
leran's HJT log


27 replies to this topic

#1 leran

leran

  • Members
  • 53 posts

Posted 08 August 2007 - 09:22 AM

Mod Edit: This log was split, from this thread:
Ntkrnl


this is the hijack?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:29:39, on 08.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\PowerISO\PWRISOVM.EXE
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Ventrilo mix\Ventrilo 2.1.4.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Programfiler\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programfiler\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: printers - {D489C2BA-8C4C-466C-930D-3CE9B529F810} - libmsns.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5044 bytes

Edited by leran, 08 August 2007 - 11:30 AM.

Games:Games:Games|and ofc MORE games.
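The HijackThis log above is the kind of output a helper triages by hand: every `R`/`O` line names a registry loading point and the file it launches. The following is an added example, not code from the thread or from Trend Micro, that parses those lines and flags the ones a reviewer would look at first: entries whose file is absent (`(no file)`, `(file missing)`), O20/O21 logon hooks, O4 Run entries that launch a bare file name rather than a full path, and O23 services with no recorded publisher. The sample lines are copied from the log in this post; the flagging rules are the example's own assumptions, not HijackThis's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis entries quoted in the post above.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: printers - {D489C2BA-8C4C-466C-930D-3CE9B529F810} - libmsns.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry starts with a section code: R0-R3 or O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Sections whose DLLs are loaded at logon by winlogon/explorer (assumed review
# priority for this example: anything here that is not known software gets a look).
LOGON_HOOK_SECTIONS = {"O20": "Winlogon Notify DLL", "O21": "ShellServiceObjectDelayLoad"}


@dataclass
class Finding:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def _o4_target(body: str) -> str:
    """Return the executable an O4 '[name] command' entry launches ('' otherwise)."""
    if "] " not in body:
        return ""  # e.g. 'Global Startup: ... .lnk = ...' entries
    after = body.split("] ", 1)[1].strip()
    if after.startswith('"'):
        return after[1:].split('"', 1)[0]  # quoted path, may contain spaces
    return after.split(" ", 1)[0]  # first token, arguments dropped


def triage_entry(line: str):
    """Return a Finding for one log line, or None if the line needs no attention."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    f = Finding(m["section"], m["body"])
    if "(no file)" in f.body or "(file missing)" in f.body:
        f.reasons.append("registered component whose file is absent")
    if f.section in LOGON_HOOK_SECTIONS:
        f.reasons.append(f"{LOGON_HOOK_SECTIONS[f.section]} entry, loaded at logon")
    if f.section == "O4":
        target = _o4_target(f.body)
        if target and "\\" not in target:
            f.reasons.append(f"bare file name {target!r}, resolved via the search path")
    if f.section == "O23" and "Unknown owner" in f.body:
        f.reasons.append("service with no recorded publisher")
    return f if f.reasons else None


def triage_log(text: str):
    """All flagged entries of a HijackThis log, in log order."""
    return [f for f in map(triage_entry, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_HJT_LOG):
        print(f"{finding.section:<4} {finding.body}")
        for reason in finding.reasons:
            print(f"      -> {reason}")
```

Run on the sample, the script lists six entries; the O21 `libmsns.dll` line is the only one hit by two rules (a logon hook whose file is missing), which matches the reviewer's priority in the thread. Nothing here decides what is malicious: the output is a shortlist for the human doing the review.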


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,583 posts

Posted 13 August 2007 - 10:21 PM

Hi leran, sorry for the delay, the forums are really swamped with people needing help.

You're infected with one or more bot trojans, that are backdoors, which means someone else has complete access to your computer and can do with it what they want. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS, even though we can fix most of what is there. We can't guarantee we will find all of it or repair all the damage. Please read the following for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

At the very least you should change your passwords to any banking sites or other financial institutions, including PayPal accounts, Ebay, etc. Even if you just use this PC for gaming, there is value in that login data so you should change those passwords as well from a known clean computer.

I'm going to run you through some fixes that will begin the process of removing what we can, but if you decide to reformat, the sooner you do that the better. Just let me know your decision.

Print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

Please download Combofix to your desktop.

Doubleclick ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply along with a new HijackThis log.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 leran

leran
  • Topic Starter

  • Members
  • 53 posts

Posted 14 August 2007 - 06:23 AM

My next reply with the log and the hijack log.


Sdfix log below:


SDFix: Version 1.98

Run by Aleksander on 14.08.2007 at 13:37

Microsoft Windows XP [Versjon 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service asc3550u - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ILSA.DLL - Deleted
C:\144573~1 - Deleted
C:\Documents and Settings\Aleksander\aria.txt - Deleted
C:\WINDOWS\svchost.DLL - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programfiler\\Messenger\\msmsgs.exe"="C:\\Programfiler\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"E:\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe"="E:\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe"="E:\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enGB-downloader.exe"="E:\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enGB-downloader.exe"="E:\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\Utorrent\\utorrent.exe"="E:\\Utorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Documents and Settings\\Aleksander\\Skrivebord\\WoW-2.0.6.6337-to-0.0.7.6373-enGB-downloader.exe"="C:\\Documents and Settings\\Aleksander\\Skrivebord\\WoW-2.0.6.6337-to-0.0.7.6373-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Aleksander\\Skrivebord\\WoW-2.0.6.6337-to-0.0.7.6373-enGB-downloader(2).exe"="C:\\Documents and Settings\\Aleksander\\Skrivebord\\WoW-2.0.6.6337-to-0.0.7.6373-enGB-downloader(2).exe:*:Enabled:Blizzard Downloader"
"E:\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enGB-downloader.exe"="E:\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enGB-downloader.exe"="E:\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enGB-downloader.exe"="E:\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Aleksander\\Skrivebord\\WowExpansionMaster_1024_2100_B_English-avi-downloader.exe"="C:\\Documents and Settings\\Aleksander\\Skrivebord\\WowExpansionMaster_1024_2100_B_English-avi-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe"="E:\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"E:\\Warcraft III\\Frozen Throne.exe"="E:\\Warcraft III\\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne"
"E:\\World of Warcraft\\BackgroundDownloader.exe"="E:\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"E:\\Dawn of War\\DarkCrusade.exe"="E:\\Dawn of War\\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\\Programfiler\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"="C:\\Programfiler\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\\Programfiler\\Hamachi\\hamachi.exe"="C:\\Programfiler\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"E:\\Final Fantasy\\SquareEnix\\PlayOnlineViewer\\pol.exe"="E:\\Final Fantasy\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"
"C:\\Programfiler\\McAfee\\MWL\\MwlSvc.exe"="C:\\Programfiler\\McAfee\\MWL\\MwlSvc.exe:*:Enabled:McAfee Wireless Network Security"
"C:\\Programfiler\\Fellesfiler\\McAfee\\MNA\\McNASvc.exe"="C:\\Programfiler\\Fellesfiler\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Microsoft\Messenger\se_1_kuer@hotmail.com\Sharing Folders\3xub3rl0lz0rz2k54tw1337@machomann.com\Thumbs.db
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Microsoft\Messenger\se_1_kuer@hotmail.com\Sharing Folders\stine_sf89@hotmail.com\Thumbs.db
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Finished




Hijack log below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:45:32, on 14.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\programfiler\fellesfiler\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\FELLES~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\FELLES~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Programfiler\McAfee\MPF\MPFSrv.exe
C:\Programfiler\McAfee\MSK\MskSrver.exe
C:\Programfiler\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Programfiler\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\PowerISO\PWRISOVM.EXE
C:\Programfiler\McAfee\MSK\MskAgent.exe
C:\Programfiler\Mcafee\MWL\MWLGui.exe
C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
C:\Programfiler\McAfee\MBK\McAfeeDataBackup.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programfiler\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\programfiler\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Microsoft Office Helper - {8B4190F8-4828-387B-4164-2487A188A878} - C:\WINDOWS\system\wfcctd32.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programfiler\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Programfiler\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [MskAgentexe] C:\Programfiler\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Programfiler\Mcafee\MWL\MWLGui.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Programfiler\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Programfiler\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programfiler\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\FELLES~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Programfiler\Fellesfiler\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\programfiler\fellesfiler\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FELLES~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\FELLES~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Programfiler\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Programfiler\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Programfiler\Mcafee\MWL\MwlSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8546 bytes

Okay, so now I will wait before I run ComboFix, so you can see this first, or should I just get on with it?

Edited by leran, 14 August 2007 - 06:48 AM.

Games:Games:Games|and ofc MORE games.
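The SDFix report above ends with an export of the Windows XP firewall's AuthorizedApplications list, the set of programs allowed to accept inbound connections. Papakid's concern in this thread is a backdoor, and a firewall exception is exactly what such a program needs, so a reviewer reads that list. The following is an added example, not code from SDFix or from the thread, that parses the `.reg`-style export into (profile, path, scope, state, name) records and lists the enabled entries that live outside the standard install locations. The sample lines are copied from the report above; the list of "standard" roots (including the Norwegian `Programfiler`) and the `%windir%` value are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines from the "Authorized Application Key Export" quoted
# above, in the .reg escaping SDFix uses (backslashes doubled).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\Messenger\\msmsgs.exe"="C:\\Programfiler\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"E:\\Utorrent\\utorrent.exe"="E:\\Utorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Documents and Settings\\Aleksander\\Skrivebord\\WoW-2.0.6.6337-to-0.0.7.6373-enGB-downloader.exe"="C:\\Documents and Settings\\Aleksander\\Skrivebord\\WoW-2.0.6.6337-to-0.0.7.6373-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Programfiler\\Hamachi\\hamachi.exe"="C:\\Programfiler\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"""

# A value line is "<path>"="<path>:<scope>:<state>:<display name>".
VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>.*)"$')

# Assumed for this example: where a standard install puts executables. Enabled
# rules pointing elsewhere (other drives, user profiles, the desktop) are
# listed for review; being listed does not mean the rule is malicious.
INSTALL_ROOTS = ("c:\\windows\\", "c:\\programfiler\\", "c:\\program files\\")


@dataclass
class FirewallRule:
    profile: str   # standardprofile or domainprofile
    path: str      # unescaped executable path
    scope: str     # '*' means any remote address
    state: str     # 'enabled' / 'disabled', normalised to lower case
    name: str      # display name shown in the firewall UI


def _unescape(s: str) -> str:
    """Undo .reg escaping of backslashes."""
    return s.replace("\\\\", "\\")


def parse_export(text: str):
    """Parse an AuthorizedApplications export into FirewallRule records."""
    rules, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # ...\firewallpolicy\<profile>\authorizedapplications\list
            profile = line[1:-1].rsplit("\\", 3)[-3]
            continue
        m = VALUE_RE.match(line)
        if not m or not m["val"].startswith(m["key"]):
            continue  # not a rule line, or value does not repeat the key path
        rest = m["val"][len(m["key"]):]       # ':*:Enabled:Display Name'
        _, scope, state, name = rest.split(":", 3)
        rules.append(FirewallRule(profile, _unescape(m["key"]), scope, state.lower(), name))
    return rules


def review(rules, windir: str = "C:\\WINDOWS"):
    """Enabled rules whose executable sits outside the assumed install roots."""
    flagged = []
    for r in rules:
        if r.state != "enabled":
            continue
        path = r.path.replace("%windir%", windir).lower()
        if not path.startswith(INSTALL_ROOTS):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(f"{len(parsed)} rules parsed")
    for r in review(parsed):
        print(f"[{r.profile}] {r.name!r} <- {r.path} (scope {r.scope})")
```

On the sample this reports the uTorrent rule on `E:` and the game downloader on the user's desktop; both are plausible user installs, which is the point: the list narrows what a reviewer has to confirm against the owner's recollection, and an entry the owner does not recognise in that output is the one to investigate.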

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,583 posts

Posted 14 August 2007 - 08:05 AM

Please continue by running ComboFix and posting its log. :thumbsup:

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#5 leran

leran
  • Topic Starter

  • Members
  • 53 posts

Posted 14 August 2007 - 08:38 AM

Combofix log and hijack log. I did not run combofix in safe mode :S forgot that part :S should I do it in safe mode or not? If so I can delete the combo log and then do it in safe mode and post the new log.


Combofix log below:


ComboFix 07-08-14.4 - "Aleksander" 2007-08-14 15:33:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.639 [GMT 2:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\images00.zip
C:\WINDOWS\images03.zip
C:\WINDOWS\images033.zip
C:\WINDOWS\images036.zip
C:\WINDOWS\images051.zip
C:\WINDOWS\images057.zip
C:\WINDOWS\images060.zip
C:\WINDOWS\images063.zip
C:\WINDOWS\images072.zip
C:\WINDOWS\images084.zip
C:\WINDOWS\images090.zip
C:\WINDOWS\smsys.dat


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U


((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))


2007-08-14 15:31 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 15:02 <DIR> d-------- C:\DOCUME~1\LOCALS~1\PROGRA~1\SiteAdvisor
2007-08-14 13:46 0 --a------ C:\WINDOWS\system32\ilsa.dll
2007-08-14 13:29 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-13 16:10 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Siste
2007-08-13 15:56 <DIR> dr-h----- C:\DOCUME~1\ALEKSA~1\Siste
2007-08-13 15:31 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-13 14:56 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\.housecall6.6
2007-08-13 14:49 86,880 --a------ C:\WINDOWS\system32\drivers\WscNetDr.sys
2007-08-13 14:49 <DIR> d-------- C:\Programfiler\SiteAdvisor
2007-08-13 14:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SiteAdvisor
2007-08-13 14:49 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\SiteAdvisor
2007-08-13 14:48 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-08-13 14:48 35,048 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-08-13 14:48 34,120 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-08-13 14:48 31,944 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-08-13 14:48 168,392 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-08-13 14:48 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-08-13 14:48 100,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-08-13 14:48 <DIR> d-------- C:\Programfiler\McAfee.com
2007-08-13 14:48 <DIR> d-------- C:\Programfiler\McAfee
2007-08-13 14:48 <DIR> d-------- C:\Programfiler\Fellesfiler\McAfee
2007-08-12 23:56 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-08-10 17:59 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-10 17:59 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Programdata
2007-08-10 17:59 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Start-meny
2007-08-10 17:59 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Skrivere
2007-08-10 17:59 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Maler
2007-08-10 17:59 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Lokale innstillinger
2007-08-10 17:59 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\AndrMask
2007-08-10 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Skrivebord
2007-08-10 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Mine dokumenter
2007-08-10 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Favoritter
2007-08-10 03:39 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\McAfee
2007-08-10 03:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\McAfee.com
2007-08-08 22:27 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Skrivebord
2007-08-08 22:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\McAfee
2007-08-08 22:12 11,264 --a------ C:\WINDOWS\system\wfcctd32.dll
2007-08-08 20:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-08 16:18 <DIR> d-------- C:\Programfiler\Trend Micro
2007-08-08 14:51 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2007-08-08 14:51 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-08-08 14:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com
2007-08-08 14:51 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\SUPERAntiSpyware.com
2007-08-08 04:57 <DIR> d-------- C:\Programfiler\Microsoft Windows OneCare Live
2007-08-08 02:34 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\Media Player Classic
2007-08-08 02:33 86,016 --a------ C:\WINDOWS\system32\dpl100.dll
2007-08-08 02:33 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-08 02:33 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-08-08 02:33 6,144 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-08 02:33 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-08-08 02:33 574,976 --a------ C:\WINDOWS\system32\divx.dll
2007-08-08 02:33 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-08-08 02:33 457,234 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-08-08 02:33 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll
2007-08-08 02:33 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-08-08 02:33 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-08-08 02:33 339,968 --a------ C:\WINDOWS\system32\dpus11.dll
2007-08-08 02:33 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-08 02:33 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-08-08 02:33 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-08-08 02:33 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-08-08 02:33 200,704 --a------ C:\WINDOWS\system32\dtu100.dll
2007-08-08 02:33 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-08-08 02:33 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-08 02:33 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-08-08 02:33 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2007-08-08 02:33 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-08-08 02:33 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-08-08 02:33 <DIR> d-------- C:\Programfiler\K-Lite Codec Pack
2007-08-08 02:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Real
2007-08-08 02:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple Computer
2007-08-08 02:33 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\Real
2007-08-04 21:49 <DIR> d-------- C:\Programfiler\OpenTTD
2007-08-04 21:44 304,128 --a------ C:\WINDOWS\IsUninst.exe
2007-08-04 21:43 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\WINDOWS
2007-08-04 21:40 <DIR> d-------- C:\Programfiler\Final Fantasy VII
2007-07-20 01:10 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-20 01:10 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-20 01:10 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-07-20 01:04 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-07-20 01:04 26,137 --a------ C:\WINDOWS\DIIUnin.dat
2007-07-20 01:04 2,829 --a------ C:\WINDOWS\DIIUnin.pif


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 23:57 --------- d-------- C:\Programfiler\AlienGUIse
2007-08-12 16:30 --------- d--h----- C:\Programfiler\InstallShield Installation Information
2007-08-10 16:57 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-10 03:12 --------- d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\uTorrent
2007-07-17 19:17 --------- d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\teamspeak2
2007-05-16 17:19 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:19 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:19 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:19 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:19 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:19 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B4190F8-4828-387B-4164-2487A188A878}]
2007-08-08 22:12 11264 --a------ C:\WINDOWS\system\wfcctd32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-11 12:36 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2006-11-17 17:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-11-17 17:29 C:\WINDOWS\system32\nvmctray.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-17 17:29]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-08-14 12:51]
"Easy SpyRemover"="C:\Programfiler\Easy SpyRemover\EasySpyRemover.exe" []
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"PWRISOVM.EXE"="C:\Programfiler\PowerISO\PWRISOVM.EXE" [2007-04-09 14:23]
"McRegWiz"="C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" []
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2006-11-02 03:03]
"MskAgentexe"="C:\Programfiler\McAfee\MSK\MskAgent.exe" [2006-11-03 09:31]
"MWLExe"="C:\Programfiler\Mcafee\MWL\MWLGui.exe" [2006-11-14 19:55]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"McAfee Backup"="C:\Programfiler\McAfee\MBK\McAfeeDataBackup.exe" [2006-11-09 20:34]
"MBkLogOnHook"="C:\Programfiler\McAfee\MBK\LogOnHook.exe" [2006-11-01 10:35]
"SiteAdvisor"="C:\Programfiler\SiteAdvisor\6066\SiteAdv.exe" [2006-10-02 21:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"Creative WebCam Tray"="C:\Programfiler\Creative\Shared Files\CamTray.exe" []

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys


Contents of the 'Scheduled Tasks' folder
2007-08-13 12:50:02 C:\WINDOWS\Tasks\McDefragTask.job - c:\programfiler\mcafee\mqc\QcConsol.exe
2007-08-13 12:50:01 C:\WINDOWS\Tasks\McQcTask.job - c:\programfiler\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 15:35:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 15:36:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-14 15:36

--- E O F ---



Hijack log below:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:39, on 14.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\PowerISO\PWRISOVM.EXE
C:\Programfiler\McAfee\MSK\MskAgent.exe
C:\Programfiler\Mcafee\MWL\MWLGui.exe
C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe
C:\Programfiler\McAfee\MBK\McAfeeDataBackup.exe
C:\Programfiler\SiteAdvisor\6066\SiteAdv.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\programfiler\fellesfiler\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\FELLES~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\FELLES~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Programfiler\McAfee\MPF\MPFSrv.exe
C:\Programfiler\McAfee\MSK\MskSrver.exe
C:\Programfiler\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Programfiler\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programfiler\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\programfiler\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Microsoft Office Helper - {8B4190F8-4828-387B-4164-2487A188A878} - C:\WINDOWS\system\wfcctd32.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programfiler\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Programfiler\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programfiler\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [MskAgentexe] C:\Programfiler\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MWLExe] C:\Programfiler\Mcafee\MWL\MWLGui.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Programfiler\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Programfiler\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programfiler\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programfiler\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\FELLES~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Programfiler\Fellesfiler\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\programfiler\fellesfiler\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FELLES~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\FELLES~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Programfiler\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Programfiler\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Programfiler\Mcafee\MWL\MwlSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Programfiler\SiteAdvisor\6066\SAService.exe

--
End of file - 8735 bytes

Edited by leran, 14 August 2007 - 08:42 AM.

Games:Games:Games|and ofc MORE games.

#6 Papakid

  • Guru at being a Newbie
  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 14 August 2007 - 12:14 PM

I did not run ComboFix in safe mode :S forgot that part :S should I do it in safe mode or not? If so I can delete the combo log and then do it in safe mode and post the new log.

No, ComboFix doesn't have to be run in Safe Mode, and I didn't ask you to do that, just SDFix, and you've already done that. I can see where you might have misunderstood, but no big deal, just please only do as I instruct and in order.

Also, please do not edit your posts--your Post #3 is completely different from what you posted originally. It's OK to make a new post rather than change what you've already posted, and it will avoid confusion. I'm not nearly as young and quick as you are.

You've made good progress though, most of it has been deactivated. There is still more to do, but some things have come up and I need for you to have a little more patience with me so I can get this right--should be a little later today, your time.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#7 leran

  • Topic Starter
  • Members
  • 53 posts

Posted 14 August 2007 - 02:05 PM

Okay, I can wait ofc :D. But just now I got that error message again and it will shut down my computer. This is getting on my nerves!

But thank you for helping me :thumbsup:
Games:Games:Games|and ofc MORE games.

#8 Papakid

  • Guru at being a Newbie
  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 14 August 2007 - 08:24 PM

OK, do this.

1. Click Start, then Run and type Notepad and click OK.

2. Now copy/paste the entire contents of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=103322&view=findpost&p=593542

Collect::[27]
C:\WINDOWS\system32\ilsa.dll
C:\WINDOWS\system\wfcctd32.dll

DirLook::
C:\DOCUME~1\ADMINI~1\Siste
C:\DOCUME~1\ALEKSA~1\Siste

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B4190F8-4828-387B-4164-2487A188A878}]

3. Name the Notepad file CFScript.txt and Save it to your desktop.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. ComboFix will generate the following files on your desktop:
-A zipped file on your desktop called Submit [Date Time].zip
-And another file named CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

9. Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window:
-Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
-Click on the file to Select it.
-Submit the file by clicking "OK"
10. Once the file has been submitted, you may DELETE both files on your desktop.

Please perform this online scan: Kaspersky Webscan
Note that you need to run this scan with Internet Explorer for it to work correctly.

1. Read the Requirements and Privacy statement, then select "Accept".
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow".
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say Ready; click "Next".
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK".
7. Select a target to scan: click on "My Computer" and the scan will begin.
8. When the scan is complete, save the results by clicking "Save Report As HTML". Give the report a name and save it to your desktop. If you have any problem saving the report, copy its text to the clipboard, then paste it into an empty Notepad and save it to your desktop.
9. Post the Kaspersky scan results in your next reply.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post back the ComboFix and Kaspersky logs along with a new HijackThis log and let me know how the computer is running now.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
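The triage behind that CFScript, as an added example that is not the thread's, ComboFix's or BleepingComputer's own tooling: the script below reads HijackThis O2 lines copied from the log posted above, flags the BHO registered with no backing file and the one loading from the legacy C:\WINDOWS\system folder, and writes out the Collect:: and Registry:: directives in the form used in the post. Which folders count as odd is an assumption of this example; the thread itself states no such rule.

```python
"""Triage of HijackThis O2 (BHO) lines into ComboFix CFScript directives.

Added example, not tooling from the thread or from BleepingComputer. The
sample log lines are copied from the HijackThis log posted above; the list
of directories treated as odd is an assumption of this example.
"""
import ntpath
import re

# Constructed sample: O2/O3/R3 lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Microsoft Office Helper - {8B4190F8-4828-387B-4164-2487A188A878} - C:\WINDOWS\system\wfcctd32.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programfiler\SiteAdvisor\6066\SiteAdv.dll
"""

# HijackThis O2 format: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)

# Assumption of this example: folders where a genuine BHO is not expected on
# Windows XP. %WINDIR%\system is the legacy 16-bit folder (real add-ons use
# system32 or Program Files); %WINDIR%\Temp is a classic drop location.
ODD_DIRS = {"c:\\windows\\system", "c:\\windows\\temp"}

# The registry key ComboFix removes a BHO under, in the abbreviated form the
# thread's CFScript and ComboFix's own "Reg Loading Points" section use.
BHO_KEY = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\"


def parse_bho(log_text):
    """Return one dict per O2 line: name, CLSID and the registered target."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Label an O2 entry, or return None when nothing stands out.

    'orphan'       - the CLSID is registered but the DLL is gone; harmless but
                     worth cleaning up.
    'odd-location' - the DLL lives in a folder no legitimate BHO should use.
    """
    target = entry["target"]
    if target == "(no file)":
        return "orphan"
    if ntpath.dirname(target).lower() in ODD_DIRS:
        return "odd-location"
    return None


def triage(log_text):
    """Parse a log and keep only the entries that got a label."""
    flagged = []
    for entry in parse_bho(log_text):
        reason = classify(entry)
        if reason:
            flagged.append(dict(entry, reason=reason))
    return flagged


def build_cfscript(findings):
    """Emit CFScript text: Collect:: for files to submit, Registry:: for the
    BHO keys to delete. Returns '' when there is nothing to act on.

    The thread's script writes 'Collect::[27]'; the bracketed number is the
    helper's submission id and is left out here.
    """
    if not findings:
        return ""
    lines = []
    files = [f["target"] for f in findings if f["reason"] != "orphan"]
    if files:
        lines.append("Collect::")
        lines.extend(files)
        lines.append("")
    lines.append("Registry::")
    for f in findings:
        lines.append("[-%s%s]" % (BHO_KEY, f["clsid"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print("%-13s %s -> %s" % (f["reason"], f["clsid"], f["target"]))
    print()
    print(build_cfscript(triage(HJT_SAMPLE)))
```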


#9 leran

  • Topic Starter
  • Members
  • 53 posts

Posted 15 August 2007 - 05:02 AM

8. Next, a window will popup prompting you to "Submit Files for further analysis". Click "OK"

9. Your system's browser will automatically respond by loading the CF-Submit.htm file and open a window:
-Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
-Click on the file to Select it.
-Submit the file by clicking "OK"
10. Once the file has been submitted, you may DELETE both files on your desktop.


Not sure I understand that. I did the ComboFix and got two files on my desktop, I got this window popping up, I pressed okay, now I see input a browser, I find the C:\DOCUME~1\ALEKSA~1\SKRIVE~1.\[27]-Submit_2007-08-15_115137,84.zip and put it on this window. Now shall I send this or just input it on the window?
Games:Games:Games|and ofc MORE games.

#10 leran

  • Topic Starter
  • Members
  • 53 posts

Posted 15 August 2007 - 06:16 AM

Logs from combofix and virus scan:

Combofix below:



ComboFix 07-08-14.4 - "Aleksander" 2007-08-15 11:51:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.611 [GMT 2:00]
Command switches used :: C:\Documents and Settings\Aleksander\Skrivebord\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system\wfcctd32.dll
C:\WINDOWS\system32\ilsa.dll


((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))


2007-08-14 15:31 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 15:02 <DIR> d-------- C:\DOCUME~1\LOCALS~1\PROGRA~1\SiteAdvisor
2007-08-14 13:29 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-13 16:10 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Siste
2007-08-13 15:56 <DIR> dr-h----- C:\DOCUME~1\ALEKSA~1\Siste
2007-08-13 15:31 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-13 14:56 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\.housecall6.6
2007-08-13 14:49 86,880 --a------ C:\WINDOWS\system32\drivers\WscNetDr.sys
2007-08-13 14:49 <DIR> d-------- C:\Programfiler\SiteAdvisor
2007-08-13 14:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SiteAdvisor
2007-08-13 14:49 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\SiteAdvisor
2007-08-13 14:48 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-08-13 14:48 35,048 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-08-13 14:48 34,120 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-08-13 14:48 31,944 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-08-13 14:48 168,392 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-08-13 14:48 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-08-13 14:48 100,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-08-13 14:48 <DIR> d-------- C:\Programfiler\McAfee.com
2007-08-13 14:48 <DIR> d-------- C:\Programfiler\McAfee
2007-08-13 14:48 <DIR> d-------- C:\Programfiler\Fellesfiler\McAfee
2007-08-12 23:56 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-08-10 17:59 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-10 17:59 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Programdata
2007-08-10 17:59 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Start-meny
2007-08-10 17:59 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Skrivere
2007-08-10 17:59 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Maler
2007-08-10 17:59 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Lokale innstillinger
2007-08-10 17:59 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\AndrMask
2007-08-10 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Skrivebord
2007-08-10 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Mine dokumenter
2007-08-10 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Favoritter
2007-08-10 03:39 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\McAfee
2007-08-10 03:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\McAfee.com
2007-08-08 22:27 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Skrivebord
2007-08-08 22:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\McAfee
2007-08-08 20:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-08 16:18 <DIR> d-------- C:\Programfiler\Trend Micro
2007-08-08 14:51 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2007-08-08 14:51 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-08-08 14:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com
2007-08-08 14:51 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\SUPERAntiSpyware.com
2007-08-08 04:57 <DIR> d-------- C:\Programfiler\Microsoft Windows OneCare Live
2007-08-08 02:34 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\Media Player Classic
2007-08-08 02:33 86,016 --a------ C:\WINDOWS\system32\dpl100.dll
2007-08-08 02:33 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-08 02:33 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-08-08 02:33 6,144 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-08 02:33 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-08-08 02:33 574,976 --a------ C:\WINDOWS\system32\divx.dll
2007-08-08 02:33 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-08-08 02:33 457,234 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-08-08 02:33 446,464 --a------ C:\WINDOWS\system32\vp31vfw.dll
2007-08-08 02:33 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-08-08 02:33 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-08-08 02:33 339,968 --a------ C:\WINDOWS\system32\dpus11.dll
2007-08-08 02:33 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-08 02:33 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-08-08 02:33 286,720 --a------ C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-08-08 02:33 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-08-08 02:33 200,704 --a------ C:\WINDOWS\system32\dtu100.dll
2007-08-08 02:33 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-08-08 02:33 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-08 02:33 157,696 --a------ C:\WINDOWS\system32\unrar.dll
2007-08-08 02:33 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2007-08-08 02:33 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-08-08 02:33 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-08-08 02:33 <DIR> d-------- C:\Programfiler\K-Lite Codec Pack
2007-08-08 02:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Real
2007-08-08 02:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Apple Computer
2007-08-08 02:33 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\Real
2007-08-04 21:49 <DIR> d-------- C:\Programfiler\OpenTTD
2007-08-04 21:44 304,128 --a------ C:\WINDOWS\IsUninst.exe
2007-08-04 21:43 <DIR> d-------- C:\DOCUME~1\ALEKSA~1\WINDOWS
2007-08-04 21:40 <DIR> d-------- C:\Programfiler\Final Fantasy VII
2007-07-20 01:10 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-07-20 01:10 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-07-20 01:10 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-07-20 01:04 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-07-20 01:04 26,137 --a------ C:\WINDOWS\DIIUnin.dat
2007-07-20 01:04 2,829 --a------ C:\WINDOWS\DIIUnin.pif


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 20:43 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-12 23:57 --------- d-------- C:\Programfiler\AlienGUIse
2007-08-12 16:30 --------- d--h----- C:\Programfiler\InstallShield Installation Information
2007-08-10 03:12 --------- d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\uTorrent
2007-07-17 19:17 --------- d-------- C:\DOCUME~1\ALEKSA~1\PROGRA~1\teamspeak2
2007-05-16 17:19 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:19 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:19 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:19 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:19 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:19 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\DOCUME~1\ADMINI~1\Siste ----

2007-08-13 16:10 150 --ahs---- C:\DOCUME~1\ADMINI~1\Siste\Desktop.ini

---- Directory of C:\DOCUME~1\ALEKSA~1\Siste ----

2007-08-15 11:50 417 --a------ C:\DOCUME~1\ALEKSA~1\Siste\CFScript.lnk
2007-08-14 22:54 687 --a------ C:\DOCUME~1\ALEKSA~1\Siste\Eragon[2006]DvDrip[Eng]-aXXo (2).lnk
2007-08-14 22:54 1092 --a------ C:\DOCUME~1\ALEKSA~1\Siste\Eragon[2006]DvDrip[Eng]-aXXo.lnk
2007-08-14 16:21 639 --a------ C:\DOCUME~1\ALEKSA~1\Siste\help.lnk
2007-08-14 16:21 474 --a------ C:\DOCUME~1\ALEKSA~1\Siste\Aleksander.lnk
2007-08-13 16:23 915 --a------ C:\DOCUME~1\ALEKSA~1\Siste\DSC00175.lnk
2007-08-13 16:23 915 --a------ C:\DOCUME~1\ALEKSA~1\Siste\DSC00158.lnk
2007-08-13 16:22 915 --a------ C:\DOCUME~1\ALEKSA~1\Siste\DSC00162.lnk
2007-08-13 16:22 915 --a------ C:\DOCUME~1\ALEKSA~1\Siste\DSC00161.lnk
2007-08-13 16:22 915 --a------ C:\DOCUME~1\ALEKSA~1\Siste\DSC00160.lnk
2007-08-13 16:22 915 --a------ C:\DOCUME~1\ALEKSA~1\Siste\DSC00159.lnk
2007-08-13 16:22 802 --a------ C:\DOCUME~1\ALEKSA~1\Siste\virus scan.lnk
2007-08-13 16:22 792 --a------ C:\DOCUME~1\ALEKSA~1\Siste\maleware.lnk
2007-08-13 16:22 547 --a------ C:\DOCUME~1\ALEKSA~1\Siste\Mine bilder.lnk
2007-08-13 16:21 822 --a------ C:\DOCUME~1\ALEKSA~1\Siste\Virus removed..lnk
2007-08-13 16:21 797 --a------ C:\DOCUME~1\ALEKSA~1\Siste\Uten navn.lnk
2007-08-13 16:21 756 --a------ C:\DOCUME~1\ALEKSA~1\Siste\fs.lnk
2007-08-13 15:56 150 --ahs---- C:\DOCUME~1\ALEKSA~1\Siste\Desktop.ini


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-11 12:36 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2006-11-17 17:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-11-17 17:29 C:\WINDOWS\system32\nvmctray.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-17 17:29]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-08-14 12:51]
"Easy SpyRemover"="C:\Programfiler\Easy SpyRemover\EasySpyRemover.exe" []
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"PWRISOVM.EXE"="C:\Programfiler\PowerISO\PWRISOVM.EXE" [2007-04-09 14:23]
"McRegWiz"="C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" []
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2006-11-02 03:03]
"MskAgentexe"="C:\Programfiler\McAfee\MSK\MskAgent.exe" [2006-11-03 09:31]
"MWLExe"="C:\Programfiler\Mcafee\MWL\MWLGui.exe" [2006-11-14 19:55]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"McAfee Backup"="C:\Programfiler\McAfee\MBK\McAfeeDataBackup.exe" [2006-11-09 20:34]
"MBkLogOnHook"="C:\Programfiler\McAfee\MBK\LogOnHook.exe" [2006-11-01 10:35]
"SiteAdvisor"="C:\Programfiler\SiteAdvisor\6066\SiteAdv.exe" [2006-10-02 21:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"Creative WebCam Tray"="C:\Programfiler\Creative\Shared Files\CamTray.exe" []

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys


Contents of the 'Scheduled Tasks' folder
2007-08-13 12:50:02 C:\WINDOWS\Tasks\McDefragTask.job - c:\programfiler\mcafee\mqc\QcConsol.exe
2007-08-13 12:50:01 C:\WINDOWS\Tasks\McQcTask.job - c:\programfiler\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 11:53:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 11:54:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-15 11:54
C:\ComboFix2.txt ... 2007-08-14 15:36

--- E O F ---



Virus scanner below:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 15, 2007 1:15:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 15/08/2007
Kaspersky Anti-Virus database records: 381350
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 34963
Number of viruses found: 3
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 00:19:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Aleksander\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Logg\History.IE5\MSHist012007081520070816\index.dat Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\ApplicationHistory\McAfeeDataBackup.exe.8cb07a2d.ini.inuse Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Temp\fb_592.lck Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Temp\~DF3755.tmp Object is locked skipped
C:\Documents and Settings\Aleksander\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aleksander\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Aleksander\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\McAfee\MBK\ARBUSFILE.GDB Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\cert8.db Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\history.dat Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\key3.db Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\parent.lock Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\Mozilla\Firefox\Profiles\q34tyn6w.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\Aleksander\Programdata\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MSC\Logs\{514562AE-A45F-4C88-89A5-2749FC1DD511}.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MSC\Logs\{84142BD9-4CD7-46A0-8631-ED7B6AB3506F}.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MSK\APH.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MSK\RBLDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MWL\Aleksander-PrestoGui_2007-08-15.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MWL\SYSTEM-apconfig_2007-08-15.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MWL\SYSTEM-netlib_2007-08-15.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\MWL\SYSTEM-PrestoSvc_2007-08-15.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Programdata\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-1202660629-1500820517-839522115-1004\Dc2.zip/wfcctd32.dll Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\RECYCLER\S-1-5-21-1202660629-1500820517-839522115-1004\Dc2.zip ZIP: infected - 1 skipped
C:\SDFix\backups_old2\svchost.dll Infected: Trojan-Clicker.Win32.Small.kj skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP10\change.log Object is locked skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP2\A0000001.exe/EXE-file Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP2\A0000001.exe Embedded EXE: infected - 1 skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP2\A0000001.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP8\A0002264.exe Infected: Trojan-Clicker.Win32.Small.kj skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP8\A0002265.exe Infected: Trojan-Clicker.Win32.Small.kj skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP8\A0002272.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP8\A0002277.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP8\A0002537.dll Infected: Trojan-Clicker.Win32.Small.kj skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_2Mk4VyQcI0G0Xt0 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_c6d1nblRNcMj2To Object is locked skipped
C:\WINDOWS\Temp\mcmsc_T28Aq4fcga17VP7 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_vKJWoX3PSIUSBol Object is locked skipped
C:\WINDOWS\Temp\mcmsc_zfnMkLUvvRGZKzg Object is locked skipped
C:\WINDOWS\Temp\s14k.tmp Object is locked skipped
C:\WINDOWS\Temp\sqlite_Eb6kCov9PisbGsv Object is locked skipped
C:\WINDOWS\Temp\sqlite_EY6iC3ULLOa2y6T Object is locked skipped
C:\WINDOWS\Temp\sqlite_hBlMxkzBWqRKslb Object is locked skipped
C:\WINDOWS\Temp\sqlite_JhXoINiJEnt7dq9 Object is locked skipped
C:\WINDOWS\Temp\sqlite_kDfPY30qgObqJ5x Object is locked skipped
C:\WINDOWS\Temp\sqlite_KeRM1f7rfdmhQSL Object is locked skipped
C:\WINDOWS\Temp\sqlite_mIPVEpxFTVoANiA Object is locked skipped
C:\WINDOWS\Temp\sqlite_MwmjjztE1Ba8An2 Object is locked skipped
C:\WINDOWS\Temp\sqlite_VGgxI0XVXIjI69Q Object is locked skipped
C:\WINDOWS\Temp\sqlite_W9hMRZo34pfYtGI Object is locked skipped
C:\WINDOWS\Temp\sqlite_WdyF3qGfv8Y2Pp2 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{F6DF1761-39F5-4FA5-B0CA-DBB09CE24F36}\RP10\change.log Object is locked skipped

Scan process completed.

Virus scanner report in html: file:///C:/Documents%20and%20Settings/Aleksander/Mine%20dokumenter/kkom.html Sorry, I must edit; I only added this text now after the scan process completed. I don't know how to link the page, but I assume you can just copy the link and put it in the web address bar.

Edited by leran, 15 August 2007 - 06:21 AM.

Games:Games:Games|and ofc MORE games.

#11 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 15 August 2007 - 08:55 AM

Don't worry about that link to the Kaspersky log--that is actually to a file on your computer so I can't link to it to see it--but you have posted the log so all the information I wanted to see is there.

Not sure I understand that. I did the ComboFix and got two files on my desktop; I got this window popping up, I pressed okay, and now I see an input and a Browse button. I found the C:\DOCUME~1\ALEKSA~1\SKRIVE~1.\[27]-Submit_2007-08-15_115137,84.zip and put it in this window. Now shall I send this or just input it in the window?

If I understand the question correctly, you have the filepath C:\DOCUME~1\ALEKSA~1\SKRIVE~1.\[27]-Submit_2007-08-15_115137,84.zip appearing in the box next to the Browse button? If that is the case and you still have your browser open on that page, just click on Send File. If that filepath is not in the box next to Browse, copy it from here and paste it in then click Send File.

If you've closed your browser down, then you won't be able to get back to that page again, I think. But you can still submit the zip file by doing the following.

Click to open this page: http://www.bleepingcomputer.com/submit-malware.php

Fill in the required fields and paste C:\DOCUME~1\ALEKSA~1\SKRIVE~1.\[27]-Submit_2007-08-15_115137,84.zip in the box next to Browse. Then click on the Send File button.

Then continue with the instructions I gave to post a fresh HijackThis log and let me know how the computer is running now.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#12 leran

leran
  • Topic Starter

  • Members
  • 53 posts

Posted 15 August 2007 - 09:54 AM

I have done all that you have said; I sent the file as well. But still I get that error message. Is there something else you are planning to do, or are we finished with all this hijack and fixing?

If so then I will deliver my computer to where I bought it and ask them to re-format it and clean it as it was the first time I got it. Of course, if you still can fix my problem without doing a re-format then I will follow your orders^^.

But I really don't want to re-format; I will lose all my stuff, which is sad :(, but if it comes to that then I will do it. I don't want to keep any of the files I have and then transfer them after the re-format; I am afraid they are infected so I won't take that chance, so I would like to avoid the re-format.

#13 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 15 August 2007 - 11:49 AM

I plan on doing anything I can to fix your computer so you don't get the error message and so that the malware is gone. This is a process that may not be easy and is a lot of work, but as I explained in Post #2 I can't promise that everything can be found, and if it were me I would reformat, because the infection you have is very sophisticated, and if you start over with a clean computer and pay more attention to preventing infection then you won't have to go through this headache again very soon.

I think we can find more if we continue it will just take some time. You may have a rootkit still, but the decision to reformat is yours. If you do decide to reformat you can save yourself some money by doing it yourself. Read the last part of this article I linked you to: http://www.dslreports.com/faq/10063

Any data you save to backup that you want to restore can be scanned by your AV--mostly with trojans, you won't have infected files that you need to restore for your system to work, you can just delete the file completely. It may be quicker to pay someone to do it, but maybe not--you will be without your computer for a certain amount of time in any event and if you do it yourself you will know how to do it quicker next time if needed.

Just let me know if you decide to reformat. At the moment we are in the middle of the process, and what needs to be done depends on the information I ask for--I still have a few tricks up my sleeve yet.

If you want to continue--I would still like to see a HJT log, but the next steps will show one.

First, you have your computer set to shut down on error, and we can change that. It won't prevent your games from being interrupted, but will give better information on the problem.

Right click My Computer then Properties.
Under Advanced tab, click Settings next to Startup and Recovery.
Under System Failure, uncheck Automatically restart.
Make sure Small memory dump (64kb) is selected under Write debugging information. If not, click on the drop down menu arrow and set it there.
OK your way out.

Next time the PC crashes you will see an onscreen message.
Write down exactly what these messages say and post it back here.
In particular the STOP code message and file names if mentioned.

You can try to translate it to English the best you can, but I want to see the exact message as is so do that separately.

Download and install CCleaner.
(Starting with v1.27.260, the standard build installs the Yahoo Toolbar as an option which is checkmarked by default during the installation. IF you do NOT want it, remove the checkmark when provided with the option OR download the toolbar-free Basic version instead.)

*After installation, see the Using and Understanding CCleaner Tutorial.

Reboot your computer into Safe Mode--and let me know if you still have to use msconfig to get there.

Run CCleaner to clear out your Java cache and other junk files--I don't trust the issues function, so suggest you leave that button alone for now. Make sure your recycle bin is cleared.

When done reboot normally.

Please run a GMER Rootkit scan:

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab.
Make sure the "Show all" checkbox is unchecked and leave it that way.
Click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.

If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode. Most other rootkit revealers don't.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
DSS will run HijackThis for you so I don't need to see a separate HJT log.

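Reading the GMER output this post asks for, as an added example that is not part of the thread and not GMER's own code: a Python script that parses GMER's SSDT and inline-hook lines, groups hooks by the driver GMER attributes them to, and lists per process the hooks whose JMP target GMER could not map to any module, together with the 64 KiB memory region those targets share. The log lines are constructed in GMER 1.0.13's format, and the list of APIs singled out for a first look is my own choice.

```python
"""Triage of GMER hook listings (added example; not the thread's or GMER's code).

GMER prints one line per SSDT entry or inline hook.  SAMPLE_GMER_LOG is
CONSTRUCTED in GMER 1.0.13's format; WATCHLIST is my own choice of APIs.
"""
import re
from collections import defaultdict

SAMPLE_GMER_LOG = r"""---- System - GMER 1.0.13 ----
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile

---- Kernel code sections - GMER 1.0.13 ----
.text ntoskrnl.exe!ZwYieldExecution 80509014 7 Bytes JMP B9767303 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8057D3C4 5 Bytes JMP B97672C5 \SystemRoot\system32\drivers\mfehidk.sys
.text USBPORT.SYS!DllUnload F646162C 5 Bytes JMP 865301C8

---- User code sections - GMER 1.0.13 ----
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01E50000
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01E50F44
.text C:\WINDOWS\Explorer.EXE[324] WS2_32.dll!socket 71AA3B91 5 Bytes JMP 01EF0000
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009E0F21
"""

# "SSDT <owner> <func>" / "Code <owner> <func>": GMER already names the owner.
OWNED_RE = re.compile(r"^(?P<kind>SSDT|Code)\s+(?P<owner>\S+)\s+(?P<func>\S+)$")
# "<section> [<process>[<pid>]] <module>!<func> <addr> <n> Bytes <patch>"
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?:(?P<process>[^!]+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+(?P<patch>.+)$")
# "JMP <target> [<owner>]": the owner is absent when GMER cannot map the
# target address to any loaded module.
JMP_RE = re.compile(r"^(?:JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>\S+))?$")
# Unattributed hooks on these APIs are the ones I would look at first.
WATCHLIST = ("CreateProcess", "LoadLibrary", "WinExec", "socket",
             "InternetOpen", "RegCreateKey", "CreateFile")


def parse_gmer(text):
    """Return one dict per SSDT/Code entry or inline hook; unknown lines are skipped."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = OWNED_RE.match(line)
        if m:
            hooks.append({"kind": m["kind"].lower(), "process": None, "pid": None,
                          "module": m["kind"], "func": m["func"], "addr": None,
                          "target": None, "owner": m["owner"]})
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue
        j = JMP_RE.match(m["patch"])
        hooks.append({"kind": "user" if m["pid"] else "kernel", "process": m["process"],
                      "pid": int(m["pid"]) if m["pid"] else None, "module": m["module"],
                      "func": m["func"], "addr": int(m["addr"], 16),
                      "target": int(j["target"], 16) if j else None,
                      "owner": j["owner"] if j else None})
    return hooks


def triage(hooks):
    """Split hooks into (by_owner, unattributed).

    by_owner: basename of the attributed driver -> hooked function names.
    unattributed: "path[pid]" or "kernel" -> "module!func" names plus the 64 KiB
    regions the JMP targets fall in.  Many hooks in one process jumping into one
    region means one code blob (an injected DLL, or a security product's hooking
    module) owns them all; identifying that blob is the next step.
    """
    by_owner = defaultdict(list)
    unattributed = defaultdict(lambda: {"funcs": [], "regions": set()})
    for h in hooks:
        if h["owner"]:
            by_owner[h["owner"].rsplit("\\", 1)[-1].lower()].append(h["func"])
        elif h["target"] is not None:
            key = f'{h["process"]}[{h["pid"]}]' if h["pid"] else "kernel"
            unattributed[key]["funcs"].append(f'{h["module"]}!{h["func"]}')
            unattributed[key]["regions"].add(h["target"] & 0xFFFF0000)
    return dict(by_owner), dict(unattributed)


def flagged(unattributed):
    """Per process, the unattributed hooks that sit on WATCHLIST APIs."""
    out = {}
    for proc, info in unattributed.items():
        hits = [f for f in info["funcs"] if any(w in f for w in WATCHLIST)]
        if hits:
            out[proc] = hits
    return out


if __name__ == "__main__":
    by_owner, unattributed = triage(parse_gmer(SAMPLE_GMER_LOG))
    for owner, funcs in by_owner.items():
        print(f"{owner}: {len(funcs)} hook(s) -> {', '.join(funcs)}")
    for proc, info in unattributed.items():
        regions = ", ".join(f"{r:08X}" for r in sorted(info["regions"]))
        print(f"unattributed in {proc}: {', '.join(info['funcs'])} -> regions {regions}")
    for proc, hits in flagged(unattributed).items():
        print(f"look first at {proc}: {', '.join(hits)}")
```

In a real log, hooks attributed to an installed security product's driver are expected noise; what deserves attention is a set of unattributed hooks on process, library and network APIs repeated across several processes, all jumping into one region per process.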


#14 leran

leran
  • Topic Starter

  • Members
  • 53 posts

Posted 15 August 2007 - 01:13 PM

Hey, I will re-format my PC; if you can help me and show me, I will gladly do it. Anyway, I already have the auto-shutdown off, always had, and CCleaner is my favorite cleaning program :D. I used it to remove Java; you're right, I don't trust Java myself, heard bad things. The post you have just done is very long, so I will need some time to read it fully and make sure I understand every little word of it. My English is okay (at least I think so), but when it comes to computer English then it drops down :thumbsup:. Anyway, I'll do as you have told me now. I will reply when I am done.

Thank you.

#15 leran

leran
  • Topic Starter

  • Members
  • 53 posts

Posted 15 August 2007 - 01:50 PM

Log on rootkit below. Sorry, I need to edit this text only. As you see this is a 1-5 part article, the rootkit scan log that is; it was big and I felt I needed to post all of it. If you see what is not needed, just remove it; sorry for the long post log.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-15 20:44:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!ZwYieldExecution 80509014 7 Bytes JMP B9767303 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805793A1 7 Bytes JMP B97672D9 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8057D3C4 5 Bytes JMP B97672C5 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057E2A3 5 Bytes JMP B976732F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E71B 7 Bytes JMP B9767319 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwTerminateProcess 8058C399 5 Bytes JMP B97672B1 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey 805969F3 7 Bytes JMP B9767285 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteKey 80598177 7 Bytes JMP B9767259 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcess 805C0BF0 5 Bytes JMP B97672EF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 8065410B 7 Bytes JMP B976726F \SystemRoot\system32\drivers\mfehidk.sys
? C:\WINDOWS\system32\drivers\sptd.sys Prosessen får ikke tilgang til filen fordi den brukes av en annen prosess.
.text USBPORT.SYS!DllUnload F646162C 5 Bytes JMP 865301C8

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01E50000
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01E5008A
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01E5006F
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01E50F97
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01E50FA8
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01E50FD4
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01E500C2
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01E50F70
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01E50F44
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01E50F5F
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01E50F29
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01E50FB9
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01E50025
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01E5009B
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01E50040
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01E50FEF
.text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01E500DD
.text C:\WINDOWS\Explorer.EXE[324] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 01490025
.text C:\WINDOWS\Explorer.EXE[324] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 01490051
.text C:\WINDOWS\Explorer.EXE[324] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 01490FD4
.text C:\WINDOWS\Explorer.EXE[324] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 01490FEF
.text C:\WINDOWS\Explorer.EXE[324] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 01490F94
.text C:\WINDOWS\Explorer.EXE[324] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 01490FAF
.text C:\WINDOWS\Explorer.EXE[324] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 0149000A
.text C:\WINDOWS\Explorer.EXE[324] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 01490036
.text C:\WINDOWS\Explorer.EXE[324] WININET.dll!InternetOpenA 4448C869 5 Bytes JMP 01EE0000
.text C:\WINDOWS\Explorer.EXE[324] WININET.dll!InternetOpenW 4448CEA1 5 Bytes JMP 01EE0FEF
.text C:\WINDOWS\Explorer.EXE[324] WININET.dll!InternetOpenUrlA 444906DD 5 Bytes JMP 01EE0FD4
.text C:\WINDOWS\Explorer.EXE[324] WININET.dll!InternetOpenUrlW 444DAB2D 5 Bytes JMP 01EE0FB9
.text C:\WINDOWS\Explorer.EXE[324] WS2_32.dll!socket 71AA3B91 5 Bytes JMP 01EF0000
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009E0FE5
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009E0078
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009E0067
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009E0F83
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009E0F94
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009E0FC0
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009E009F
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009E0F57
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009E0F21
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009E0F32
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009E00DF
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009E0FA5
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009E0F68
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009E002C
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009E001B
.text C:\WINDOWS\system32\services.exe[988] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009E00B0
.text C:\WINDOWS\system32\services.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 009C0040
.text C:\WINDOWS\system32\services.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 009C0073
.text C:\WINDOWS\system32\services.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 009C0025
.text C:\WINDOWS\system32\services.exe[988] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\services.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 009C0FB6
.text C:\WINDOWS\system32\services.exe[988] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 009C0062
.text C:\WINDOWS\system32\services.exe[988] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\services.exe[988] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 009C0051
.text C:\WINDOWS\system32\services.exe[988] WS2_32.dll!socket 71AA3B91 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F20F80
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F20F9B
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F20073
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F20062
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F20040
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F20F48
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F20F65
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F20F12
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F200AB
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00F20F01
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00F20051
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F20090
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F20025
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\system32\lsass.exe[1000] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F20F2D
.text C:\WINDOWS\system32\lsass.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00E80FA8
.text C:\WINDOWS\system32\lsass.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00E80047
.text C:\WINDOWS\system32\lsass.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00E80FB9
.text C:\WINDOWS\system32\lsass.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00E80FD4
.text C:\WINDOWS\system32\lsass.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\lsass.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00E80025
.text C:\WINDOWS\system32\lsass.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\lsass.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\lsass.exe[1000] WS2_32.dll!socket 71AA3B91 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02610000
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02610F81
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02610F92
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0261006C
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02610FAF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02610FCA
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 026100A9
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02610098
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02610F1A
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02610F2B
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 026100CE
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02610051
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02610FE5
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02610087
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0261002C
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02610011
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02610F46
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 025E0FD4
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 025E0F9E
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 025E0FE5
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 025E001B
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 025E0FB9
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 025E005B
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 025E0000
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 025E0036
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.DLL!socket 71AA3B91 5 Bytes JMP 02630000
.text C:\WINDOWS\system32\svchost.exe[1168] WININET.DLL!InternetOpenA 4448C869 5 Bytes JMP 0262000A
.text C:\WINDOWS\system32\svchost.exe[1168] WININET.DLL!InternetOpenW 4448CEA1 5 Bytes JMP 0262001B
.text C:\WINDOWS\system32\svchost.exe[1168] WININET.DLL!InternetOpenUrlA 444906DD 5 Bytes JMP 02620FEF
.text C:\WINDOWS\system32\svchost.exe[1168] WININET.DLL!InternetOpenUrlW 444DAB2D 5 Bytes JMP 02620FCA
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C60F97
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C6008C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C6007B
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C60FB2
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C60F55
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C60F72
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C60F30
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C600C9
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C600DA
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C60FC3
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C6009D
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C60036
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C600B8
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00C50FCA
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00C50F97
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00C50FDB
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00C50011
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00C50FA8
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00C50040
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.DLL!socket 71AA3B91 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.DLL!InternetOpenA 4448C869 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.DLL!InternetOpenW 4448CEA1 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.DLL!InternetOpenUrlA 444906DD 5 Bytes JMP 00C70FCA
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.DLL!InternetOpenUrlW 444DAB2D 5 Bytes JMP 00C70011
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01D20FEF
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01D20F75
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01D20060
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01D20F86
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01D20F97
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01D20FB2
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01D200A2
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01D20F5A
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01D200CE
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01D200BD
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01D200E9
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01D20039
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01D20FDE
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01D2007B
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01D20FC3
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01D20014
.text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01D20F49
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 01D1000A
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 01D10036
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 01D10FB9
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 01D10FD4
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 01D10025
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 01D10F83
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 01D10FEF
.text C:\WINDOWS\System32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 01D10F9E
.text C:\WINDOWS\System32\svchost.exe[1400] WS2_32.DLL!socket 71AA3B91 5 Bytes JMP 01D40FEF
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.DLL!InternetOpenA 4448C869 5 Bytes JMP 01D30000
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.DLL!InternetOpenW 4448CEA1 5 Bytes JMP 01D30FE5
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.DLL!InternetOpenUrlA 444906DD 5 Bytes JMP 01D30011
.text C:\WINDOWS\System32\svchost.exe[1400] WININET.DLL!InternetOpenUrlW 444DAB2D 5 Bytes JMP 01D30FB6
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00810058
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00810047
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0081002C
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0081001B
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00810F9E
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00810F3C
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00810084
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00810F21
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008100BA
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00810F10
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00810F83
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00810FD4
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00810073
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00810FAF
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 0081009F
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00800F83
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00800FCA
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00800036
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00800F94
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00800FA5
.text C:\WINDOWS\system32\svchost.exe[1444] WS2_32.DLL!socket 71AA3B91 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[1444] WININET.DLL!InternetOpenA 4448C869 5 Bytes JMP 00820FEF
.text C:\WINDOWS\system32\svchost.exe[1444] WININET.DLL!InternetOpenW 4448CEA1 5 Bytes JMP 00820FDE
.text C:\WINDOWS\system32\svchost.exe[1444] WININET.DLL!InternetOpenUrlA 444906DD 5 Bytes JMP 00820FCD
.text C:\WINDOWS\system32\svchost.exe[1444] WININET.DLL!InternetOpenUrlW 444DAB2D 5 Bytes JMP 0082001E
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0F1F
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F3A
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0F4B
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0F68
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0EEC
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0EFD
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0063
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B0ECA
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B007E
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0014
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F0E
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B0EDB
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 002F0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 002F0080
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 002F0036
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 002F0025
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 002F0065
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 002F0FC3
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 002F000A
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 002F0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1524] WS2_32.dll!socket 71AA3B91 5 Bytes JMP 00680000
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0093006E
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00930F79
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00930F8A
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00930FA5
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW 7C801E50 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW + 2 7C801E52 3 Bytes [ F0, 12, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0093009C
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00930F28
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009300C1
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009300DC
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0093007F
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00930F43
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 0089001B
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00890FB9
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00890FCA
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00890000
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 0089006C
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 0089005B
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00890FE5
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00890036
.text C:\WINDOWS\system32\svchost.exe[1532] WS2_32.DLL!socket 71AA3B91 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[1532] WININET.DLL!InternetOpenA 4448C869 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\svchost.exe[1532] WININET.DLL!InternetOpenW 4448CEA1 5 Bytes JMP 00940FE5
.text C:\WINDOWS\system32\svchost.exe[1532] WININET.DLL!InternetOpenUrlA 444906DD 5 Bytes JMP 00940FCA
.text C:\WINDOWS\system32\svchost.exe[1532] WININET.DLL!InternetOpenUrlW 444DAB2D 5 Bytes JMP 00940FB9
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009E0FE5
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009E0F7C
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009E0067
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009E0056
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009E0039
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009E0FB2
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009E00B3
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009E0F6B
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009E0F35
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009E0F50
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009E00E9
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009E0FA1
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009E0FD4
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009E008C
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009E0014
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009E0FC3
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009E00CE
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 009D0FC3
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 009D0F8D
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 009D0FD4
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 009D0F9E
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 009D0040
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 009D0025
.text C:\WINDOWS\system32\svchost.exe[1648] WS2_32.DLL!socket 71AA3B91 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.DLL!InternetOpenA 4448C869 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.DLL!InternetOpenW 4448CEA1 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.DLL!InternetOpenUrlA 444906DD 5 Bytes JMP 009F0FCA
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.DLL!InternetOpenUrlW 444DAB2D 5 Bytes JMP 009F0FAF
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00AB0FE5
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00AB0F5E
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00AB0053
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00AB0042
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00AB001B
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00AB0F94
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00AB0F1C
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00AB0064
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00AB0EF7
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00AB0090
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00AB00AB
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00AB0F79
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00AB0F43
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00AB0FA5
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00AB0FCA
.text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00AB007F
.text C:\WINDOWS\system32\svchost.exe[2328] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 00AA0FD1
.text C:\WINDOWS\system32\svchost.exe[2328] ADVAPI32.dll!RegCreateKeyExW 77DC7535 5 Bytes JMP 00AA0FAC
.text C:\WINDOWS\system32\svchost.exe[2328] ADVAPI32.dll!RegOpenKeyExA 77DC761B 5 Bytes JMP 00AA0022
.text C:\WINDOWS\system32\svchost.exe[2328] ADVAPI32.dll!RegOpenKeyW 77DC770F 5 Bytes JMP 00AA0011
.text C:\WINDOWS\system32\svchost.exe[2328] ADVAPI32.dll!RegCreateKeyExA 77DCEAF4 5 Bytes JMP 00AA0069
.text C:\WINDOWS\system32\svchost.exe[2328] ADVAPI32.dll!RegCreateKeyW 77DE8F7D 5 Bytes JMP 00AA0058
.text C:\WINDOWS\system32\svchost.exe[2328] ADVAPI32.dll!RegOpenKeyA 77DEC41B 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[2328] ADVAPI32.dll!RegCreateKeyA 77DED5BB 5 Bytes JMP 00AA0047
.text C:\WINDOWS\system32\svchost.exe[2328] WS2_32.DLL!socket 71AA3B91 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[2328] WININET.DLL!InternetOpenA 4448C869 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[2328] WININET.DLL!InternetOpenW 4448CEA1 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[2328] WININET.DLL!InternetOpenUrlA 444906DD 5 Bytes JMP 00A70FD4
.text C:\WINDOWS\system32\svchost.exe[2328] WININET.DLL!InternetOpenUrlW 444DAB2D 5 Bytes JMP 00A70FC3

Edited by leran, 15 August 2007 - 01:58 PM.

Games:Games:Games|and ofc MORE games.
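Added example, not part of the thread or of GMER: a small Python triage script for the user-mode section of a GMER log like the one above. The `.text <process>[pid] <dll>!<export> <addr> N Bytes JMP <target>` lines are inline hooks: the first five bytes of each export have been overwritten with an E9 rel32 near jump, and the two `GetStartupInfoW` lines in `svchost.exe[1532]` (`1 Byte [ E9 ]` at +0 and `3 Bytes [ F0, 12, 84 ]` at +2) are the same kind of hook reported piecewise, because GMER only lists bytes that differ from the on-disk image and one byte of the displacement happened to match the original. The script parses both line shapes, groups patched exports per process, groups JMP destinations into 64 KiB regions, and reassembles the fragmented hook into a target. The sample lines are copied from the log above; the regex is written against those line shapes only, the 64 KiB grouping is a heuristic, and the 0xFF fill byte is an assumption taken from the standard hot-patchable `8B FF 55 8B EC` prologue of XP-era kernel32 exports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the GMER log above (one svchost.exe plus the
# wuauclt.exe socket hook), including the two fragment entries.
SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0093006E
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW 7C801E50 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW + 2 7C801E52 3 Bytes [ F0, 12, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExW 77DC6A78 5 Bytes JMP 0089001B
.text C:\WINDOWS\system32\svchost.exe[1532] WS2_32.DLL!socket 71AA3B91 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\wuauclt.exe[1524] WS2_32.dll!socket 71AA3B91 5 Bytes JMP 00680000
"""

# Matches only the two line shapes visible in the log: "... N Bytes JMP <hex>"
# and "... N Byte(s) [ xx, yy ]", with an optional "+ offset" after the export.
LINE = re.compile(
    r"^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>[A-Za-z0-9_@]+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[\s*(?P<raw>[0-9A-Fa-f, ]*?)\s*\])\s*$"
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str            # DLL whose export was patched
    func: str              # export name
    offset: int            # byte offset into the export ("GetStartupInfoW + 2")
    addr: int              # patched address
    size: int              # bytes GMER reports as changed
    target: Optional[int]  # decoded JMP destination, when GMER decoded it
    raw: Optional[bytes]   # raw changed bytes, when it did not


def parse_log(text: str) -> List[Hook]:
    """Parse the user-mode hook lines of a GMER log; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        raw = None
        if m["raw"] is not None:
            raw = bytes(int(b, 16) for b in m["raw"].split(",") if b.strip())
        hooks.append(Hook(
            process=m["path"], pid=int(m["pid"]), module=m["module"],
            func=m["func"], offset=int(m["off"] or 0), addr=int(m["addr"], 16),
            size=int(m["size"]),
            target=int(m["target"], 16) if m["target"] else None, raw=raw))
    return hooks


def hooks_by_process(hooks: List[Hook]) -> Dict[Tuple[str, int], List[str]]:
    """Patched exports per (process, pid); fragments of one hook count once."""
    out: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for h in hooks:
        name = f"{h.module}!{h.func}"
        if name not in out[(h.process, h.pid)]:
            out[(h.process, h.pid)].append(name)
    return dict(out)


def trampoline_regions(hooks: List[Hook]) -> Dict[int, set]:
    """64 KiB regions (heuristic) the JMPs land in, per PID. Compare these with
    the process's module list: a region backed by no loaded image is an
    injected allocation rather than a DLL's own code."""
    out: Dict[int, set] = defaultdict(set)
    for h in hooks:
        if h.target is not None:
            out[h.pid].add(h.target & 0xFFFF0000)
    return dict(out)


def reassemble_jmp(fragments: List[Hook], assumed_fill: int = 0xFF) -> Optional[int]:
    """Rebuild a 5-byte E9 rel32 hook that GMER reported piecewise.
    Bytes GMER left out are those equal to the original code; assumption:
    the export starts with the hot-patch prologue 8B FF ..., so byte +1 is FF."""
    base = min(f.addr - f.offset for f in fragments)
    buf = bytearray([assumed_fill] * 5)
    for f in fragments:
        for i, b in enumerate(f.raw or b""):
            if f.addr - base + i < 5:
                buf[f.addr - base + i] = b
    if buf[0] != 0xE9:  # not an E9 rel32 near jump
        return None
    rel = int.from_bytes(buf[1:5], "little", signed=True)
    return (base + 5 + rel) & 0xFFFFFFFF  # target = next instruction + rel32


def resolve_fragment_targets(hooks: List[Hook]) -> Dict[Tuple[int, str, str], Optional[int]]:
    """Group raw-byte fragments by (pid, dll, export) and decode each hook."""
    groups: Dict[Tuple[int, str, str], List[Hook]] = defaultdict(list)
    for h in hooks:
        if h.raw is not None:
            groups[(h.pid, h.module, h.func)].append(h)
    return {k: reassemble_jmp(v) for k, v in groups.items()}


if __name__ == "__main__":
    hooks = parse_log(SAMPLE)
    for (proc, pid), names in hooks_by_process(hooks).items():
        print(f"{proc}[{pid}]: {len(names)} hooked exports -> regions "
              f"{sorted(hex(r) for r in trampoline_regions(hooks)[pid])}")
    for key, target in resolve_fragment_targets(hooks).items():
        print(f"fragmented hook {key} -> {target:#010x}")
```

Run over the full log, the script shows the same export set (file, process, library-loading, pipe, registry, socket and WinInet APIs) patched in every listed process, with each DLL's hooks redirected into its own low region; the reassembled `GetStartupInfoW` hook lands at 0x00930F54, inside the same 0x0093xxxx region as the other kernel32 hooks of that svchost. That footprint is a globally injected hooking DLL, which can be a HIPS or antivirus component as well as a user-mode rootkit; the module backing those regions is what settles it, and GMER's process section does not show it.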
