Computer Hope
Computer Hope forum, Virus and spyware removal board. Topic started by: TylerDoom on September 03, 2010, 10:24:37 PM
-
There is something for sure on my PC. It's been running slow, IE has been crashing a lot, and Windows even displays a message saying it's probably because of a malicious add-on. I can't seem to find whatever this is; also I am not very wise when it comes to this kind of thing, so any help from a site pro will be much appreciated.
I have McAfee Security Center and it's been running EXTREMELY slow. It takes almost 20 hours for it to complete the regular scan, and it also starts automatically every 3-5 days, informing me I haven't run a scan in the last 30 days.
I also have, and ran in the order and with the settings the sticky thread said to:
CCleaner
SUPERAntiSpyware
Malwarebytes' Anti-Malware
And now HijackThis.
Also I have Spybot S&D, which I run 3-4 times a month.
I ran all the ones I had a week prior to now (all but CCleaner and HijackThis), and several times in the past, and it found a few things every once in a while, but never had any red items or anything that SEEMED that bad.
So here are my logs in order, and I hope this is enough info to get some help from a pro. I definitely appreciate the time of anyone that helps.
Thank you very much ahead of time.
EDIT: I just now see that I am not to post logs unless requested by the pros. So I have all three of them ready if you need to see them. Thanks.
-
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/03/2010 at 10:58 PM
Application Version : 4.42.1000
Core Rules Database Version : 5454
Trace Rules Database Version: 3266
Scan type : Complete Scan
Total Scan Time : 02:29:44
Memory items scanned : 712
Memory threats detected : 0
Registry items scanned : 8153
Registry threats detected : 1
File items scanned : 144432
File threats detected : 0
System.BrokenFileAssociation
HKCR\.exe
_______________________________
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4539
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943
9/3/2010 11:17:36 PM
mbam-log-2010-09-03 (23-17-36).txt
Scan type: Quick scan
Objects scanned: 134689
Time elapsed: 6 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
_______________________________________
-
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:26:19 PM, on 9/3/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Windows\system32\conime.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\Sniper.exe\sniper.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PAC207_Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized
O4 - HKCU\..\Run: [SipDiscount] "C:\Program Files\SipDiscount.com\SipDiscount\SipDiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9046 bytes
-
Also I cannot uninstall "DivX". I hope I posted my info and request properly. I don't know what's the problem with my PC. Thanks to anyone that can help.
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists on this forum, so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
Download ComboFix by sUBs from one of the below links.
Important! You MUST save ComboFix to your desktop
link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click on ComboFix.exe & follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
When the scan completes it will open a text window.
Post the contents of that log in your next reply.
Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
-
This is the info Windows still tells me after IE crashes, just in case I didn't explain things well:
"What is Data Execution Prevention?
Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from system memory locations reserved for Windows and other authorized programs. These types of attacks can harm your programs and files.
DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you."
Here is the log:
ComboFix 10-09-07.01 - Tyler 09/07/2010 22:13:44.2.2 - x86
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3070.1945 [GMT -5:00]
Running from: c:\users\Tyler\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\%appdata%
.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.
2010-09-08 03:34 . 2010-09-08 03:37 -------- d-----w- c:\users\Tyler\AppData\Local\temp
2010-09-08 03:34 . 2010-09-08 03:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-08 03:34 . 2010-09-08 03:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-04 04:22 . 2010-09-04 04:24 -------- d-----w- c:\program files\Trend Micro
2010-09-04 01:11 . 2010-09-04 01:11 -------- d-----w- c:\program files\CCleaner
2010-09-01 14:16 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-01 14:16 . 2010-09-01 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-01 14:16 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 23:22 . 2010-08-31 23:22 -------- d-----w- c:\program files\The Weather Channel FW
2010-08-31 23:21 . 2010-08-31 23:21 -------- d-----w- c:\users\Tyler\AppData\Local\The Weather Channel
2010-08-31 16:04 . 2010-08-31 16:06 -------- d-----w- c:\program files\QuickTime
2010-08-31 16:04 . 2010-08-31 16:04 -------- d-----w- c:\programdata\Apple Computer
2010-08-28 06:50 . 2010-08-28 07:00 -------- d-----r- c:\program files\SCHTHACK Phantasy Star Online Blue Burst
2010-08-19 16:55 . 2010-08-19 16:55 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-08-19 16:52 . 2010-07-09 22:37 56936 ----a-w- c:\windows\system32\OpenCL.dll
2010-08-19 16:52 . 2010-07-09 22:37 11008040 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-08-19 16:52 . 2010-07-09 22:37 5107816 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-08-19 16:52 . 2010-07-09 22:37 14092904 ----a-w- c:\windows\system32\nvoglv32.dll
2010-08-19 16:52 . 2010-07-09 22:37 2892904 ----a-w- c:\windows\system32\nvcuvid.dll
2010-08-19 16:52 . 2010-07-09 22:37 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-08-19 16:52 . 2010-07-09 22:37 4553832 ----a-w- c:\windows\system32\nvcuda.dll
2010-08-19 16:52 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod1922.dll
2010-08-19 16:52 . 2010-07-09 22:37 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-08-19 16:52 . 2010-07-09 22:37 10267240 ----a-w- c:\windows\system32\nvcompiler.dll
2010-08-19 16:50 . 2010-08-19 16:50 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-11 18:26 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 18:26 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-11 18:26 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-11 18:26 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-11 18:26 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-11 18:26 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-11 18:26 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 03:37 . 2009-08-25 07:06 36917 ----a-w- c:\programdata\nvModes.dat
2010-09-08 03:36 . 2008-10-30 02:18 -------- d-----w- c:\programdata\NVIDIA
2010-09-04 06:21 . 2009-08-25 08:21 -------- d-----w- c:\program files\OpenAL
2010-09-04 01:17 . 2010-01-13 00:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-04 01:09 . 2009-04-17 07:05 -------- d-----w- c:\programdata\Viewpoint
2010-08-30 13:59 . 2010-03-10 02:19 -------- d-----w- c:\program files\McAfee
2010-08-28 15:22 . 2010-01-12 22:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-28 06:56 . 2010-05-17 18:13 -------- d-----w- c:\program files\Apple Software Update
2010-08-25 03:32 . 2010-08-25 03:32 -------- d-----w- c:\program files\LSI SoftModem
2010-08-19 16:57 . 2009-08-25 07:02 -------- d-----w- c:\program files\NVIDIA Corporation
2010-08-12 08:07 . 2008-10-30 02:41 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 08:01 . 2008-10-30 02:40 -------- d-----w- c:\programdata\Microsoft Help
2010-08-12 08:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-30 20:52 . 2009-09-19 04:29 -------- d-----w- c:\program files\Steam
2010-07-30 04:40 . 2009-12-13 05:24 1530368 ----a-w- c:\windows\system32\_online.exe
2010-07-19 10:01 . 2010-07-19 09:57 -------- d-----w- c:\users\Tyler\AppData\Roaming\SipDiscount
2010-07-19 09:53 . 2010-04-04 15:20 -------- d-----w- c:\users\Tyler\AppData\Roaming\PoivY
2010-07-15 20:18 . 2010-03-10 02:20 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-11 22:30 . 2010-05-23 08:45 -------- d-----w- c:\programdata\DivX
2010-07-11 02:57 . 2009-07-15 06:12 -------- d-----w- c:\program files\PKR
2010-07-10 06:08 . 2010-05-23 08:46 -------- d-----w- c:\program files\DivX
2010-07-09 22:37 . 2009-08-17 05:57 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-09 22:37 . 2008-11-04 20:34 9818728 ----a-w- c:\windows\system32\nvd3dum.dll
2010-07-09 22:37 . 2008-10-30 02:29 1625192 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 21:37 . 2010-07-09 21:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 21:37 . 2010-07-09 21:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 21:37 . 2010-07-09 21:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 21:37 . 2010-07-09 21:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 18:46 . 2008-10-30 02:15 604776 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-06-26 06:05 . 2010-08-11 18:27 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-11 18:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 06:02 . 2010-08-11 18:27 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 04:25 . 2010-08-11 18:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-11 18:27 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 16:16 . 2010-08-11 18:27 274944 ----a-w- c:\windows\system32\schannel.dll
2009-09-22 02:19 . 2009-09-22 02:02 608744450 ----a-w- c:\program files\WarRock20081102.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-11 323584]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-11 323584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-08-28 15:22 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):37,a6,fa,1e,10,94,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-992643091-3083304189-3454565884-1000]
"EnableNotificationsRef"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 cpuz130;cpuz130;c:\users\Tyler\AppData\Local\Temp\cpuz130\cpuz_x32.sys
R3 MRV6X32U;Linksys Wireless-N USB Network Adapter WUSB300N for Vista x86 (USB8x);c:\windows\system32\DRIVERS\WUSB300N.sys [2007-03-16 316672]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-08-28 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva310;XDva310;c:\windows\system32\XDva310.sys
R3 XDva317;XDva317;c:\windows\system32\XDva317.sys
R3 XDva321;XDva321;c:\windows\system32\XDva321.sys
R3 XDva327;XDva327;c:\windows\system32\XDva327.sys [2010-02-25 66248]
R3 XDva332;XDva332;c:\windows\system32\XDva332.sys
R3 XDva336;XDva336;c:\windows\system32\XDva336.sys
R3 XDva337;XDva337;c:\windows\system32\XDva337.sys
R3 XDva341;XDva341;c:\windows\system32\XDva341.sys
R3 XDva342;XDva342;c:\windows\system32\XDva342.sys
R3 XDva347;XDva347;c:\windows\system32\XDva347.sys
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-07-28 721904]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-08-28 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-08-28 67656]
S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2008-02-13 618112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-10 18:22]
2010-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-10 18:22]
2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{03964399-1B3B-4881-A777-7585C7FC79E6}.job
- c:\windows\system32\msfeedssync.exe [2010-08-11 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-SipDiscount - c:\program files\SipDiscount.com\SipDiscount\SipDiscount.exe
MSConfigStartUp-PoivY - c:\program files\PoivY.com\PoivY\PoivY.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 22:37
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\SEP65D.tmp 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(5972)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\agrsmsvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\conime.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2010-09-07 22:47:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-08 03:47
ComboFix2.txt 2010-01-13 02:53
Pre-Run: 133,440,774,144 bytes free
Post-Run: 133,402,669,056 bytes free
- - End Of File - - 3880DE0498D30419CEA4ADB665E31036
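The entries the helper acts on in this thread can be picked out mechanically: the "(no name) ... (no file)" toolbar in the HijackThis log is exactly the orphan that ComboFix lists under ORPHANS REMOVED, and the GameGuard service is flagged "(file missing)". The script below is an added example, not HijackThis or ComboFix code. It parses HijackThis-format lines copied from the log above, plus one constructed O4 line (marked hypothetical, not present on this PC) to exercise the temp-directory rule, and reports the entries a helper would look at twice.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; it is not HijackThis or ComboFix code. The
rules are the simple checks a helper applies by eye: entries whose target
file is gone ("(no file)", "(file missing)"), unnamed toolbars/BHOs,
services with no publisher, and autoruns launching from a temp directory.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted above, plus
# one hypothetical O4 line (not on this PC) to exercise the temp-directory rule.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [HypotheticalUpdater] "C:\Users\Tyler\AppData\Local\Temp\upd.exe" /silent
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

# "O3 - Toolbar: ..." -> section "O3", body "Toolbar: ..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Any path component named Temp or tmp, e.g. ...\AppData\Local\Temp\x.exe
TEMP_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis entry into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("section"), m.group("body")


def check_entry(section: str, body: str) -> List[str]:
    """Return the human-readable reasons an entry deserves a second look."""
    reasons = []
    if body.endswith("(no file)"):
        reasons.append("orphan entry: the referenced file no longer exists")
    if body.endswith("(file missing)"):
        reasons.append("service image is missing from disk")
    if "(no name)" in body:
        reasons.append("entry has no name")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no publisher information")
    if section == "O4" and TEMP_RE.search(body):
        reasons.append("autorun launches a program from a temp directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run check_entry over every entry line and keep those with reasons."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reasons = check_entry(section, body)
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


def section_counts(log_text: str) -> dict:
    """How many entries each section contributes (a quick overview of the log)."""
    counts: dict = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is not None:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    -> {r}")
```

The rules are heuristics that narrow a long log down to a short review list; a hit such as an "Unknown owner" service can be a legitimate OEM component, so each flagged line still needs the kind of judgement the helper applies in the thread.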
-
Also I cannot uninstall "DivX"..
You can try uninstalling it this way.
Delete An Uninstall Entry
•Start HijackThis
•Click on the Open the Misc Tools section
•Click on the Open Uninstall Manager button.
•Highlight the entry you want to remove (DivX)
•Click Delete this entry
*******************************
You have Viewpoint installed.
Viewpoint Media Player/Manager/Toolbar is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
More information:
* ViewMgr.exe - Useless (http://www.greatis.com/appdata/u/v/viewmgr.exe.htm)
* Viewpoint to Plunge Into Adware (http://www.clickz.com/news/article.php/3561546/)
It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs (on Vista & Win7 this is Programs and Features) and remove the following programs if present.
* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
* Viewpoint Experience Technology
*********************************
Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
- Once the scan is complete, you may receive another notice about rootkit activity.
- Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
-
Alright, here is what happened.
First I tried to use HijackThis to remove DivXsetup, and it didn't work. When I click delete entry followed by the click on "yes" it does nothing, and the DivX is still on my PC.
Secondly, after I tried that, I used the rootkit program you suggested and it worked fine at first: no alert pop-ups on start-up. So then I made sure all the boxes were checked except for the "show all" box, then I clicked run scan...
It worked for about 2 minutes or less, then it stopped working, then the Windows "program is not responding" message popped up and it had to close...
Well, then I tried to run it again, and before it started back up, my PC went to a blue screen.... Then it reset itself..
Now it started back up and I'm back to my desktop, and I will wait to see what you say before taking any action.
Thank you very much for your time, SuperDave.
-
Please try to run GMER this way.
Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.
@echo off
rem Run GMER under a different file name: some rootkits interfere with a scanner they recognise as gmer.exe
Copy /y gmer.exe ark.exe
Start ark.exe
Save it into the gmer folder as File name: ark.cmd
Save as type: All Files
Once done, double click ark.cmd to run it.
This should start GMER. Follow the steps I outlined earlier to save a log file, then post the contents in your next reply.
-
It ran fine this time and saved the log.. Then I tried to open it, and it went to a blue screen again and reset... Here is the log, thanks for your time SD.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-09 23:57:39
Windows 6.0.6002 Service Pack 2
Running: ark.exe; Driver: C:\Users\Tyler\AppData\Local\Temp\uflyrpod.sys
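A small triage helper for hook lines of the kind shown in the GMER log above, added here as an example; it is not GMER's code and not part of the helper's instructions in this thread. It parses the ".text ... 5 Bytes JMP ..." lines, separates hooks GMER attributes to a named driver (here McAfee's mfehidk.sys) from hooks whose JMP target sits in anonymous memory, and checks whether those in-process hooks are identical in every hooked process. The sample lines are copied from the log above; the `CONSTRUCTED_EXTRA` lines, their explorer.exe process and their addresses are constructed for the example.

```python
"""Triage helper for the hook lines in a GMER log (added example for this thread;
not GMER's code and not part of the forum helper's instructions).

It parses GMER's ".text ... JMP ..." hook lines and answers two questions a responder
asks before acting on any of them: which hooks does GMER attribute to a named driver,
and are the unattributed in-process hooks identical in every hooked process (the footprint
of one system-wide component such as the installed antivirus) or confined to one process?
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Shapes handled: ".text <module>!<export> <addr> 5 Bytes JMP <target> [<owner> (<vendor>)]"
# for kernel hooks, with a leading "<process>[pid]" for user-mode hooks (see the log above).
HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?:(?P<process>\S+?)\[(?P<pid>\d+)\]\s+)?"       # user-mode lines only
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<vendor>[^)]*)\))?"  # file GMER resolved the target to
    r"\s*$"
)

@dataclass(frozen=True)
class Hook:
    process: Optional[str]  # None for kernel-mode hooks
    pid: Optional[int]
    module: str             # module whose export was patched, e.g. kernel32.dll
    export: str             # patched export, e.g. CreateProcessW
    addr: int               # address of the patched bytes
    target: int             # where the 5-byte JMP lands
    owner: Optional[str]    # None when the target is in anonymous memory
    vendor: Optional[str]

def parse_hooks(log_text: str) -> List[Hook]:
    """Return a Hook per '.text ... JMP ...' line; every other line is ignored."""
    hooks: List[Hook] = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m is None:
            continue
        hooks.append(Hook(
            process=m["process"], pid=int(m["pid"]) if m["pid"] else None,
            module=m["module"], export=m["export"],
            addr=int(m["addr"], 16), target=int(m["target"], 16),
            owner=m["owner"], vendor=m["vendor"],
        ))
    return hooks

def hooks_by_owner(hooks: List[Hook]) -> Dict[str, int]:
    """Count hooks per resolved owner; anonymous-memory targets are keyed '<unattributed>'."""
    counts: Dict[str, int] = defaultdict(int)
    for h in hooks:
        counts[h.owner or "<unattributed>"] += 1
    return dict(counts)

def exports_by_process(hooks: List[Hook]) -> Dict[Tuple[str, int], Set[str]]:
    """Map each hooked user-mode process to the set of 'module!export' names patched in it."""
    per_proc: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for h in hooks:
        if h.process is not None and h.pid is not None:
            per_proc[(h.process, h.pid)].add(f"{h.module}!{h.export}")
    return dict(per_proc)

def uniform_across_processes(hooks: List[Hook]) -> bool:
    """True when every hooked process carries exactly the same set of patched exports.

    That is what one system-wide component (here the AV's own user-mode hooks) leaves
    behind; a set that differs per process deserves a closer look. A hint, not a verdict.
    """
    sets = list(exports_by_process(hooks).values())
    return bool(sets) and all(s == sets[0] for s in sets)

def process_specific_hooks(hooks: List[Hook]) -> Dict[Tuple[str, int], Set[str]]:
    """Exports patched in some hooked processes but not in all of them."""
    per_proc = exports_by_process(hooks)
    if not per_proc:
        return {}
    common = set.intersection(*per_proc.values())
    return {proc: exps - common for proc, exps in per_proc.items() if exps - common}

# Lines copied from the GMER log posted in this thread.
THREAD_SAMPLE = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 828659D2 5 Bytes JMP 8A99DC92 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\services.exe[744] kernel32.dll!CreateProcessW 77811BF3 5 Bytes JMP 002100DF
.text C:\Windows\system32\services.exe[744] WS2_32.dll!socket 77C636D1 5 Bytes JMP 00370FEF
.text C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateProcessW 77811BF3 5 Bytes JMP 000C00DF
.text C:\Windows\system32\lsass.exe[756] WS2_32.dll!socket 77C636D1 5 Bytes JMP 0018000A
"""

# Constructed lines (not from the thread; addresses are placeholders) that give a third
# process one extra patched export, so the process-specific case is exercised too.
CONSTRUCTED_EXTRA = r"""
.text C:\Windows\explorer.exe[1892] kernel32.dll!CreateProcessW 77811BF3 5 Bytes JMP 01A500DF
.text C:\Windows\explorer.exe[1892] WS2_32.dll!socket 77C636D1 5 Bytes JMP 01A60FEF
.text C:\Windows\explorer.exe[1892] user32.dll!SetWindowsHookExW 76E1ABCD 5 Bytes JMP 01A70000
"""
```

On the thread's own lines every user-mode hook is unattributed but identical across processes, which is the pattern the helper's caution about false positives refers to; only the constructed explorer.exe line produces a process-specific entry.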
-
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
Here is the ESET log. Also, I still cannot uninstall DivX.
Thanks for your time SuperDave.
ESET Log:
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM13.zip
Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
________________________________________________________
C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM40.zip
Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
________________________________________________________
C:\Users\Tyler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\cb1f76c-392348b5
multiple threats deleted - quarantined
________________________________________________________
C:\Users\Tyler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\5340ebba-2fe81f69
multiple threats deleted - quarantined
-
How's your computer running now? Let's try to get rid of DivX this way. Don't post the log. Just tell me if it was removed.
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
Folder::
c:\program files\DivX
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
-
Hey again.. Ok, I did what you said and DivX is gone now. I had to delete the shortcuts but everything else appears to be gone. I haven't been on this PC much yet using IE since the last scan so I am not certain if it won't crash anymore.. But I will test it out.
Is there anything else you need me to do in the meantime? If not I'll reply here soon if anything bad happens, and if not I'll still let ya know if things are better..
Thanks a ton for all your time SuperDave, you have been an awesome help. Keep up the good work!
Thanks again!
-
Also my McAfee scan still runs extremely slowly... It's been on all night, about 5 hours, and it's only at 29%... It'll probably run all day too. I am wondering if this is caused by something else or if I should contact McAfee about the problem..
Thanks for your time SuperDave
-
Another update.. My IE is still crashing and throwing up the DEP info... So something is still wrong with my PC it seems. Any ideas?? Thanks for your ongoing help SuperDave
-
Download WhoCrashed (http://www.resplendence.com/download/whocrashedSetup.exe) from here
This program checks for any drivers which may have been causing your computer to crash....
Click on the file you just downloaded and run it.
Put a tick in Accept then click on Next
Put a tick in the Don't create a start menu folder then click Next
Put a tick in Create a Desktop Icon then click on Install and make sure there is a tick in Launch Whocrashed before clicking Finish
Click Analyze
It will want to download the Debugger and install it; say Yes
WhoCrashed will create a report but you have to scroll down to see it
Copy and paste it into your next reply
-
Here is the report for WhoCrashed
Thanks for your time and ongoing support with my PC issues SuperDave
--------------------------------------------------------------------------------
Analysis
--------------------------------------------------------------------------------
Crash dump directory: C:\Windows\Minidump
Crash dumps are enabled on your computer.
On Thu 9/9/2010 4:59:07 AM your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0x88A202E0, 0x88A2042C, 0x82A60710)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\Windows\Minidump\Mini090910-02.dmp
file path: C:\Windows\system32\csrss.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.
On Thu 9/9/2010 5:24:06 AM your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0x88C6EC48, 0x88C6ED94, 0x82A2F710)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\Windows\Minidump\Mini090910-01.dmp
file path: C:\Windows\system32\csrss.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.
--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------
2 crash dumps have been found and analyzed. Note that it's not always possible to state with certainty whether a reported driver is really responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.
-
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
FileLook::
C:\Windows\system32\csrss.exe
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
************************************
Please try this even if you don't have the OS disk. If it finds an error it will ask for the disk. If not, we'll know that the files are ok.
Do you have an XP CD?
If so, place it in your CD ROM drive and follow the instructions below:
•Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
•Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
-
Hey again, I ran that how you said and nothing popped up but the log afterwards.. So that means that csrss.exe isn't messed up? I wonder what's causing that DEP. I will continue doing what you tell me if there is more to try...
Thanks a million for your help and time SuperDave
Also here is the log on that "Look"
--- c:\windows\system32\csrss.exe ---
Company: Microsoft Corporation
File Description: Client Server Runtime Process
File Version: 6.0.6000.16386 (vista_rtm.061101-2205)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: CSRSS.Exe.MUI
File size: 6144
Created time: 2008-01-21 02:24
Modified time: 2008-01-21 02:24
MD5: ABCA209EBA02CB59233614DB83B4F50D
SHA1: F3A49C0D42455DAA097BCFB6455F8F31C20AFBF8
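The FileLook:: output above and the SFC step before it both come down to one question: is this csrss.exe the file Windows shipped? The PowerShell script below is an added example, not something posted in this thread and not part of ComboFix or SFC, that answers it with built-in cmdlets: it prints the same version and hash details FileLook does, checks the Authenticode status, and compares the System32 copy against the copies in the WinSxS component store, which is where Windows servicing restores from. It assumes PowerShell 4.0 or later (for Get-FileHash) running from an elevated prompt; the $Path parameter is the script's own.

```powershell
# Added example (not from the thread): verify a Windows system file with
# built-in PowerShell, covering what SFC and the FileLook:: step check by hand:
# version info, hashes, Authenticode status, and whether the System32 copy
# matches a copy in the component store (WinSxS).
# Assumes PowerShell 4.0 or later running as Administrator.
param(
    [string]$Path = "$env:SystemRoot\System32\csrss.exe"
)

$item = Get-Item -LiteralPath $Path -ErrorAction Stop
$sig  = Get-AuthenticodeSignature -FilePath $Path
$md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
$sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash

"--- $Path ---"
"Company:     {0}" -f $item.VersionInfo.CompanyName
"Description: {0}" -f $item.VersionInfo.FileDescription
"Version:     {0}" -f $item.VersionInfo.FileVersion
"Size:        {0} bytes" -f $item.Length
"Modified:    {0:yyyy-MM-dd HH:mm}" -f $item.LastWriteTime
"MD5:         $md5"
"SHA1:        $sha1"
"Signature:   {0}" -f $sig.Status
if ($sig.SignerCertificate) { "Signer:      {0}" -f $sig.SignerCertificate.Subject }

# Compare against every same-named file in the component store. A System32
# copy that matches no WinSxS copy was put there by something other than
# Windows servicing and deserves a closer look.
$storeCopies = Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Recurse -Filter $item.Name -File -ErrorAction SilentlyContinue
$storeMatches = foreach ($copy in $storeCopies) {
    if ((Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA1).Hash -eq $sha1) { $copy.FullName }
}

$findings = @()
# Windows system binaries are usually catalog-signed rather than carrying an
# embedded signature, so NotSigned here is not by itself proof of tampering;
# Sysinternals sigcheck -a checks the catalog if you need that answer.
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    $findings += 'embedded signature is not from Microsoft'
}
if ($sig.Status -notin 'Valid', 'NotSigned') { $findings += "signature status is $($sig.Status)" }
if (-not $storeMatches) { $findings += 'no matching copy in WinSxS' }

if ($findings.Count -eq 0) {
    "RESULT: consistent with a genuine Windows file (matches {0} WinSxS copy/copies)" -f @($storeMatches).Count
} else {
    "RESULT: check further - " + ($findings -join '; ')
}
```

Run it as `.\Check-SystemFile.ps1` for csrss.exe, or pass `-Path` for any other System32 binary. The WinSxS comparison is the useful part: a reference hash from someone else's machine only means something for the exact same build, whereas the component store on the machine being examined is the same source SFC uses when it decides whether a file needs replacing.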
-
I'm going to consult with my mentor about this problem. If I don't get back to you in a few days please pm me.
-
Have you been in the control panel and adjusted any of the settings in there?
DEP warnings are not necessarily a bad thing, it could be some software not agreeing with Windows. Many people choose to turn DEP warnings off.
Is there something that you installed around the time these warnings started happening?
-
No not that I can think of... My IE has been crashing A LOT more in the last 24 hours too... Like every 10 minutes when I click on a lot of stuff. From the way this sounds would it be unsafe to turn off DEP?
I will check over my programs though to make sure I didn't install anything, but I haven't, I am almost certain.
Thanks for your reply Evilfantasy.
-
This is happening now.. In the Problems reports and solutions manager.
Is this normal?
"Solve a problem with PSIKey
PSIKey has stopped working properly.
An update is available that solves this problem.
Click to download the update from the Protexis Inc. website
Download instructions
In the File Download dialog box, click Run or Open. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
Follow the steps in the installation wizard."
-
Have a look here. How to Disable and Uninstall Protexis Licensing Service (PSIService.exe) (http://www.mydigitallife.info/2009/07/19/how-to-disable-and-uninstall-protexis-licensing-service-psiservice-exe/)
Let us know....
-
This is all I could find with CCleaner and HiJackThis.. Is there some other way to find and delete that item??
[img=http://s2.postimage.org/4pLd0.jpg] (http://postimage.org/image/8y9uf338/)
-
Look in the Protexis folder and see if there is an uninstaller in it.
-
I don't have a Protexis folder, I never accepted that update or "Solution". I declined it both times it's popped up because it seems weird..
Hopin' I get the right words out to explain what I mean..
I don't have the Protexis folder though.
-
Try this. How do I turn off Data Execution Prevention errors? (http://ask-leo.com/how_do_i_turn_off_data_execution_prevention_errors.html)
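Before turning DEP warnings off, it helps to see what DEP is actually doing on the machine and which program it keeps stopping. The PowerShell below is an added example, not from this thread or the linked article, that reads the system-wide DEP policy from the Win32_OperatingSystem WMI class, lists any per-program exemptions recorded under the AppCompatFlags\Layers registry keys, and pulls recent Application Error events whose exception code is the access violation a DEP block is reported as. It changes nothing and assumes Vista or later with PowerShell 3.0 or newer; the four policy descriptions are the documented meanings of the DataExecutionPrevention_SupportPolicy values.

```powershell
# Added example (not from the thread): inspect the current DEP configuration
# and recent DEP-style crashes before deciding whether to turn DEP off.
# Read-only; changes nothing. Assumes Vista or later with PowerShell 3.0+.

# System-wide policy, as exposed by Win32_OperatingSystem.
$os = Get-WmiObject -Class Win32_OperatingSystem
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for everything)'
    1 = 'AlwaysOn  (DEP for all processes, no exemptions)'
    2 = 'OptIn     (default: Windows binaries and programs that opt in)'
    3 = 'OptOut    (all programs except those listed as exempt)'
}
"DEP hardware support available: {0}" -f $os.DataExecutionPrevention_Available
"DEP policy:                     {0}" -f $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
"DEP applied to 32-bit apps:     {0}" -f $os.DataExecutionPrevention_32BitApplications
"DEP applied to drivers:         {0}" -f $os.DataExecutionPrevention_Drivers

# Per-program exemptions made through System Properties > Performance > DEP
# are stored as a 'DisableNXShowUI' flag under AppCompatFlags\Layers.
$layerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
$exempt = foreach ($key in $layerKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'DisableNXShowUI') {
                [pscustomobject]@{ Scope = $key.Split(':')[0]; Program = $p.Name; Flags = $p.Value }
            }
        }
    }
}
if ($exempt) { "Programs currently exempted from DEP:"; $exempt | Format-Table -AutoSize }
else { "No per-program DEP exemptions are configured." }

# Application Error events (ID 1000) name the faulting program and module.
# A DEP block surfaces as exception code 0xc0000005, but so does any other
# access violation, so treat this list as a shortlist to look at, not proof.
"Recent Application Error events with exception code 0xc0000005:"
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 1000 -and $_.Message -match 'c0000005' } |
    Select-Object -First 10 TimeCreated, @{ n = 'Detail'; e = { (($_.Message -split "`n")[0..2]) -join ' ' } } |
    Format-Table -Wrap
```

If the policy shows OptIn and no exemptions exist, the program named in the event log is the one to update or exempt individually; that keeps DEP protecting Internet Explorer and the rest of Windows instead of switching it off machine-wide.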