
[Resolved] McAfee has failed me, Now I only Google ads.


This topic is locked
10 replies to this topic

#1 Snacker

  • New Member
  • 5 posts

Posted 02 October 2009 - 10:01 PM

In a moment of utter stupid, I downloaded something that I knew that I shouldn't and ended up infected. McAfee didn't even catch it. At first it wouldn't even let McAfee update, and it was stopping all attempts to fight it, but thanks to McAfee support, it at least updates now. Further info on that can be found in the thread I had on their message board:

http://community.mca...ad.php?t=233478

After that it seemed somewhat okay, other than a pop-up that kept showing up. Then my machine would randomly lock-up. Add to that the fact that any link I click on Google now forwards me to places other than where the link should have gone, and I have major problems still. I was hoping that a McAfee update would take care of these too if I kept scanning, but no luck. Please help me, and if there is a better anti-virus than McAfee, could you point me to that too please?

Here are my logs:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/02 22:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEB53000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BAD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE67C000 Size: 49152 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: C:\WINDOWS\system32\svchost.exe
PID: 200 Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\csrss.exe
PID: 1232 Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\svchost.exe
PID: 1540 Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\svchost.exe
PID: 1744 Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\svchost.exe
PID: 1912 Status: Locked to the Windows API!

SSDT
-------------------
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "IPVNMon.sys" at address 0xf847e803

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULdoynkjewifxmiolcoexemslitfquujjk.sys

==EOF==




DDS (Ver_09-09-29.01) - NTFSx86
Run by michele cook at 22:27:08.52 on Fri 10/02/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.139 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
D:\James\programs\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
D:\Winamp3\Winamp\winampa.exe
D:\James\programs\java\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
D:\James\BitTorrent\bittorrent.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\James\programs\java\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\michele cook\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.careerbuilder.com/
uSearch Page = hxxp://rd.yahoo.com/customize/sbcy/defaults/sp/*http://www.yahoo.com
uWindow Title = is mine. Dibs! I called it!
uSearch Bar = hxxp://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\james\programs\java\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\james\programs\java\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_3_19_0.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [BitTorrent] "d:\james\bittorrent\bittorrent.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [D-Link RangeBooster G WUA-2340] d:\james\programs\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinampAgent] d:\winamp3\winamp\winampa.exe
mRun: [QuickTime Task] "d:\james\programs\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "d:\james\programs\java\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - d:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {165B3239-2565-49DB-8A82-F28631CE44ED} - hxxp://www.cme-equotes.com/webstart/webstart.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
DPF: {64697663-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/cinepak.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219781184625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: SMDEn - c:\windows\system32\m482lelo1hqc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-7-31 214024]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2006-6-19 91136]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-30 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-7-31 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-7-24 24652]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2006-5-8 347648]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-7-31 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-7-31 35272]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2006-6-19 23180]
S2 Windows MSI;Windows MSI;\\?\globalroot\systemroot\system32\msihost.exe --> \\?\globalroot\systemroot\system32\msihost.exe [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-7-31 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-7-31 40552]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smalidt.sys [2003-10-18 9216]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-7-31 606736]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\james\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-09-18 19:40 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-18 16:46 <DIR> --d----- c:\docume~1\michel~1\applic~1\Malwarebytes
2009-09-10 15:29 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 15:29 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 15:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2005-03-14 21:37 32 ac---r-- c:\documents and settings\all users\hash.dat
2005-02-01 13:47 44 ac------ c:\docume~1\michel~1\applic~1\Sskuknwrd.dll
2005-02-01 13:45 30 ac------ c:\docume~1\michel~1\applic~1\Sskcwrd.dll
2004-01-27 14:23 3,149 ac------ c:\program files\common files\remove_tools.html
2003-08-18 20:42 812 ac------ c:\program files\INSTALL.LOG
2006-04-25 17:37 10,022 ac-sh--- c:\windows\system32\KGyGaAv0.sys

============= FINISH: 22:28:08.69 ===============

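The RootRepeal log above reports a hidden service (ESQULserv.sys) whose driver file carries a long random-looking name, plus an SSDT entry hooked by a third-party driver. As an added example, not part of this thread or of any tool named in it, the following Python parses that log format and flags exactly those indicators for a responder to review: hidden services whose image file does not match the service name or looks generated, and hooked system calls with the hooking module. The sample log is a constructed excerpt modelled on the one posted, not the poster's file, and the randomness heuristic (length plus Shannon entropy) is an assumption of this example.

```python
import math
import re
from collections import Counter

# Constructed excerpt modelled on the RootRepeal log posted in the thread (same
# section headers and key/value layout); sample input, not the poster's file.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/02 22:39
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE67C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "IPVNMon.sys" at address 0xf847e803

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULdoynkjewifxmiolcoexemslitfquujjk.sys

==EOF==
"""

# RootRepeal puts several "Key: value" pairs on one line, and values contain
# "C:\" paths, so keys are matched from a fixed list (longest names first).
KEY_RE = re.compile(
    r"(?:^|(?<=\s))(Image Path|Function Name|Service Name|File Visible|"
    r"Address|Status|Signed|Name|Size|Path|PID|#):\s+")
RULE_RE = re.compile(r"-{5,}")


def parse_line(line):
    """Split one log line into a dict of its key/value pairs."""
    pairs, hits = {}, list(KEY_RE.finditer(line))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        pairs[m.group(1)] = line[m.end():end].strip()
    return pairs


def parse_rootrepeal(text):
    """Return {section name: [entry dict, ...]}; entries are blank-line separated."""
    sections, current, entry = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # A section header is the line immediately before a dashed rule.
        if i + 1 < len(lines) and RULE_RE.fullmatch(lines[i + 1].strip()):
            current, entry = line.strip(), {}
            sections[current] = []
        elif current is None or RULE_RE.fullmatch(line.strip()):
            continue
        elif not line.strip() or line.startswith("=="):
            if entry:
                sections[current].append(entry)
            entry = {}
        else:
            entry.update(parse_line(line))
    if entry and current:
        sections[current].append(entry)
    return sections


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s.lower()).values())


def looks_random(path, min_len=20, min_entropy=3.5):
    """Heuristic (an assumption here) for generated driver names: long, letters only, high entropy."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= min_len and stem.isalpha() and shannon_entropy(stem) >= min_entropy


def triage(sections):
    """Findings a responder would review first: hidden services and SSDT hooks."""
    findings = []
    for svc in sections.get("Hidden Services", []):
        name, path = svc.get("Service Name", ""), svc.get("Image Path", "")
        reasons = ["service is hidden from the Windows service manager"]
        if name.lower() != path.rsplit("\\", 1)[-1].lower():
            reasons.append("service name does not match its driver file name")
        if looks_random(path):
            reasons.append("driver file name looks randomly generated")
        findings.append({"type": "hidden_service", "name": name, "module": path,
                         "reasons": reasons})
    for hook in sections.get("SSDT", []):
        m = re.search(r'Hooked by "([^"]+)"', hook.get("Status", ""))
        if m:  # a hook alone is not proof of malware: check the module's vendor first
            findings.append({"type": "ssdt_hook", "name": hook.get("Function Name", ""),
                             "module": m.group(1),
                             "reasons": ["system call redirected by a third-party driver"]})
    return findings


if __name__ == "__main__":
    print(*triage(parse_rootrepeal(SAMPLE_LOG)), sep="\n")
```

On the sample log this reports the hidden service with all three reasons and the NtDeviceIoControlFile hook by IPVNMon.sys; the hook is listed for review, not judged, since the later ComboFix output simply shows that driver deregistered.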


#2 Tomk

  • Beguilement Monitor
  • Classroom Admin
  • 20,150 posts

Posted 05 October 2009 - 11:14 PM

Hi Snacker,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk


#3 Snacker

  • New Member
  • 5 posts

Posted 06 October 2009 - 02:52 AM

Thank you. I was starting to get worried. I ran the program and it completed, but several times something called PEV.cfxxe wanted to send an error report (which I didn't let it), and it restarted my computer due to rootkit problems. It told me 4 file names that were the problem, and I wrote them down, but they are long jumbles of random letters, and the only important part I'm guessing is the first part that was the same for all four: ESQUL, two of which were .dll files in the system32 folder, and two were .sys files in the system32\drivers folder. Anyway, here is the log:



ComboFix 09-10-04.01 - michele cook 10/06/2009 1:43.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.152 [GMT -5:00]
Running from: c:\documents and settings\michele cook\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\michele cook\Application Data\Sskcwrd.dll
c:\documents and settings\michele cook\Application Data\Sskuknwrd.dll
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-1390774377-2385200199-1500318138-1003
c:\recycler\S-1-5-21-1801674531-764733703-725345543-1003
c:\recycler\S-1-5-21-2558430661-1340648803-2597014688-1003
c:\recycler\S-1-5-21-3728447159-2152579179-162068669-1003
c:\recycler\S-1-5-21-3818769647-1456451836-867213556-1003
c:\recycler\S-1-5-21-81932072-2099459701-3103979217-1003
c:\recycler\S-1-5-21-823864489-1945211297-4234179203-1003
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\105b7a81.msp
c:\windows\Installer\12293b.msp
c:\windows\Installer\5e174.msi
c:\windows\Installer\a9468.msi
c:\windows\nhnoea.dll
c:\windows\patch.exe
c:\windows\system32\drivers\ESQULbkhbrowhhrbppiwgqebuakjarvdxbpfo.sys
c:\windows\system32\drivers\ESQULdoynkjewifxmiolcoexemslitfquujjk.sys
c:\windows\system32\ESQULoayxykggucpqowsuvgnrgujuvfmtamra.dll
c:\windows\system32\ESQULyyjnalsmrnqihqfnpepsggbugujdxcma.dll
c:\windows\system32\logs
c:\windows\system32\logs\{7D6EA752-00A7-40D0-83CC-FB13CFCFEE98}.log
c:\windows\system32\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Legacy_ESQULserv.sys
-------\Legacy_WINDOWS_MSI
-------\Service_Windows MSI
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-04 02:53 . 2009-10-04 02:53 -------- d-----w- c:\program files\iPod
2009-10-04 02:52 . 2009-10-04 02:54 -------- d-----w- c:\program files\iTunes
2009-10-04 02:52 . 2009-10-04 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 00:40 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-18 21:46 . 2009-09-18 21:46 -------- d-----w- c:\documents and settings\michele cook\Application Data\Malwarebytes
2009-09-10 20:29 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:29 . 2009-09-10 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 20:29 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 07:05 . 2005-03-31 00:40 -------- d-----w- c:\documents and settings\michele cook\Application Data\BitTorrent
2009-10-06 07:03 . 2008-10-18 16:49 -------- d-----w- c:\program files\DNA
2009-10-06 07:03 . 2008-10-18 16:49 -------- d-----w- c:\documents and settings\michele cook\Application Data\DNA
2009-10-04 08:25 . 2006-07-31 06:10 -------- d-----w- c:\program files\McAfee
2009-10-04 02:53 . 2008-01-22 21:21 -------- d-----w- c:\program files\Common Files\Apple
2009-09-19 17:22 . 2007-07-25 02:25 -------- d-----w- c:\program files\Common Files\Viewpoint
2009-09-19 05:16 . 2004-01-17 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-19 00:26 . 2003-08-24 18:07 47544 -c--a-w- c:\documents and settings\michele cook\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 21:10 . 2009-08-17 21:10 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 00:24 . 2004-08-17 15:08 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-17 15:08 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-17 15:08 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2003-01-15 23:52 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-01-15 22:43 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-17 15:08 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-08-27 12:00 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-07-19 03:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2003-01-15 23:52 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2003-01-15 22:43 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-04-09 03:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2003-01-15 22:43 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 17:32 . 2006-07-31 06:18 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 04:43 . 2004-02-07 21:29 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 18:44 . 2006-07-31 06:19 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2006-07-31 06:19 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2006-07-31 06:19 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:44 . 2006-07-31 06:19 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:43 . 2006-07-31 06:19 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2004-01-27 19:23 . 2004-05-20 14:43 3149 -c--a-w- c:\program files\Common Files\remove_tools.html
2006-04-25 22:37 . 2005-02-15 08:23 10022 -csha-w- c:\windows\system32\KGyGaAv0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"BitTorrent"="d:\james\BitTorrent\bittorrent.exe" [2009-08-19 653104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-04-21 57344]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-04 40960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"D-Link RangeBooster G WUA-2340"="d:\james\programs\AirPlusCFG.exe" [2007-06-12 1654784]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinampAgent"="d:\winamp3\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="d:\james\programs\java\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="d:\james\programs\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-9-8 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SMDEn]
2005-02-16 07:56 56 ----a-w- c:\windows\system32\m482lelo1hqc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"d:\\James\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [6/19/2006 1:52 PM 91136]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/24/2007 9:26 PM 24652]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [5/8/2006 7:10 PM 347648]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [6/19/2006 1:50 PM 23180]
S2 0109441254719877mcinstcleanup;McAfee Application Installer Cleanup (0109441254719877);c:\windows\TEMP\010944~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\010944~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smalidt.sys [10/18/2003 8:12 PM 9216]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\james\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\65d85c91-938c-4194-bc98-e1c98b843f59]
c:\windows\system32\lhzawp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2003-01-15 00:12]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-07-31 02:26]

2003-06-20 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]

2003-06-20 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]

2009-10-05 c:\windows\Tasks\User_Feed_Synchronization-{37AFD519-5AB7-4E32-A6CB-2D5B73A4789B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.careerbuilder.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {165B3239-2565-49DB-8A82-F28631CE44ED} - hxxp://www.cme-equotes.com/webstart/webstart.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
AddRemove-Recommended Hotfix - 421701D - c:\program files\Recommended Hotfix - 421701D\v15\RH.EXE
AddRemove-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\CDAUninstall.exe
AddRemove-Yahoo! SiteBuilder - c:\progra~1\Java\J2RE14~1.1_0\bin\javaw.exe
AddRemove-{120E090D-9136-4b78-8258-F0B44B4BD2AC} - c:\windows\System32\ms.exe
AddRemove-{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} - c:\windows\System32\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 02:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3207943277-3986855577-483379819-1005\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3872)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\james\programs\java\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Sony\VAIO Media Music Server\SSSvr.exe
c:\program files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-10-06 2:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 07:15

Pre-Run: 1,171,537,920 bytes free
Post-Run: 1,387,151,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

254 --- E O F --- 2009-09-19 05:19

#4 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,150 posts

Posted 06 October 2009 - 10:22 AM

Snacker,

Looking better. :thumbup:

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\program files\Common Files\remove_tools.html
    c:\windows\system32\m482lelo1hqc.dll
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Download Rooter.exe to your desktop

  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Tomk
------------------------------------------------------------

Topics are closed after 5 days without response


#5 Snacker

Snacker

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 06 October 2009 - 02:39 PM

Day of the missing programs. First ComboFix disappeared on me, so I redownloaded it. Then Malwarebytes, which I already had but had to rename to get it to run the first time, refused to run, so I redownloaded that too. Sigh. Here are the logs:

ComboFix 09-10-05.01 - michele cook 10/06/2009 15:03.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.263 [GMT -5:00]
Running from: c:\documents and settings\michele cook\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\michele cook\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\program files\Common Files\remove_tools.html"
"c:\windows\system32\m482lelo1hqc.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\remove_tools.html
c:\windows\system32\m482lelo1hqc.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-04 02:53 . 2009-10-04 02:53 -------- d-----w- c:\program files\iPod
2009-10-04 02:52 . 2009-10-04 02:54 -------- d-----w- c:\program files\iTunes
2009-10-04 02:52 . 2009-10-04 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 00:40 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-18 21:46 . 2009-09-18 21:46 -------- d-----w- c:\documents and settings\michele cook\Application Data\Malwarebytes
2009-09-10 20:29 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:29 . 2009-09-10 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 20:29 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 20:12 . 2005-03-31 00:40 -------- d-----w- c:\documents and settings\michele cook\Application Data\BitTorrent
2009-10-06 20:11 . 2008-10-18 16:49 -------- d-----w- c:\documents and settings\michele cook\Application Data\DNA
2009-10-06 07:03 . 2008-10-18 16:49 -------- d-----w- c:\program files\DNA
2009-10-04 08:25 . 2006-07-31 06:10 -------- d-----w- c:\program files\McAfee
2009-10-04 02:53 . 2008-01-22 21:21 -------- d-----w- c:\program files\Common Files\Apple
2009-09-19 17:22 . 2007-07-25 02:25 -------- d-----w- c:\program files\Common Files\Viewpoint
2009-09-19 05:16 . 2004-01-17 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-19 00:26 . 2003-08-24 18:07 47544 -c--a-w- c:\documents and settings\michele cook\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 21:10 . 2009-08-17 21:10 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 00:24 . 2004-08-17 15:08 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-17 15:08 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-17 15:08 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2003-01-15 23:52 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2003-01-15 22:43 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-17 15:08 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-08-27 12:00 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-07-19 03:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2003-01-15 23:52 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2003-01-15 22:43 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-04-09 03:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2003-01-15 22:43 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 17:32 . 2006-07-31 06:18 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 04:43 . 2004-02-07 21:29 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-04-25 22:37 . 2005-02-15 08:23 10022 -csha-w- c:\windows\system32\KGyGaAv0.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-06_07.05.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-06 07:03 . 2009-10-06 07:03 16384 c:\windows\Temp\Perflib_Perfdata_1f0.dat
+ 2003-01-15 23:57 . 2009-10-06 19:50 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-01-15 23:57 . 2009-10-06 04:39 81920 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-06 09:17 . 2009-10-06 19:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-01-15 23:57 . 2009-10-06 04:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"BitTorrent"="d:\james\BitTorrent\bittorrent.exe" [2009-08-19 653104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-04-21 57344]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-04 40960]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"D-Link RangeBooster G WUA-2340"="d:\james\programs\AirPlusCFG.exe" [2007-06-12 1654784]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinampAgent"="d:\winamp3\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="d:\james\programs\java\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="d:\james\programs\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-9-8 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"d:\\James\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [6/19/2006 1:52 PM 91136]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [5/8/2006 7:10 PM 347648]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [6/19/2006 1:50 PM 23180]
S2 0109441254719877mcinstcleanup;McAfee Application Installer Cleanup (0109441254719877);c:\windows\TEMP\010944~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\010944~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smalidt.sys [10/18/2003 8:12 PM 9216]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\james\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\65d85c91-938c-4194-bc98-e1c98b843f59]
c:\windows\system32\lhzawp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2003-01-15 00:12]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-07-31 02:26]

2003-06-20 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]

2003-06-20 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]

2009-10-05 c:\windows\Tasks\User_Feed_Synchronization-{37AFD519-5AB7-4E32-A6CB-2D5B73A4789B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.careerbuilder.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {165B3239-2565-49DB-8A82-F28631CE44ED} - hxxp://www.cme-equotes.com/webstart/webstart.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-SMDEn - c:\windows\system32\m482lelo1hqc.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 15:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3207943277-3986855577-483379819-1005\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
Completion time: 2009-10-06 15:18
ComboFix-quarantined-files.txt 2009-10-06 20:17
ComboFix2.txt 2009-10-06 07:15

Pre-Run: 1,515,540,480 bytes free
Post-Run: 1,496,014,848 bytes free

181 --- E O F --- 2009-09-19 05:19



Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 2 Stepping 7, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:15 Go - Free:1 Go )
D:\ [Fixed-NTFS] .. ( Total:0 Go - Free:0 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
.
Scan : 15:21.51
Path : C:\Documents and Settings\michele cook\Desktop\Rooter.exe
User : michele cook ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (1196)
______ \??\C:\WINDOWS\system32\csrss.exe (1244)
______ \??\C:\WINDOWS\system32\winlogon.exe (1268)
______ C:\WINDOWS\system32\services.exe (1312)
______ C:\WINDOWS\system32\lsass.exe (1324)
______ C:\WINDOWS\system32\svchost.exe (1476)
______ C:\WINDOWS\system32\svchost.exe (1536)
______ C:\WINDOWS\System32\svchost.exe (1676)
______ C:\WINDOWS\System32\svchost.exe (1724)
______ C:\WINDOWS\system32\svchost.exe (1784)
______ C:\WINDOWS\system32\LEXBCES.EXE (636)
______ C:\WINDOWS\system32\spoolsv.exe (652)
______ C:\WINDOWS\system32\LEXPPS.EXE (740)
______ C:\WINDOWS\System32\svchost.exe (1936)
______ C:\WINDOWS\system32\hkcmd.exe (316)
______ C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe (336)
______ C:\Program Files\McAfee.com\Agent\mcagent.exe (380)
______ C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe (392)
______ D:\James\programs\AirPlusCFG.exe (400)
______ C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (436)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (580)
______ D:\James\programs\java\bin\jusched.exe (832)
______ C:\Program Files\Bonjour\mDNSResponder.exe (904)
______ C:\Program Files\iTunes\iTunesHelper.exe (924)
______ C:\Program Files\DNA\btdna.exe (968)
______ D:\James\BitTorrent\bittorrent.exe (996)
______ D:\James\programs\java\bin\jqs.exe (496)
______ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (1056)
______ c:\program files\common files\mcafee\mna\mcnasvc.exe (1720)
______ c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (1964)
______ C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (1232)
______ C:\Program Files\McAfee\MPF\MPFSrv.exe (2112)
______ C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (3692)
______ C:\WINDOWS\System32\svchost.exe (3924)
______ C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe (3940)
______ C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe (4084)
______ C:\Program Files\Viewpoint\Common\ViewpointService.exe (588)
______ C:\Program Files\iPod\bin\iPodService.exe (1364)
______ C:\WINDOWS\System32\alg.exe (1032)
______ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (2936)
______ C:\WINDOWS\System32\svchost.exe (2216)
______ C:\WINDOWS\system32\ctfmon.exe (3812)
______ C:\WINDOWS\system32\wscntfy.exe (3284)
______ D:\Winamp3\Winamp\winamp.exe (2824)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (1632)
______ C:\WINDOWS\explorer.exe (3988)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (3976)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (1572)
______ C:\Documents and Settings\michele cook\Desktop\Rooter.exe (2244)
______ C:\WINDOWS\system32\wuauclt.exe (2060)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:5379300864)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:5379333120 | Length:16113323520)
\Device\Harddisk0\Partition0 (Start_Offset:21492656640 | Length:98538854400)
\Device\Harddisk0\Partition3 (Start_Offset:21492688896 | Length:98538822144)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\McDefragTask.job
C:\WINDOWS\Tasks\McQcTask.job
C:\WINDOWS\Tasks\Registration reminder 2.job
C:\WINDOWS\Tasks\Registration reminder 3.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{37AFD519-5AB7-4E32-A6CB-2D5B73A4789B}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 15:22.28
.
C:\Rooter$\Rooter_1.txt - (06/10/2009 | 15:22.28)



Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3

10/6/2009 3:33:34 PM
mbam-log-2009-10-06 (15-33-34).txt

Scan type: Quick Scan
Objects scanned: 113304
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,150 posts

Posted 06 October 2009 - 03:54 PM

Snacker,

I don't understand the missing programs, or why Mbam would need to be renamed. Better look again for rootkits.

Please download gmer.zip from Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.

Note: Do not run any programs while Gmer is running.



Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk


#7 Snacker

Snacker

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 07 October 2009 - 09:33 PM

Sorry, I think I might have confused you. What I meant to say is that I already had Malwarebytes on my machine because I downloaded it when the infection was at its worst, and I was being helped by McAfee support. It was back then that I had to rename it to get it to work. This last time it ran fine. Anyway, I ran the two new scans you requested, though they took a long time to run, especially the online one, which ran for 6 hours! What's worse is that I had to run it three times! The first time the window shut for some reason (it may be because I forgot to stop McAfee first). I then tried to run it overnight, but it seems we had a minor power outage that shut my computer off. Can't blame the infection for that one since more things than just the computer were affected. Anyway, the logs:

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-06 23:49:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\uwroquow.sys


---- System - GMER 1.0.15 ----

SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xF84B4803]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEF45D4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEF45D581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEF45D498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEF45D4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEF45D595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEF45D5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEF45D62F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEF45D619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEF45D52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEF45D65B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEF45D56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEF45D470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEF45D484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEF45D4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEF45D697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEF45D603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEF45D5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEF45D5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEF45D683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEF45D66F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEF45D4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEF45D4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEF45D5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEF45D559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEF45D645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEF45D540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEF45D514]
Code \??\C:\ComboFix\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EF45D518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP EF45D571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP EF45D5F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP EF45D4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP EF45D4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP EF45D585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP EF45D69B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP EF45D633 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP EF45D474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP EF45D502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP EF45D5DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP EF45D544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP EF45D52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP EF45D4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP EF45D55D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP EF45D488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP EF45D65F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP EF45D61D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP EF45D5C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP EF45D599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EF45D49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP EF45D4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D9DA 7 Bytes JMP EF45D649 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E300 7 Bytes JMP EF45D607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP EF45D5AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 5 Bytes JMP EF45D673 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F0DC 5 Bytes JMP EF45D687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0FEF
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E007D
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E0062
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E0051
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E0F94
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E0025
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E0F59
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E00AB
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E0F23
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E0F3E
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010E0F12
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E0040
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010E0FD4
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010E008E
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E0014
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010E0FC3
.text C:\WINDOWS\system32\services.exe[1312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010E00BC
.text C:\WINDOWS\system32\services.exe[1312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0039
.text C:\WINDOWS\system32\services.exe[1312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0FB2
.text C:\WINDOWS\system32\services.exe[1312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\services.exe[1312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0014
.text C:\WINDOWS\system32\services.exe[1312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\services.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\services.exe[1312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF0065
.text C:\WINDOWS\system32\services.exe[1312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF004A
.text C:\WINDOWS\system32\services.exe[1312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE005D
.text C:\WINDOWS\system32\services.exe[1312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0FD2
.text C:\WINDOWS\system32\services.exe[1312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE002E
.text C:\WINDOWS\system32\services.exe[1312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[1312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0FE3
.text C:\WINDOWS\system32\services.exe[1312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE001D
.text C:\WINDOWS\system32\services.exe[1312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\services.exe[1312] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F77
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C6006C
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60F9E
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60051
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F3A
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60F4B
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60F1F
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C600AE
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C600D3
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60FAF
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FDE
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60F5C
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60014
.text C:\WINDOWS\system32\lsass.exe[1324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C6009D
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50FCA
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C50F9E
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50FDB
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C5001B
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E5, 88] {IN EAX, 0x88}
.text C:\WINDOWS\system32\lsass.exe[1324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50036
.text C:\WINDOWS\system32\lsass.exe[1324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\system32\lsass.exe[1324] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\lsass.exe[1324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00033
.text C:\WINDOWS\system32\lsass.exe[1324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\lsass.exe[1324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00044
.text C:\WINDOWS\system32\lsass.exe[1324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00018
.text C:\WINDOWS\system32\lsass.exe[1324] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\lsass.exe[1324] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02470FEF
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02470065
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02470054
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02470F7A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02470F97
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0247002F
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024700A2
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02470091
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02470F09
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02470F24
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02470EF8
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02470FB2
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0247000A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02470076
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02470FC3
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02470FD4
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02470F35
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02460FA8
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02460039
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02460FB9
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02460FD4
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0246001E
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02460FEF
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02460F7C
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [66, 8A]
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02460F97
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02450F92
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 02450FA3
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0245000C
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02450FEF
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0245001D
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02450FDE
.text C:\WINDOWS\system32\svchost.exe[1476] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1476] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0093
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0078
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD005B
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0040
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD0F57
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0F68
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD00DF
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD0F3C
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CD0F2B
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CD0F9E
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CD0F79
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CD0025
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CD00BA
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0F79
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0F94
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CC0FB9
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EC, 88]
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC0036
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB006C
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB0047
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB002C
.text C:\WINDOWS\system32\svchost.exe[1536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1536] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00CA0014
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03440FEF
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03440F7A
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03440F95
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03440FA6
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03440FC3
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0344005B
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03440F4C
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03440094
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 034400B6
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03440F27
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 034400D1
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03440FD4
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0344000A
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03440F69
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03440040
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0344002F
.text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 034400A5
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0343002C
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03430073
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0343001B
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0343000A
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03430058
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03430FE5
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03430FB6
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [63, 8B]
.text C:\WINDOWS\System32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0343003D
.text C:\WINDOWS\System32\svchost.exe[1676] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02F10F9C
.text C:\WINDOWS\System32\svchost.exe[1676] msvcrt.dll!system 77C293C7 5 Bytes JMP 02F10027
.text C:\WINDOWS\System32\svchost.exe[1676] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02F1000C
.text C:\WINDOWS\System32\svchost.exe[1676] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02F10FEF
.text C:\WINDOWS\System32\svchost.exe[1676] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02F10FB7
.text C:\WINDOWS\System32\svchost.exe[1676] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02F10FD2
.text C:\WINDOWS\System32\svchost.exe[1676] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02F00000
.text C:\WINDOWS\System32\svchost.exe[1676] WS2_32.dll!bind 71AB4480 5 Bytes JMP 02F00011
.text C:\WINDOWS\System32\svchost.exe[1676] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 02EA0000
.text C:\WINDOWS\System32\svchost.exe[1676] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 02EA0FDB
.text C:\WINDOWS\System32\svchost.exe[1676] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 02EA0FCA
.text C:\WINDOWS\System32\svchost.exe[1676] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 02EA0FB9
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00790FEF
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00790098
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0079007D
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 0079006C
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790FB9
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0079004A
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00790F6B
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007900B3
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00790F3F
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00790F50
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007900FD
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0079005B
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00790FDE
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00790F88
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790039
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0079001E
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007900CE
.text C:\WINDOWS\System32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780036
.text C:\WINDOWS\System32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780FB6
.text C:\WINDOWS\System32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780025
.text C:\WINDOWS\System32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0078000A
.text C:\WINDOWS\System32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780073
.text C:\WINDOWS\System32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780FEF
.text C:\WINDOWS\System32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00780062
.text C:\WINDOWS\System32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780047
.text C:\WINDOWS\System32\svchost.exe[1724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770067
.text C:\WINDOWS\System32\svchost.exe[1724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770FD2
.text C:\WINDOWS\System32\svchost.exe[1724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0077001D
.text C:\WINDOWS\System32\svchost.exe[1724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00770000
.text C:\WINDOWS\System32\svchost.exe[1724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770038
.text C:\WINDOWS\System32\svchost.exe[1724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FE3
.text C:\WINDOWS\System32\svchost.exe[1724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FE5
.text C:\WINDOWS\System32\svchost.exe[1724] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B60076
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60065
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60054
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60F97
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B60039
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B600A2
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B60091
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B60F1D
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B60F2E
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B60EF8
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60FB2
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B60F66
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B60FCD
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B6001E
.text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B60F3F
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B50051
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B50FD1
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B50036
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B5001B
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B50084
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B50073
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B50062
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B40F94
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B40FAF
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B40FE5
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B4000C
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40FCA
.text C:\WINDOWS\system32\svchost.exe[1784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B4001D
.text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B3000A
.text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00B3001B
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F99
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0084
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0073
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0062
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0040
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F72
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB00BA
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F46
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F57
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB00FA
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0051
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB00A9
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0025
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB000A
.text C:\WINDOWS\System32\svchost.exe[1936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB00D5
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660014
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660F86
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FC3
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FDE
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660039
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660FA1
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\System32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FB2
.text C:\WINDOWS\System32\svchost.exe[1936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650069
.text C:\WINDOWS\System32\svchost.exe[1936] msvcrt.dll!system 77C293C7 5 Bytes JMP 0065004E
.text C:\WINDOWS\System32\svchost.exe[1936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650029
.text C:\WINDOWS\System32\svchost.exe[1936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
.text C:\WINDOWS\System32\svchost.exe[1936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FDE
.text C:\WINDOWS\System32\svchost.exe[1936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FEF
.text C:\WINDOWS\System32\svchost.exe[1936] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00630FEF
.text C:\WINDOWS\System32\svchost.exe[1936] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00630000
.text C:\WINDOWS\System32\svchost.exe[1936] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00630011
.text C:\WINDOWS\System32\svchost.exe[1936] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 0063002C
.text C:\WINDOWS\System32\svchost.exe[1936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640FEF
.text C:\WINDOWS\System32\svchost.exe[1936] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00640FDE
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F5E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260F79
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F8A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260047
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0026002C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0026009F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F4D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002600D2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600C1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002600ED
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260FA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0026006E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260FC0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0026001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002600B0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350F9E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350025
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0035000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350051
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360FAD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360038
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0036001D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FC8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FE3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00CC0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00CC0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00CC0025
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00CC0FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ws2_32.dll!socket 71AB4211 3 Bytes JMP 01370FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ws2_32.dll!socket + 4 71AB4215 1 Byte [8F]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ws2_32.dll!bind 71AB4480 3 Bytes JMP 01370000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2156] ws2_32.dll!bind + 4 71AB4484 1 Byte [8F]
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F66
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F81
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A005B
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0040
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F44
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A008C
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EFD
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F0E
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EEC
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F55
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F29
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FDB
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029007D
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290022
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290011
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029006C
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290051
.text C:\WINDOWS\System32\svchost.exe[2216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E005F
.text C:\WINDOWS\System32\svchost.exe[2216] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FD4
.text C:\WINDOWS\System32\svchost.exe[2216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[2216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[2216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E004E
.text C:\WINDOWS\System32\svchost.exe[2216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E001D
.text C:\WINDOWS\System32\svchost.exe[2216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[2216] WS2_32.dll!bind 71AB4480 5 Bytes JMP 006E001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0026006C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260047
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260025
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260087
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F3F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F02
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F13
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002600B6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260F83
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260F5C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260F9E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260F2E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0035001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0035006C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350051
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00350040
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360044
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0036001D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 01BF0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 01BF0FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 01BF001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 01BF0FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ws2_32.dll!socket 71AB4211 5 Bytes JMP 022A0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ws2_32.dll!bind 71AB4480 5 Bytes JMP 022A0FDB
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0080
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD006F
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0054
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F97
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00AE
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD009D
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F30
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD00C9
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0F1F
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F66
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD002F
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0014
.text C:\WINDOWS\System32\svchost.exe[3924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F4B
.text C:\WINDOWS\System32\svchost.exe[3924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC002C
.text C:\WINDOWS\System32\svchost.exe[3924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0FA5
.text C:\WINDOWS\System32\svchost.exe[3924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC001B
.text C:\WINDOWS\System32\svchost.exe[3924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC000A
.text C:\WINDOWS\System32\svchost.exe[3924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0062
.text C:\WINDOWS\System32\svchost.exe[3924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\System32\svchost.exe[3924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC0051
.text C:\WINDOWS\System32\svchost.exe[3924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\System32\svchost.exe[3924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB002C
.text C:\WINDOWS\System32\svchost.exe[3924] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB001B
.text C:\WINDOWS\System32\svchost.exe[3924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FBC
.text C:\WINDOWS\System32\svchost.exe[3924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[3924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FAB
.text C:\WINDOWS\System32\svchost.exe[3924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FE3
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F83
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0078
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0040
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00B0
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00F7
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00D2
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F39
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A005B
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0093
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0025
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\explorer.exe[3988] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00C1
.text C:\WINDOWS\explorer.exe[3988] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0029002C
.text C:\WINDOWS\explorer.exe[3988] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290062
.text C:\WINDOWS\explorer.exe[3988] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FDB
.text C:\WINDOWS\explorer.exe[3988] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290011
.text C:\WINDOWS\explorer.exe[3988] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FA5
.text C:\WINDOWS\explorer.exe[3988] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\explorer.exe[3988] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029003D
.text C:\WINDOWS\explorer.exe[3988] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB6
.text C:\WINDOWS\explorer.exe[3988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A002C
.text C:\WINDOWS\explorer.exe[3988] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FAB
.text C:\WINDOWS\explorer.exe[3988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A000A
.text C:\WINDOWS\explorer.exe[3988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\explorer.exe[3988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A001B
.text C:\WINDOWS\explorer.exe[3988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FC6
.text C:\WINDOWS\explorer.exe[3988] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[3988] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 002C001B
.text C:\WINDOWS\explorer.exe[3988] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 002C002C
.text C:\WINDOWS\explorer.exe[3988] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 002C0047
.text C:\WINDOWS\explorer.exe[3988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\explorer.exe[3988] WS2_32.dll!bind 71AB4480 5 Bytes JMP 00F80FD4

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [F84B4744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [F84B451E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F84B471A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F84B46A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [F84B4744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F84B4380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [F84B451E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F84B4380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F84B46A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F84B471A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [F84B4744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [F84B451E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [F84B4744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [F84B451E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisIMRegisterLayeredMiniport] [F84B448B] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F84B4380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F84B46A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisMSetAttributesEx] [F84B4744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F84B471A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [F84B4744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [F84B451E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F84B4380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F84B471A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F84B46A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F84B471A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F84B46A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F84B4380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F84B4380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F84B46A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F84B471A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F84B4380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F84B471A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F84B46A7] IPVNMon.sys (IPVNMon/Visual Networks)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Sony\PictureGear Studio\SharedData\Illust\Season\019Hallowe\x0081fen.png 1

---- EOF - GMER 1.0.15 ----




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, October 7, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, October 07, 2009 21:25:45
Records in database: 2930717
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 119450
Threats found: 4
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 06:14:56


File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULyyjnalsmrnqihqfnpepsggbugujdxcma.dll.vir Infected: Trojan.Win32.Agent.cvkv 1
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP556\A0059067.sys Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP556\A0059068.dll Infected: Trojan-Downloader.Win32.Agent.clvx 1
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP556\A0059069.dll Infected: Trojan.Win32.Agent.cvkv 1
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP556\A0059070.sys Infected: Packed.Win32.TDSS.z 1

Selected area has been scanned.

#8 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,150 posts

Posted 08 October 2009 - 12:23 AM

Snacker,

That makes perfect sense. You are right. I was confused. :wacko:

Everything found has already been dealt with, so... Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U; it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:

Tomk
------------------------------------------------------------




Topics are closed after 5 days without response
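The helper's verdict above rests on where each of the six Kaspersky hits lives: one is a riskware flag on a legitimate IRC client, one sits in ComboFix's quarantine folder, and four are copies inside a System Restore snapshot, which is exactly why the cleanup step resets System Restore. The script below is an added example, not part of this thread or of any tool it mentions; it parses the scanner's "File name / Threat / Threats count" lines and sorts each finding into those buckets so the same judgement can be made mechanically. The only quarantine path it knows is ComboFix's (an assumption; other tools use other folders), and the sample input is the six result lines copied from the report above.

```python
"""Classify Kaspersky Online Scanner findings by where the flagged file lives.

Added example (not from the forum thread or any tool it mentions). Each
result line is sorted into one of three buckets:

  quarantine    - inside a removal tool's quarantine folder; already neutralised
  restore_point - inside a System Restore snapshot; purged when restore is reset
  live          - anywhere else, i.e. a file that could still be executed

Kaspersky prefixes riskware (legitimate but potentially unwanted tools) with
"not-a-virus:", so such hits are reported separately from real malware.
"""
import re
from collections import defaultdict

# One report line: <path> Infected|Suspicious: <threat name> <count>.
# The path may contain spaces, so it is matched non-greedily up to the verdict.
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# Assumption: only ComboFix's quarantine folder is listed; extend for other tools.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

# System Restore snapshots live under System Volume Information\_restore{GUID}\RPnnn\.
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\", re.IGNORECASE)


def classify_path(path: str) -> str:
    """Return 'quarantine', 'restore_point' or 'live' for a scanner-reported path."""
    lowered = path.lower()
    if lowered.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if RESTORE_RE.search(path):
        return "restore_point"
    return "live"


def parse_findings(report: str) -> list:
    """Extract every result line from a report; headers and footers are skipped."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue  # "File name / Threat / Threats count", blank lines, footer
        threat = m.group("threat")
        findings.append({
            "path": m.group("path"),
            "verdict": m.group("verdict"),
            "threat": threat,
            "count": int(m.group("count")),
            "location": classify_path(m.group("path")),
            "riskware": threat.startswith("not-a-virus:"),
        })
    return findings


def summarize(report: str) -> dict:
    """Count findings per location and list live, non-riskware hits that still need action."""
    findings = parse_findings(report)
    by_location = defaultdict(int)
    for f in findings:
        by_location[f["location"]] += 1
    needs_action = [f["path"] for f in findings if f["location"] == "live" and not f["riskware"]]
    return {"total": len(findings), "by_location": dict(by_location), "needs_action": needs_action}


# Sample input: the six result lines quoted from the Kaspersky report above.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULyyjnalsmrnqihqfnpepsggbugujdxcma.dll.vir Infected: Trojan.Win32.Agent.cvkv 1
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP556\A0059067.sys Infected: Packed.Win32.TDSS.z 1
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP556\A0059068.dll Infected: Trojan-Downloader.Win32.Agent.clvx 1
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP556\A0059069.dll Infected: Trojan.Win32.Agent.cvkv 1
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP556\A0059070.sys Infected: Packed.Win32.TDSS.z 1

Selected area has been scanned.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

On the report above this yields six findings: four in the restore point, one in quarantine, one live riskware hit (mirc.exe), and an empty needs_action list, which is the "log looks good" conclusion. A live entry without the not-a-virus prefix is the case that would still call for removal work.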


#9 Snacker

Snacker

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 08 October 2009 - 01:07 AM

Yep. All stuff that I more or less knew or already did. Like I said, it was a moment of utter stupid that caused this in the first place. I did a quick check for the problems that I was having, and they seem to be gone now. Thank you for all of your help.

#10 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,150 posts

Posted 08 October 2009 - 07:39 AM

Snacker, You are very welcome. Good Luck and Be Well. :thumbup:

Tomk
------------------------------------------------------------



#11 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,150 posts

Posted 08 October 2009 - 07:39 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Tomk
------------------------------------------------------------

