Inactive Backdoor.bot will not go away!

McAfee does not find it but MBAM does and Spybot does. Both programs will remove it but it always comes back once I restart the computer. I have even tried in safe mode. Here are the required logs, hope I didn't forget anything. Could someone please take a look for me? Thanks!

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7694

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19088

9/12/2011 09:07:02 PM
mbam-log-2011-09-12 (21-07-02).txt

Scan type: Quick scan
Objects scanned: 240965
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
c:\Windows\system\svchost.exe (Backdoor.Bot) -> 4428 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\system\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_21
Run by Family at 20:11:05 on 2011-09-12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3325.1817 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\java.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k termlfsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Windows\diskperfm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Windows\system32\taskeng.exe
C:\Users\Family\Desktop\Scanners\gmer.exe
C:\Windows\system\svchost.exe -k NetworkService
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110621044448.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [MemoryTriUtils] c:\windows\diskperfm.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{85F265C6-2F78-422F-BF1C-9D481E980FD1} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{EF51299E-9794-4ACC-ADAD-F679B68B1152} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{F6422208-BDC8-4E91-8A42-02DC8310A15B} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\family\appdata\roaming\mozilla\firefox\profiles\3tn0abw9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZJxdm035U8us&ptb=FOtrFlRDXdA01XSwmP2Gog&ind=2011082700&ptnrS=ZJxdm035U8us&si=51633&n=77deafcc&psa=&st=kwd&searchfor=
FF - component: c:\program files\firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\users\family\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\family\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\family\appdata\roaming\mozilla\firefox\profiles\3tn0abw9.default\extensions\{000f1ea4-5e08-4564-a29b-29076f63a37a}\plugins\npsoe.dll
FF - plugin: c:\users\family\appdata\roaming\mozilla\firefox\profiles\3tn0abw9.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: SOE Web Installer: {000F1EA4-5E08-4564-A29B-29076F63A37A} - %profile%\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\family\appdata\roaming\Move Networks
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 459728]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-14 64648]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-14 163400]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-8-14 54776]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-5-17 308592]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-14 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-14 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-14 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-14 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-14 165000]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-14 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-14 148520]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
R2 TermServices;Remote Desktop Service;c:\windows\system32\svchost.exe -k termlfsvc [2008-1-20 21504]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-14 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-5 179248]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-14 337912]
R3 OA002Afx;Provides a software interface to control audio effects of OA002 camera.;c:\windows\system32\drivers\OA002Afx.sys [2007-6-8 148056]
R3 OA002Ufd;Creative Camera OA002 Upper Filter Driver;c:\windows\system32\drivers\OA002Ufd.sys [2008-6-3 144672]
R3 OA002Vid;Creative Camera OA002 Function Driver;c:\windows\system32\drivers\OA002Vid.sys [2008-7-31 268672]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2009-1-12 31616]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-22 41272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-25 136176]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\ae1000va.sys [2010-7-31 836384]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-3-21 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-3-21 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-25 136176]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-5 59288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-14 85984]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-5 40552]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-12 23:41:15 7680 ----a-w- c:\windows\system\svchost.exe
2011-09-12 22:57:33 -------- d-----w- c:\users\family\appdata\local\temp
2011-09-12 22:45:49 -------- d-----w- C:\$RECYCLE.BIN
2011-09-12 22:29:47 -------- d-----w- C:\ComboFix
2011-09-12 21:31:45 -------- d-----w- c:\users\family\appdata\local\Adobe
2011-09-11 05:05:39 -------- d-----w- c:\program files\CCleaner
2011-09-11 02:39:19 691 ----a-w- c:\users\family\appdata\roaming\GetValue.vbs
2011-09-11 02:39:19 35 ----a-w- c:\users\family\appdata\roaming\SetValue.bat
2011-08-30 00:43:07 218624 ----a-w- c:\windows\system32\tercdw32.dll
2011-08-29 22:47:46 -------- d-----w- c:\program files\RegSupreme Pro
2011-08-27 21:22:29 -------- d--h--w- c:\programdata\Common Files
2011-08-27 21:17:58 -------- d-----w- c:\program files\AVG
2011-08-27 21:17:43 -------- d-----w- c:\programdata\avg9
2011-08-27 04:31:27 -------- d-----w- c:\users\family\appdata\roaming\Tific
2011-08-27 04:31:27 -------- d-----w- c:\users\family\appdata\local\Tific
.
==================== Find3M ====================
.
2011-08-11 11:07:08 2562 ----a-w- c:\windows\memsetk.dll
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 14:56:47 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
2006-05-31 14:14:50 108056 ----a-w- c:\program files\common files\secman.dll
2006-03-12 00:09:30 626176 ----a-w- c:\program files\common files\osmax.ocx
.
============= FINISH: 20:12:54.73 ===============


DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 1/5/2009 06:10:53 AM
System Uptime: 9/12/2011 07:35:47 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0TP406
Processor: Intel(R) Core(TM)2 Quad CPU Q8200 @ 2.33GHz | CPU | 2327/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 581 GiB total, 255.88 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 9.518 GiB free.
E: is CDROM ()
G: is FIXED (NTFS) - 1863 GiB total, 1311.805 GiB free.
H: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
µTorrent
5 Card Slingo Deluxe
AAC Decoder
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
Advanced Video FX Engine
aiofw
aioprnt
aioscnnr
ALZip
Any DVD Cloner Platinum 1.0.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AutoUpdate
AVI to DVD Converter
Banctec Service Agreement
Bonjour
Brother MFL-Pro Suite
Browser Address Error Redirector
C4USelfUpdater
CCleaner
center
CEP (Color Enable Package) v.9.0 (beta)
Choice Guard
Command & Conquer 3
Compatibility Pack for the 2007 Office system
Dell DataSafe Online
Dell Driver Download Manager
Dell Getting Started Guide
Dell Resource CD
Dell Support Center (Support Software)
Dell Webcam Center
Dell Webcam Central
Dell Webcam Manager
DirectXInstallService
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
EASEUS Partition Master 7.1.1 Home Edition
EDocs
Facebook Plug-In
Free Realms
GameHouse Games Collection: Bejeweled 2
GameHouse Games Collection: Boggle Supreme
GameHouse Games Collection: Chicktionary
GameHouse Games Collection: Feeding Frenzy
GameHouse Games Collection: Five Card Deluxe
GameHouse Games Collection: Flip Words
GameHouse Games Collection: Insaniquarium Deluxe
GameHouse Games Collection: Jewel Quest
GameHouse Games Collection: Luxor
GameHouse Games Collection: Mahjong Towers Eternity
GameHouse Games Collection: SCRABBLE
GameHouse Games Collection: Shape Shifter
GameHouse Games Collection: Slingo Deluxe
GameHouse Games Collection: Super SpongeBob Collapse!
Garmin Communicator Plugin
Garmin USB Drivers
Google Earth
Google Update Helper
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections 12.1.12.4
iTunes
J2SE Runtime Environment 5.0 Update 4
Java Auto Updater
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 7
KODAK AiO Home Center
ksDIP
Linksys EasyLink Advisor
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes' Anti-Malware version 1.51.1.1800
McAfee Online Backup
McAfee Total Protection
McAfee Virtual Technician
Memeo Instant Backup
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MKV Splitter
Monitor Webcam Driver (1.01.02.0804)
Move Media Player
Mozilla Firefox (3.6.20)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music, Photos & Videos Launcher
OGA Notifier 2.0.0048.0
PeerBlock 1.0+ (r404)
PreReq
Product Documentation Launcher
Pure Networks Platform
QuickTime
RegSupreme
RegSupreme Pro
Roxio Activation Module
Roxio CinePlayer Decoder Pack
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Premier
Roxio Creator Premier 10
Roxio Creator Tools
Roxio Express Labeler
Roxio Update Manager
Seagate Dashboard
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype™ 5.3
Slingo Deluxe
Snail Mail
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Switch Sound File Converter
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 Double Deluxe
The Sims™ 2 FreeTime
The Sims™ 2 Seasons
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2586924)
VC80CRTRedist - 8.0.50727.762
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.5
VoiceOver Kit
WBFS Manager 3.0
WebEx Support Manager for Internet Explorer
Winamp
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
XPS MiniView Gadget
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
9/9/2011 07:02:53 AM, Error: EventLog [6008] - The previous system shutdown at 6:06:53 AM on 9/9/2011 was unexpected.
9/9/2011 06:01:14 AM, Error: EventLog [6008] - The previous system shutdown at 11:10:07 PM on 9/8/2011 was unexpected.
9/9/2011 04:59:24 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.103. The computer with the IP address 192.168.1.102 did not allow the name to be claimed by this computer.
9/9/2011 04:51:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
9/9/2011 04:50:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {395633B1-EED9-4DFC-B67F-9788B51C9F06}
9/9/2011 04:49:44 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MOBKFilter spldr Wanarpv6
9/9/2011 04:48:34 PM, Error: EventLog [6008] - The previous system shutdown at 4:47:05 PM on 9/9/2011 was unexpected.
9/9/2011 02:59:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
9/7/2011 07:37:08 PM, Error: srv [2017] - The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
9/7/2011 06:56:07 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 001EE5202071 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
9/7/2011 06:56:06 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 0022191F8369 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
9/7/2011 02:45:57 PM, Error: EventLog [6008] - The previous system shutdown at 2:23:37 PM on 9/7/2011 was unexpected.
9/6/2011 08:31:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
9/6/2011 08:28:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/6/2011 08:28:22 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX DfsC mfehidk mfenlfk mfewfpk MOBKFilter NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6 ws2ifsl
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Kodak AiO Network Discovery Service service depends on the Bonjour Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:22 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/6/2011 08:28:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
9/6/2011 08:28:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
9/6/2011 08:28:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
9/6/2011 08:28:08 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/6/2011 08:27:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/6/2011 08:27:14 PM, Error: EventLog [6008] - The previous system shutdown at 8:24:44 PM on 9/6/2011 was unexpected.
9/6/2011 07:42:28 AM, Error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
9/6/2011 06:32:00 AM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Kodak with shared resource name Kodak. Error 2114. The printer cannot be used by others on the network.
9/6/2011 06:32:00 AM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer KODAK ESP 5200 Series AiO with shared resource name KODAK ESP 5200 Series AiO. Error 2114. The printer cannot be used by others on the network.
9/6/2011 06:09:05 AM, Error: EventLog [6008] - The previous system shutdown at 12:51:03 AM on 9/6/2011 was unexpected.
9/6/2011 02:35:45 PM, Error: EventLog [6008] - The previous system shutdown at 9:35:22 AM on 9/6/2011 was unexpected.
9/5/2011 12:52:25 AM, Error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.
9/5/2011 12:51:35 AM, Error: EventLog [6008] - The previous system shutdown at 12:06:15 PM on 9/4/2011 was unexpected.
9/12/2011 06:32:44 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/12/2011 06:32:42 PM, Error: Service Control Manager [7034] - The Linksys Updater service terminated unexpectedly. It has done this 1 time(s).
9/11/2011 01:15:19 AM, Error: Service Control Manager [7022] - The McAfee Network Agent service hung on starting.
9/10/2011 11:06:31 PM, Error: EventLog [6008] - The previous system shutdown at 11:04:30 PM on 9/10/2011 was unexpected.
9/10/2011 09:50:31 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
9/10/2011 09:50:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
.
==== End Of File ===========================


will post GMER in a second message
 
GMER log part 1

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-12 21:06:08
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.1AA0
Running: gmer.exe; Driver: C:\Users\Family\AppData\Local\Temp\kxdyrfob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8B757D48]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8B757D72]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8B757D5E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8B757D34]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82A741A0 5 Bytes JMP 8B757D38 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82C302F0 5 Bytes JMP 8B757D76 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82C71AFE 7 Bytes JMP 8B757D4C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82C72155 5 Bytes JMP 8B757D62 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? System32\drivers\hpjm.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8FE0A000, 0x1F8A4C, 0xE8000020]
init C:\Windows\system32\Drivers\OA002Afx.sys entry point in "init" section [0x82624310]
PAGE spsys.sys!?SPVersion@@3PADA + 1A67 8268E03F 240 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B58 8268E130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1B5F 8268E137 2214 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 2406 8268E9DE 47 Bytes [04, BB, A8, 01, 00, 00, 8D, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 2436 8268EA0E 44 Bytes [05, 00, 00, 39, 54, 8D, D0, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[752] ntdll.dll!NtCreateFile 77307C78 5 Bytes JMP 00140000
.text C:\Windows\system32\services.exe[752] ntdll.dll!NtCreateProcess 77307D38 5 Bytes JMP 00140FC0
.text C:\Windows\system32\services.exe[752] ntdll.dll!NtProtectVirtualMemory 773085D8 5 Bytes JMP 00140FE5
.text C:\Windows\system32\services.exe[752] kernel32.dll!GetStartupInfoW 76B71929 5 Bytes JMP 00130F5E
.text C:\Windows\system32\services.exe[752] kernel32.dll!GetStartupInfoA 76B719C9 5 Bytes JMP 00130F6F
.text C:\Windows\system32\services.exe[752] kernel32.dll!CreateProcessW 76B71C01 5 Bytes JMP 00130F2B
.text C:\Windows\system32\services.exe[752] kernel32.dll!CreateProcessA 76B71C36 5 Bytes JMP 00130F3C
.text C:\Windows\system32\services.exe[752] kernel32.dll!VirtualProtect 76B71DD1 5 Bytes JMP 00130F94
.text C:\Windows\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 76B75C44 5 Bytes JMP 00130FD4
.text C:\Windows\system32\services.exe[752] kernel32.dll!LoadLibraryExW 76B9374A 5 Bytes JMP 00130062
.text C:\Windows\system32\services.exe[752] kernel32.dll!LoadLibraryW 76B9382D 5 Bytes JMP 00130FA5
.text C:\Windows\system32\services.exe[752] kernel32.dll!VirtualProtectEx 76B98F5E 5 Bytes JMP 00130089
.text C:\Windows\system32\services.exe[752] kernel32.dll!LoadLibraryExA 76B99649 5 Bytes JMP 00130051
.text C:\Windows\system32\services.exe[752] kernel32.dll!LoadLibraryA 76B99671 5 Bytes JMP 00130036
.text C:\Windows\system32\services.exe[752] kernel32.dll!CreatePipe 76BA0474 5 Bytes JMP 001300A4
.text C:\Windows\system32\services.exe[752] kernel32.dll!GetProcAddress 76BBBAC6 5 Bytes JMP 00130F10
.text C:\Windows\system32\services.exe[752] kernel32.dll!CreateFileW 76BBCE4E 5 Bytes JMP 00130FEF
.text C:\Windows\system32\services.exe[752] kernel32.dll!CreateFileA 76BBD171 5 Bytes JMP 00130000
.text C:\Windows\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 76C0462E 5 Bytes JMP 00130025
.text C:\Windows\system32\services.exe[752] kernel32.dll!WinExec 76C0580B 5 Bytes JMP 00130F4D
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 7670B5E7 5 Bytes JMP 00150FA8
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 7670B8AE 5 Bytes JMP 00150FB9
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 76710BF5 5 Bytes JMP 00150FEF
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 7671B83D 5 Bytes JMP 0015004A
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 7671BCE1 5 Bytes JMP 0015005B
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 7671D4E8 5 Bytes JMP 0015000A
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 76723CB0 5 Bytes JMP 00150FD4
.text C:\Windows\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 7672F09D 5 Bytes JMP 00150025
.text C:\Windows\system32\services.exe[752] msvcrt.dll!_wsystem 76E98A47 5 Bytes JMP 00160FAD
.text C:\Windows\system32\services.exe[752] msvcrt.dll!system 76E98B63 5 Bytes JMP 00160FBE
.text C:\Windows\system32\services.exe[752] msvcrt.dll!_creat 76E9C6F1 5 Bytes JMP 00160FD9
.text C:\Windows\system32\services.exe[752] msvcrt.dll!_open 76E9DA7E 5 Bytes JMP 00160000
.text C:\Windows\system32\services.exe[752] msvcrt.dll!_wcreat 76E9DC9E 5 Bytes JMP 0016002E
.text C:\Windows\system32\services.exe[752] msvcrt.dll!_wopen 76E9DE79 5 Bytes JMP 0016001D
.text C:\Windows\system32\services.exe[752] WS2_32.dll!socket 774936D1 5 Bytes JMP 00510FEF
.text C:\Windows\system32\lsass.exe[764] ntdll.dll!NtCreateFile 77307C78 5 Bytes JMP 00A50000
.text C:\Windows\system32\lsass.exe[764] ntdll.dll!NtCreateProcess 77307D38 5 Bytes JMP 00A50022
.text C:\Windows\system32\lsass.exe[764] ntdll.dll!NtProtectVirtualMemory 773085D8 5 Bytes JMP 00A50011
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!GetStartupInfoW 76B71929 5 Bytes JMP 009A0F55
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!GetStartupInfoA 76B719C9 5 Bytes JMP 009A0091
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!CreateProcessW 76B71C01 5 Bytes JMP 009A0F1F
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!CreateProcessA 76B71C36 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!CreateProcessA 76B71C36 5 Bytes JMP 009A0F3A
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!VirtualProtect 76B71DD1 5 Bytes JMP 009A0F8B
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeW 76B75C44 5 Bytes JMP 009A0040
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!LoadLibraryExW 76B9374A 5 Bytes JMP 009A0FA8
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!LoadLibraryW 76B9382D 5 Bytes JMP 009A0FC3
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!VirtualProtectEx 76B98F5E 5 Bytes JMP 009A0F7A
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!LoadLibraryExA 76B99649 5 Bytes JMP 009A0065
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!LoadLibraryA 76B99671 5 Bytes JMP 009A0FD4
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!CreatePipe 76BA0474 5 Bytes JMP 009A0080
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!GetProcAddress 76BBBAC6 5 Bytes JMP 009A0F0E
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!CreateFileW 76BBCE4E 5 Bytes JMP 009A000A
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!CreateFileA 76BBD171 5 Bytes JMP 009A0FEF
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeA 76C0462E 5 Bytes JMP 009A0025
.text C:\Windows\system32\lsass.exe[764] kernel32.dll!WinExec 76C0580B 5 Bytes JMP 009A00B6
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExA 7670B5E7 5 Bytes JMP 00A60F8D
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyA 7670B8AE 5 Bytes JMP 00A60FB9
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyA 76710BF5 5 Bytes JMP 00A60000
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyW 7671B83D 5 Bytes JMP 00A60FA8
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExW 7671BCE1 5 Bytes JMP 00A60F7C
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExA 7671D4E8 5 Bytes JMP 00A6001B
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyW 76723CB0 5 Bytes JMP 00A60FE5
.text C:\Windows\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExW 7672F09D 5 Bytes JMP 00A60FCA
.text C:\Windows\system32\lsass.exe[764] msvcrt.dll!_wsystem 76E98A47 5 Bytes JMP 00A70FC6
.text C:\Windows\system32\lsass.exe[764] msvcrt.dll!system 76E98B63 5 Bytes JMP 00A70051
.text C:\Windows\system32\lsass.exe[764] msvcrt.dll!_creat 76E9C6F1 5 Bytes JMP 00A70FD7
.text C:\Windows\system32\lsass.exe[764] msvcrt.dll!_open 76E9DA7E 5 Bytes JMP 00A70000
.text C:\Windows\system32\lsass.exe[764] msvcrt.dll!_wcreat 76E9DC9E 5 Bytes JMP 00A7002C
.text C:\Windows\system32\lsass.exe[764] msvcrt.dll!_wopen 76E9DE79 5 Bytes JMP 00A70011
.text C:\Windows\system32\lsass.exe[764] WS2_32.dll!socket 774936D1 5 Bytes JMP 00A80FEF
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateFile 77307C78 5 Bytes JMP 00190000
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtCreateProcess 77307D38 5 Bytes JMP 00190025
.text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtProtectVirtualMemory 773085D8 5 Bytes JMP 00190FEF
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 76B71929 5 Bytes JMP 00180F4D
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 76B719C9 5 Bytes JMP 00180089
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateProcessW 76B71C01 5 Bytes JMP 001800E4
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateProcessA 76B71C36 5 Bytes JMP 001800C9
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!VirtualProtect 76B71DD1 5 Bytes JMP 00180F72
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 76B75C44 5 Bytes JMP 00180025
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 76B9374A 5 Bytes JMP 00180F83
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 76B9382D 5 Bytes JMP 00180FAF
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 76B98F5E 5 Bytes JMP 00180067
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 76B99649 5 Bytes JMP 00180F9E
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 76B99671 5 Bytes JMP 00180036
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreatePipe 76BA0474 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreatePipe 76BA0474 5 Bytes JMP 00180078
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!GetProcAddress 76BBBAC6 5 Bytes JMP 001800FF
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateFileW 76BBCE4E 5 Bytes JMP 00180FE5
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateFileA 76BBD171 5 Bytes JMP 00180000
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 76C0462E 5 Bytes JMP 00180FD4
.text C:\Windows\system32\svchost.exe[936] kernel32.dll!WinExec 76C0580B 5 Bytes JMP 001800AE
.text C:\Windows\system32\svchost.exe[936] msvcrt.dll!_wsystem 76E98A47 5 Bytes JMP 001B0FA8
.text C:\Windows\system32\svchost.exe[936] msvcrt.dll!system 76E98B63 5 Bytes JMP 001B0FB9
.text C:\Windows\system32\svchost.exe[936] msvcrt.dll!_creat 76E9C6F1 5 Bytes JMP 001B0018
.text C:\Windows\system32\svchost.exe[936] msvcrt.dll!_open 76E9DA7E 5 Bytes JMP 001B0FEF
.text C:\Windows\system32\svchost.exe[936] msvcrt.dll!_wcreat 76E9DC9E 5 Bytes JMP 001B0033
.text C:\Windows\system32\svchost.exe[936] msvcrt.dll!_wopen 76E9DE79 5 Bytes JMP 001B0FDE
.text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 7670B5E7 5 Bytes JMP 001A0058
.text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 7670B8AE 5 Bytes JMP 001A0FD1
.text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 76710BF5 5 Bytes JMP 001A0000
.text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 7671B83D 5 Bytes JMP 001A0FB6
.text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 7671BCE1 5 Bytes JMP 001A0FA5
.text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 7671D4E8 5 Bytes JMP 001A002C
.text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 76723CB0 5 Bytes JMP 001A0011
.text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 7672F09D 5 Bytes JMP 001A003D
.text C:\Windows\system32\svchost.exe[936] WS2_32.dll!socket 774936D1 5 Bytes JMP 001C0FEF
.text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtCreateFile 77307C78 5 Bytes JMP 000F0FEF
.text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtCreateProcess 77307D38 5 Bytes JMP 000F000A
.text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 773085D8 5 Bytes JMP 000F0FD4
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoW 76B71929 5 Bytes JMP 000E0F48
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoA 76B719C9 5 Bytes JMP 000E008E
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 76B71C01 5 Bytes JMP 000E00CE
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateProcessA 76B71C36 5 Bytes JMP 000E00BD
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!VirtualProtect 76B71DD1 5 Bytes JMP 000E0062
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeW 76B75C44 5 Bytes JMP 000E0FDE
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 76B9374A 5 Bytes JMP 000E0051
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryW 76B9382D 5 Bytes JMP 000E0F9E
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!VirtualProtectEx 76B98F5E 5 Bytes JMP 000E0073
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExA 76B99649 5 Bytes JMP 000E0040
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryA 76B99671 5 Bytes JMP 000E0FC3
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreatePipe 76BA0474 5 Bytes JMP 000E0F63
 
GMER log part 2

.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!GetProcAddress 76BBBAC6 5 Bytes JMP 000E0F26
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateFileW 76BBCE4E 5 Bytes JMP 000E0025
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateFileA 76BBD171 5 Bytes JMP 000E000A
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeA 76C0462E 5 Bytes JMP 000E0FEF
.text C:\Windows\system32\svchost.exe[1032] kernel32.dll!WinExec 76C0580B 5 Bytes JMP 000E0F37
.text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_wsystem 76E98A47 5 Bytes JMP 00110064
.text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!system 76E98B63 5 Bytes JMP 00110049
.text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_creat 76E9C6F1 5 Bytes JMP 00110FD9
.text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_open 76E9DA7E 5 Bytes JMP 00110000
.text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_wcreat 76E9DC9E 5 Bytes JMP 00110038
.text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_wopen 76E9DE79 5 Bytes JMP 00110011
.text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExA 7670B5E7 5 Bytes JMP 00100FC0
.text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyA 7670B8AE 5 Bytes JMP 00100051
.text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyA 76710BF5 5 Bytes JMP 00100FEF
.text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyW 7671B83D 5 Bytes JMP 00100062
.text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExW 7671BCE1 5 Bytes JMP 00100FA5
.text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExA 7671D4E8 5 Bytes JMP 0010001B
.text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyW 76723CB0 5 Bytes JMP 0010000A
.text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExW 7672F09D 5 Bytes JMP 00100036
.text C:\Windows\system32\svchost.exe[1032] WS2_32.dll!socket 774936D1 5 Bytes JMP 001E0FEF
.text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtCreateFile 77307C78 5 Bytes JMP 00710000
.text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtCreateProcess 77307D38 5 Bytes JMP 0071001B
.text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 773085D8 5 Bytes JMP 00710FE5
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 76B71929 5 Bytes JMP 006F0F61
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 76B719C9 5 Bytes JMP 006F0F72
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessW 76B71C01 5 Bytes JMP 006F0F2E
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessA 76B71C36 5 Bytes JMP 006F0F3F
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!VirtualProtect 76B71DD1 5 Bytes JMP 006F0F8D
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 76B75C44 5 Bytes JMP 006F001B
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 76B9374A 5 Bytes JMP 006F0067
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryW 76B9382D 5 Bytes JMP 006F0FA8
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 76B98F5E 5 Bytes JMP 006F0082
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 76B99649 5 Bytes JMP 006F004A
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryA 76B99671 5 Bytes JMP 006F0FB9
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreatePipe 76BA0474 5 Bytes JMP 006F009D
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetProcAddress 76BBBAC6 5 Bytes JMP 006F0F1D
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateFileW 76BBCE4E 5 Bytes JMP 006F0FE5
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateFileA 76BBD171 5 Bytes JMP 006F0000
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 76C0462E 5 Bytes JMP 006F0FCA
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!WinExec 76C0580B 5 Bytes JMP 006F0F50
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wsystem 76E98A47 5 Bytes JMP 009E0FB7
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!system 76E98B63 5 Bytes JMP 009E004C
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_creat 76E9C6F1 5 Bytes JMP 009E0FD2
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_open 76E9DA7E 5 Bytes JMP 009E000C
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wcreat 76E9DC9E 5 Bytes JMP 009E0027
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wopen 76E9DE79 5 Bytes JMP 009E0FE3
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 7670B5E7 5 Bytes JMP 00720069
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 7670B8AE 5 Bytes JMP 0072003D
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 76710BF5 5 Bytes JMP 00720000
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 7671B83D 5 Bytes JMP 0072004E
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 7671BCE1 5 Bytes JMP 00720084
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 7671D4E8 5 Bytes JMP 00720011
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 76723CB0 5 Bytes JMP 00720FE5
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 7672F09D 5 Bytes JMP 0072002C
.text C:\Windows\System32\svchost.exe[1108] WS2_32.dll!socket 774936D1 5 Bytes JMP 00A50FEF
.text C:\Windows\System32\svchost.exe[1136] ntdll.dll!NtCreateFile 77307C78 5 Bytes JMP 00DA0FEF
.text C:\Windows\System32\svchost.exe[1136] ntdll.dll!NtCreateProcess 77307D38 5 Bytes JMP 00DA000A
.text C:\Windows\System32\svchost.exe[1136] ntdll.dll!NtProtectVirtualMemory 773085D8 5 Bytes JMP 00DA0FCA
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoW 76B71929 5 Bytes JMP 00D500C7
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoA 76B719C9 5 Bytes JMP 00D500B6
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateProcessW 76B71C01 5 Bytes JMP 00D50F55
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateProcessA 76B71C36 5 Bytes JMP 00D500EC
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!VirtualProtect 76B71DD1 5 Bytes JMP 00D5006C
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeW 76B75C44 5 Bytes JMP 00D50FD4
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 76B9374A 5 Bytes JMP 00D50F92
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!LoadLibraryW 76B9382D 5 Bytes JMP 00D50FB9
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 76B98F5E 5 Bytes JMP 00D50F81
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExA 76B99649 5 Bytes JMP 00D5005B
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!LoadLibraryA 76B99671 5 Bytes JMP 00D50040
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreatePipe 76BA0474 5 Bytes JMP 00D50091
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!GetProcAddress 76BBBAC6 5 Bytes JMP 00D500FD
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateFileW 76BBCE4E 5 Bytes JMP 00D50000
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateFileA 76BBD171 5 Bytes JMP 00D50FEF
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeA 76C0462E 5 Bytes JMP 00D5001B
.text C:\Windows\System32\svchost.exe[1136] kernel32.dll!WinExec 76C0580B 5 Bytes JMP 00D50F70
.text C:\Windows\System32\svchost.exe[1136] msvcrt.dll!_wsystem 76E98A47 5 Bytes JMP 00DB0FD2
Welcome aboard
Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================================================

The GMER log is incomplete.
It should end with an "EOF" line.
Please repost.