it for years. Besides I installed that after the problems started and I know the exact file that I opened that contained the virus (Was expecting a package delivery and stupidly opened an itinery.pdf file in an email from "upc". The kind of email you would delete straight away if you weren't expecting a package...)

    Just checked it there again. It's running now but A. it's not recognising that any of the McAfee stuff is running, i.e. it's saying there is no firewall or AV running but I know there is, and B. it's not displaying the errors in the task-bar any longer...
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    About the Regedit: You created that to handle a problem in 2009. If you get a malware infection that prevents the executables from running, you need to deal with that, not create a Registry shortcut. Recommend that you delete this.

    I need to check some Registry entries. Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    RegLock::
    [HKEY_USERS\S-1-5-21-3934910652-234392554-2896648687-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    [HKEY_USERS\S-1-5-21-3934910652-234392554-2896648687-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Is the Security Center still running okay? One of the locked Registry entries I'm checking is:
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)


    I have not been able to identify this entry.
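    The RegLock:: list in this post is built by hand from the "LOCKED REGISTRY KEYS" section of the ComboFix log in post 15, and the same log's "Reg Loading Points" section holds the policy value "HideSCAHealth"= 1, which hides the Security Center/Action Center tray icon and fits the poster's report that the errors no longer show in the task bar. The script below is an added example, not from this thread or from ComboFix, that reads both sections of such a log, flags policy values set to the state that suppresses security UI, and renders the locked keys in the RegLock:: form used above. The log excerpt in the block is constructed from the post 15 log with the same key names; HideSCAHealth is from the log, while the EnableLUA entry is a real policy value added here for illustration and not something on this page.

```python
"""Pull security-relevant registry findings out of a ComboFix log.

Added example (not from the thread or from ComboFix). Reads the REGEDIT4-style
"Reg Loading Points" and "LOCKED REGISTRY KEYS" sections, flags policy values
that suppress Security Center UI, and lists keys carrying an access-denied ACE.
"""
import re

# Constructed excerpt in the shape of the log in post 15 (same key names).
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3934910652-234392554-2896648687-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ThunderbirdEML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-03 20:13:19
"""

# (tail of the key path, value name) -> the value that suppresses security UI.
# HideSCAHealth=1 hides the Security Center/Action Center icon (it is in the log
# above); EnableLUA=0 turns UAC off and is added here only for illustration.
SUSPICIOUS_POLICIES = {
    ("policies\\explorer", "HideSCAHealth"): 1,
    ("policies\\system", "EnableLUA"): 0,
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# e.g.  "HideSCAHealth"= 1 (0x1)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>-?\d+)')


def parse_combofix_registry(text):
    """Return (policy_values, locked_keys).

    policy_values: [(key, name, int value)] from Reg Loading Points
    locked_keys:   [(key, [denied lines])] from LOCKED REGISTRY KEYS
    """
    section, key = None, None
    policy_values, locked = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            section, key = "loading", None
            continue
        if "LOCKED REGISTRY KEYS" in line:
            section, key = "locked", None
            continue
        if line.startswith("Completion time"):
            break
        if section is None:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        if section == "loading":
            v = VALUE_RE.match(line)
            if v:
                policy_values.append((key, v.group("name"), int(v.group("val"))))
        elif section == "locked" and line.startswith("@Denied:"):
            locked.setdefault(key, []).append(line)
    return policy_values, list(locked.items())


def suspicious_policies(policy_values):
    """Policy values set to the state that hides or disables security UI."""
    hits = []
    for key, name, val in policy_values:
        for (key_tail, pname), bad in SUSPICIOUS_POLICIES.items():
            if key.lower().endswith(key_tail) and name == pname and val == bad:
                hits.append((key, name, val))
    return hits


def reglock_script(locked_keys):
    """Render the locked keys as the RegLock:: block of a ComboFix CFScript."""
    return "RegLock::\n" + "\n".join(f"[{k}]" for k, _ in locked_keys) + "\n"


if __name__ == "__main__":
    values, locked_keys = parse_combofix_registry(SAMPLE_COMBOFIX)
    print("suspicious policy values:", suspicious_policies(values))
    print(reglock_script(locked_keys))
```

    The locked-key list is only a starting point: as the log shows, legitimate software (the Flash broker CLSID, the Thunderbird file association) also sets deny ACEs on its keys, so each entry still has to be judged by what owns it, which is exactly the question raised about the PCW\Security key above.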
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32
