infected with virtumonde trojan


This topic is locked. 9 replies to this topic.

#1 dilbone56 (Members, 24 posts)

Posted 05 December 2008 - 03:50 PM

This is a work computer that I am working on. I do have administrative rights, but our IT department is a joke. I started having an insane amount of popups two days ago. I scanned with McAfee (which our IT administrator decided would be best) and it didn't find anything. I got Spybot S&D and it found hundreds of problems. All were fixed but a few. I then rebooted and tried again: 24 problems found, three unable to fix. They were the same three. They were cmdservice registry keys. After much fussing, I finally booted in safe mode and manually removed those keys. (Each time I scanned, Virtumonde was there, and it was fixed each time.) Then the next scan revealed hkey local machine\software\microsoft\removeRP, and the two Virtumonde files (...system32\qtAbaGgh.ini2 and ...system32\qtAbaGgh.ini). Now I can't even search my files, because Windows Explorer won't stay open long enough to do so. I've run RSIT, so here are the results.

info.txt logfile of random's system information tool 1.04 2008-12-05 14:37:23

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update-->MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Standard-->MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Acrobat and Reader 6.0.3 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Advanced SystemCare 3-->"C:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Autodesk Data Management Server 5-->MsiExec.exe /I{1D9151C2-FBDB-48B9-B3BF-69A8274820D6}
Autodesk DWF Viewer-->C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove /q0
Autodesk Express Viewer-->C:\PROGRA~1\Autodesk\AUTODE~3\Setup.exe /remove
Autodesk Inventor 10-->MsiExec.exe /I{7F4DD591-1000-0409-0000-7107D70F3DB4}
Autodesk Inventor 11-->MsiExec.exe /I{7F4DD591-1100-0409-0000-7107D70F3DB4}
Autodesk Mechanical Desktop 2006-->MsiExec.exe /I{5783F2D7-4003-0409-0002-0060B0CE6BBA}
Autodesk Mechanical Desktop 2007-->MsiExec.exe /I{5783F2D7-5003-0409-0002-0060B0CE6BBA}
Autodesk Vault 5 for Microsoft Office-->MsiExec.exe /I{CBD187B5-1AE1-4CA7-BF83-7AD9DFF56EAF}
Autodesk Vault 5-->MsiExec.exe /I{CDB1F1FE-C07A-454B-8B6F-3863C2B29ADC}
Avanquest update-->C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
Broadcom Advanced Control Suite-->MsiExec.exe /I{058B32E2-6310-4359-B2D4-1988390C3B83}
CNetX Pocket SlideShow-->"C:\Program Files\Microsoft ActiveSync\CNetX\Pocket SlideShow\uInstall.exe" C:\Program Files\Microsoft ActiveSync\CNetX\Pocket SlideShow\slideshw.uil
Deewoo Network Manager removal-->C:\WINDOWS\system32\ocntmsdl.exe -UPop
Dell Software Uninstall-->C:\Program Files\Dell_HostCD\Install\x86\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Logitech SetPoint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
Macromedia Flash Player 8-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint Viewer 2003-->MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (AUTODESKVAULT)-->MsiExec.exe /X{689404D2-1C94-44B3-9203-BEC5594FDA7A}
Microsoft SQL Server Desktop Engine (INVENTORCONTENT)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft WSE 2.0 SP3 Runtime-->MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
Motorola Driver Installation 3.5.0-->MsiExec.exe /I{D2BD3C8F-9D7F-472B-BDF9-7309A5CB813A}
Motorola Phone Tools-->C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe -runfromtemp -l0x0009 -removeonly
Motorola Software Update-->MsiExec.exe /I{922D9CCA-4317-425F-9AA5-94829DF8BA6D}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
PowerDVD 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sound Volume Hotkeys 1.2-->"C:\Program Files\Sound Volume Hotkeys\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
WinASO Registry Optimizer 2.6-->"C:\Program Files\WinASO\Registry Optimizer 2.6\unins000.exe"
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WordPerfect Office 12-->MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: McAfee VirusScan Enterprise

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\Autodesk\Data Management Server 5\Server\Web\Services\bin\;Autodesk Shared;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Common Files\Autodesk Shared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0404
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"DEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection

-----------------EOF-----------------


Logfile of random's system information tool 1.04 (written by random/random)
Run by dilbone at 2008-12-05 14:36:53
Microsoft Windows XP Professional Service Pack 2
System drive C: has 119 GB (78%) free of 153 GB
Total RAM: 1022 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:19 PM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\dilbone\Desktop\RSIT.exe
C:\Program Files\trend micro\dilbone.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/ppsecure/secure....73487816d476156
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1048C0A7-66FC-4741-975F-DF8A4C34A927} - C:\WINDOWS\system32\hgGabAtq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {03fbc976-76bc-5299-f454-d865ef60e63c} - {c36e06fe-568d-454f-9925-cb67679cbf30} - C:\WINDOWS\system32\krhkti.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=120508 serial=WS12WUX-0117966-FZQ
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe -a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hpnt.local
O17 - HKLM\Software\..\Telephony: DomainName = hpnt.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{7894FA37-5ED2-4DBD-B4CB-FCDEB5BD17DF}: NameServer = 10.1.1.47,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hpnt.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hpnt.local
O20 - AppInit_DLLs: mgpdvc.dll wisroz.dll krhkti.dll
O20 - Winlogon Notify: pmnnLcbC - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: dkab_device - Dell - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 8141 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\hzxnljne.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1048C0A7-66FC-4741-975F-DF8A4C34A927}]
C:\WINDOWS\system32\hgGabAtq.dll [2008-12-02 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-05-22 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c36e06fe-568d-454f-9925-cb67679cbf30}]
C:\WINDOWS\system32\krhkti.dll [2008-12-04 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2004-12-10 49152]
"WordPerfect Office 1215"=C:\Program Files\WordPerfect Office 12\Programs\Registration.exe [2004-02-10 733184]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2008-07-18 136512]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-05-22 111952]
"SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}"=C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe [2008-04-12 136704]
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2005-06-01 25088]
"SRFirstRun"=rundll32 srclient.dll []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\Wcescomm.exe [2006-11-13 1289000]
"Advanced SystemCare 3"=C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2008-11-26 2235920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-05-31 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-02-23 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e0ff151c]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe [2003-11-19 32881]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe [2003-10-23 217194]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="mgpdvc.dll wisroz.dll krhkti.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnnLcbC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\hgGabAtq

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\DKabcoms.exe"="C:\WINDOWS\system32\DKabcoms.exe:*:Enabled:Dell Enhanced TCP/IP"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:*:Enabled:ActiveSync Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\DKabcoms.exe"="C:\WINDOWS\system32\DKabcoms.exe:*:Enabled:Dell Enhanced TCP/IP"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29f2fce3-5434-11dd-8265-0014225ec417}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe


======File associations======

.scr - open - "" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2008-12-05 14:36:53 ----D---- C:\rsit
2008-12-05 13:54:36 ----D---- C:\VundoFix Backups
2008-12-05 13:54:36 ----A---- C:\VundoFix.txt
2008-12-05 09:57:28 ----D---- C:\Program Files\Trend Micro
2008-12-05 08:32:00 ----D---- C:\WINDOWS\Prefetch
2008-12-05 08:17:13 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2008-12-05 08:00:26 ----A---- C:\WINDOWS\system32\spxcoins.dll
2008-12-05 08:00:26 ----A---- C:\WINDOWS\system32\irclass.dll
2008-12-05 07:59:56 ----RA---- C:\WINDOWS\SET8C.tmp
2008-12-05 07:59:49 ----RA---- C:\WINDOWS\SET80.tmp
2008-12-05 07:59:46 ----RA---- C:\WINDOWS\SET7D.tmp
2008-12-05 01:46:31 ----D---- C:\WINDOWS\dell
2008-12-04 16:47:33 ----ASH---- C:\WINDOWS\system32\qtAbaGgh.ini2
2008-12-04 16:47:31 ----ASH---- C:\WINDOWS\system32\qtAbaGgh.ini
2008-12-04 15:29:25 ----ASH---- C:\WINDOWS\system32\cgasgnga.ini
2008-12-04 15:26:23 ----A---- C:\WINDOWS\system32\krhkti.dll
2008-12-04 15:26:20 ----A---- C:\WINDOWS\system32\teblfvbw.dll
2008-12-04 13:48:59 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-04 13:37:30 ----D---- C:\Documents and Settings\dilbone\Application Data\IObit
2008-12-04 13:37:29 ----D---- C:\Program Files\IObit
2008-12-03 15:27:49 ----ASH---- C:\WINDOWS\system32\pcfavctj.ini
2008-12-03 15:24:50 ----A---- C:\WINDOWS\system32\wisroz.dll
2008-12-03 15:24:48 ----A---- C:\WINDOWS\system32\ussniheh.dll
2008-12-03 14:53:07 ----A---- C:\WINDOWS\system32\mgpdvc.dll
2008-12-03 14:52:36 ----A---- C:\WINDOWS\system32\xwbdmywk.dll
2008-12-03 14:52:30 ----ASH---- C:\WINDOWS\system32\kwoopqah.ini
2008-12-03 12:00:09 ----D---- C:\Program Files\WinASO
2008-12-03 07:59:08 ----A---- C:\WINDOWS\wininit.ini
2008-12-03 07:27:11 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-03 07:27:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 06:57:13 ----D---- C:\Program Files\Mozilla Firefox
2008-12-02 22:49:30 ----A---- C:\WINDOWS\system32\gside.exe
2008-12-02 14:52:17 ----A---- C:\WINDOWS\system32\rrxnsp.dll
2008-12-02 14:52:14 ----A---- C:\WINDOWS\system32\uavvreff.dll
2008-12-02 14:48:34 ----A---- C:\WINDOWS\system32\rrwnw64k.exe
2008-12-02 09:59:33 ----A---- C:\WINDOWS\system32\beavfw(2).dll
2008-12-02 09:58:18 ----A---- C:\WINDOWS\system32\ebdcd162-.txt
2008-12-02 09:56:05 ----A---- C:\WINDOWS\system32\hgGabAtq.dll
2008-12-02 09:52:11 ----A---- C:\qmhqfeu.exe
2008-12-02 09:52:06 ----A---- C:\fjytg.exe
2008-12-02 09:45:18 ----A---- C:\WINDOWS\system32\ocntmsdl.exe
2008-12-02 09:45:17 ----SHD---- C:\WINDOWS\Q2hhZCBEaWxib25l
2008-12-02 09:45:17 ----A---- C:\WINDOWS\system32\g81.exe
2008-12-02 09:45:02 ----D---- C:\WINDOWS\system32\uv9
2008-12-02 09:45:02 ----D---- C:\WINDOWS\system32\hov
2008-12-02 09:45:00 ----D---- C:\WINDOWS\system32\ki3
2008-12-02 09:44:59 ----D---- C:\WINDOWS\system32\VC
2008-12-02 09:44:59 ----D---- C:\WINDOWS\system32\bin
2008-12-02 09:44:53 ----A---- C:\WINDOWS\system32\tUlKdbbc.dll
2008-12-02 09:44:50 ----D---- C:\Temp
2008-12-02 09:44:45 ----D---- C:\Documents and Settings\dilbone\Application Data\NI.GSCNS
2008-11-15 08:58:56 ----A---- C:\WINDOWS\ModemLog_Motorola USB Modem #5.txt
2008-11-13 15:16:39 ----A---- C:\WINDOWS\ModemLog_Motorola USB Modem #4.txt
2008-11-13 13:49:12 ----SHD---- C:\Config.Msi

======List of files/folders modified in the last 1 months======

2008-12-05 14:12:13 ----D---- C:\WINDOWS
2008-12-05 14:08:40 ----D---- C:\WINDOWS\Temp
2008-12-05 13:38:07 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt
2008-12-05 13:36:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-05 09:58:39 ----D---- C:\WINDOWS\system32\FxsTmp
2008-12-05 09:57:28 ----RD---- C:\Program Files
2008-12-05 08:53:48 ----D---- C:\WINDOWS\system32
2008-12-05 08:53:48 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-05 08:47:06 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-05 08:46:47 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-05 08:36:54 ----SHD---- C:\System Volume Information
2008-12-05 08:36:54 ----D---- C:\WINDOWS\system32\Restore
2008-12-05 08:36:23 ----D---- C:\WINDOWS\SoftwareDistribution
2008-12-05 08:36:17 ----D---- C:\WINDOWS\Help
2008-12-05 08:36:16 ----D---- C:\WINDOWS\Registration
2008-12-05 08:36:07 ----HD---- C:\WINDOWS\inf
2008-12-05 08:35:16 ----D---- C:\WINDOWS\security
2008-12-05 08:34:45 ----A---- C:\WINDOWS\setuplog.txt
2008-12-05 08:31:08 ----D---- C:\WINDOWS\system32\inetsrv
2008-12-05 08:31:08 ----D---- C:\WINDOWS\system32\drivers
2008-12-05 08:31:08 ----D---- C:\WINDOWS\system32\config
2008-12-05 08:20:34 ----AC---- C:\WINDOWS\OEWABLog.txt
2008-12-05 08:20:27 ----AC---- C:\WINDOWS\ODBCINST.INI
2008-12-05 08:19:11 ----D---- C:\WINDOWS\system32\ias
2008-12-05 08:17:23 ----RD---- C:\WINDOWS\Web
2008-12-05 08:16:51 ----RAHC---- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-12-05 08:16:11 ----A---- C:\WINDOWS\win.ini
2008-12-05 08:15:47 ----D---- C:\WINDOWS\system32\oobe
2008-12-05 08:15:44 ----D---- C:\WINDOWS\srchasst
2008-12-05 08:15:42 ----D---- C:\Program Files\Windows Media Player
2008-12-05 08:15:36 ----D---- C:\Program Files\Movie Maker
2008-12-05 08:15:25 ----D---- C:\Program Files\NetMeeting
2008-12-05 08:15:21 ----D---- C:\Program Files\Outlook Express
2008-12-05 08:15:21 ----D---- C:\Program Files\Common Files\System
2008-12-05 08:15:06 ----D---- C:\Program Files\Internet Explorer
2008-12-05 08:13:50 ----D---- C:\WINDOWS\system32\Com
2008-12-05 08:12:43 ----D---- C:\WINDOWS\system32\wbem
2008-12-05 08:12:40 ----D---- C:\Program Files\Windows NT
2008-12-05 08:10:57 ----SH---- C:\boot.ini
2008-12-05 08:03:32 ----D---- C:\DRIVERS
2008-12-05 08:01:21 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-05 08:00:37 ----A---- C:\WINDOWS\system.ini
2008-12-05 08:00:26 ----D---- C:\WINDOWS\system
2008-12-05 08:00:09 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2008-12-05 01:53:58 ----D---- C:\WINDOWS\system32\Setup
2008-12-05 01:53:48 ----D---- C:\WINDOWS\system32\usmt
2008-12-05 01:53:37 ----D---- C:\WINDOWS\AppPatch
2008-12-05 01:53:25 ----D---- C:\WINDOWS\mui
2008-12-05 01:53:25 ----D---- C:\WINDOWS\ehome
2008-12-05 01:53:24 ----D---- C:\WINDOWS\ime
2008-12-05 01:53:23 ----RSD---- C:\WINDOWS\Fonts
2008-12-05 01:53:22 ----D---- C:\WINDOWS\Media
2008-12-05 01:53:06 ----D---- C:\WINDOWS\PeerNet
2008-12-05 01:52:48 ----D---- C:\WINDOWS\system32\npp
2008-12-05 01:52:39 ----D---- C:\WINDOWS\msagent
2008-12-05 01:49:24 ----D---- C:\WINDOWS\twain_32
2008-12-05 01:48:29 ----D---- C:\WINDOWS\system32\icsxml
2008-12-05 01:47:43 ----D---- C:\WINDOWS\system32\1033
2008-12-05 01:46:31 ----D---- C:\WINDOWS\Driver Cache
2008-12-05 01:46:30 ----D---- C:\WINDOWS\WinSxS
2008-12-04 16:16:06 ----D---- C:\Quarantine
2008-12-04 09:45:45 ----D---- C:\Documents and Settings\dilbone\Application Data\U3
2008-12-03 15:54:36 ----SHD---- C:\WINDOWS\CSC
2008-12-03 06:57:31 ----D---- C:\Documents and Settings\dilbone\Application Data\Mozilla
2008-12-02 09:45:02 ----SD---- C:\WINDOWS\Tasks
2008-11-13 15:07:48 ----A---- C:\WINDOWS\ModemLog_Motorola USB Modem #3.txt
2008-11-13 14:11:02 ----A---- C:\WINDOWS\ModemLog_Motorola USB Modem #2.txt
2008-11-13 13:50:35 ----SHD---- C:\WINDOWS\Installer
2008-11-13 13:49:26 ----D---- C:\Program Files\Microsoft ActiveSync
2008-11-12 16:51:04 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 16:51:01 ----A---- C:\WINDOWS\imsins.BAK
2008-11-11 16:18:12 ----D---- C:\warehouse

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-05-22 52104]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-06-01 1198080]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-04-01 132608]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2004-12-10 24704]
R3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2004-12-10 36480]
R3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2004-12-10 68992]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-05-22 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-05-22 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-05-22 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-05-22 174952]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 recagentt;recagentt; C:\WINDOWS\System32\drivers\recagentt.sys []
S1 usbstorr;usbstorr; C:\WINDOWS\System32\drivers\usbstorr.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 motport;Motorola USB Diagnostic Port; C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 23680]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 StMp3Rec;Player Recovery Device Control Driver; C:\WINDOWS\System32\Drivers\StMp3Rec.sys [2007-06-15 19840]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2004-08-03 12672]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2004-08-04 31744]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-03 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-03 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-03 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2004-08-04 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-04 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-03 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-06-01 368640]
R2 Autodesk Data Management Job Dispatch;Autodesk Data Management Job Dispatch; C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe [2006-03-09 40960]
R2 Autodesk EDM Server;Autodesk EDM Server; C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe [2006-03-09 49152]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2008-07-18 103744]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2008-05-22 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2008-05-22 54608]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MSSQL$AUTODESKVAULT;MSSQL$AUTODESKVAULT; C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe [2005-05-03 9150464]
R2 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT; C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe [2002-12-17 7520337]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2006-06-20 72704]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 dkab_device;dkab_device; C:\WINDOWS\system32\DKabcoms.exe [2005-05-23 487424]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2005-05-03 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT; C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE [2005-05-03 323584]
S3 SQLAgent$INVENTORCONTENT;SQLAgent$INVENTORCONTENT; C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
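A triage pass over the RSIT driver list above, as an added example that is not part of the original post or of the RSIT, SDFix or ComboFix tools. It parses RSIT's driver/service lines and file-list lines and flags three things visible in this thread: boot/system-start drivers for which RSIT printed empty brackets (recagentt, usbstorr, and the McAfee mferkdk entry, which is almost certainly benign since it is a VirusScan Enterprise component and the empty brackets are most plausibly RSIT failing to resolve its \??\ path), a driver name that is a legitimate name with one character appended (usbstorr beside USBSTOR), and the Virtumonde/Vundo habit of naming its dropped .ini as the reversed stem of its BHO DLL (hgGabAtq.dll / qtAbaGgh.ini, a pair that appears in the ComboFix log later in the thread). The sample log is constructed from those lines; reading empty brackets as "file could not be read" and the lookalike heuristic are assumptions of this example, so its output is a worklist for manual review, not a verdict.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind subject detail")

# Constructed sample, assembled for this example from lines in this thread:
# the first five are RSIT driver-list lines from the log above, the last
# three are in RSIT's file-list format, and the Vundo pair (hgGabAtq.dll /
# qtAbaGgh.ini) is taken from the ComboFix log later in the thread.
SAMPLE_LOG = r"""
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
S1 recagentt;recagentt; C:\WINDOWS\System32\drivers\recagentt.sys []
S1 usbstorr;usbstorr; C:\WINDOWS\System32\drivers\usbstorr.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
2008-12-05 08:16:51 ----RAHC---- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-12-04 15:29:00 ----ASH---- C:\WINDOWS\system32\qtAbaGgh.ini
2008-12-04 15:29:00 ----A---- C:\WINDOWS\system32\hgGabAtq.dll
"""

# RSIT driver/service line: "<R|S><start> name;description; path [date size]"
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[(.*)\]$")
# RSIT file-list line: "<date> <time> ----ATTRS---- <path>"
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) -*([A-Z]*)-* (.+)$")


def parse(log_text):
    """Split an RSIT log into driver/service records and file records."""
    drivers, files = [], []
    for line in log_text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            state, start, name, desc, path, meta = m.groups()
            drivers.append(dict(state=state, start=int(start), name=name,
                                desc=desc, path=path, meta=meta.strip()))
            continue
        m = FILE_RE.match(line)
        if m:
            stamp, attrs, path = m.groups()
            files.append(dict(stamp=stamp, attrs=attrs, path=path))
    return drivers, files


def check_drivers(drivers):
    findings = []
    names = {d["name"].lower() for d in drivers}
    for d in drivers:
        # Boot/system-start (0/1) drivers load before most defences. RSIT
        # prints empty brackets when it could not read the file's date and
        # size; this example assumes that is worth a manual look, although
        # a legitimate driver registered with a \??\ path looks the same.
        if d["start"] <= 1 and not d["meta"]:
            findings.append(Finding("no-file-metadata", d["name"], d["path"]))
        # Lookalike: a known driver name with one character appended
        # (usbstorr beside USBSTOR) is a common disguise.
        low = d["name"].lower()
        if len(low) > 3 and low[:-1] in names:
            findings.append(Finding("lookalike-name", d["name"], low[:-1]))
    return findings


def check_files(files):
    findings = []
    # Vundo's trademark: the .ini it drops uses the reversed stem of its
    # BHO DLL (hgGabAtq.dll <-> qtAbaGgh.ini). Group by lower-cased stem and
    # look for a stem whose reverse is also present.
    by_stem = {}
    for f in files:
        base = f["path"].rsplit("\\", 1)[-1]
        stem, _, _ext = base.rpartition(".")
        by_stem.setdefault(stem.lower(), []).append(base)
    for stem, bases in by_stem.items():
        rev = stem[::-1]
        if rev in by_stem and stem < rev:  # report each pair once
            for a in bases:
                for b in by_stem[rev]:
                    findings.append(Finding("reversed-pair", f"{a} <-> {b}",
                                            "Vundo naming pattern"))
    return findings


def analyze(log_text):
    drivers, files = parse(log_text)
    return check_drivers(drivers) + check_files(files)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:18} {f.subject:32} {f.detail}")
```

Feed it a whole RSIT log (log.txt plus info.txt) and it will pick out the driver and file-list lines on its own; everything else is ignored. Expect the McAfee-style false positive on any vendor driver registered with a \??\ path, and treat a reversed-pair hit as strong evidence of Virtumonde because legitimate software has no reason to name files that way.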


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:08:23 PM

Posted 06 December 2008 - 04:11 PM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following....


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall




Post me these logs in your next reply..


1. SDFix
2. ComboFix
3. A fresh HijackThis log (after ComboFix step)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 dilbone56

dilbone56
  • Topic Starter

  • Members
  • 24 posts
  • Local time:06:23 AM

Posted 08 December 2008 - 04:58 PM

Seems as though everything has worked great. You're awesome. Here's the info you requested.


SDFix: Version 1.240
Run by Administrator on Mon 12/08/2008 at 07:45 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\winpfz33.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 07:56:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\DKabcoms.exe"="C:\\WINDOWS\\system32\\DKabcoms.exe:*:Enabled:Dell Enhanced TCP/IP"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\DKabcoms.exe"="C:\\WINDOWS\\system32\\DKabcoms.exe:*:Enabled:Dell Enhanced TCP/IP"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 2 Aug 2005 187,904 A.SHR --- "C:\WINDOWS\Q2hhZCBEaWxib25l\asappsrv.dll"
Tue 2 Aug 2005 293,888 A.SHR --- "C:\WINDOWS\Q2hhZCBEaWxib25l\command.exe"
Fri 19 Sep 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 15 Nov 2005 78,104 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Tue 15 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Thu 23 Jan 2003 65,952 A.SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe"
Fri 6 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Tue 23 Oct 2007 3,350,528 A..H. --- "C:\Documents and Settings\dilbone\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

ComboFix 08-12-06.06 - dilbone 2008-12-08 8:15:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.532 [GMT -6:00]
Running from: c:\documents and settings\dilbone\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\dilbone\Application Data\NI.GSCNS
c:\documents and settings\dilbone\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\dilbone\Application Data\NI.GSCNS\IUpd721.exe
c:\documents and settings\dilbone\Application Data\NI.GSCNS\settings.ini
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\system32\bin
c:\windows\system32\gside.exe
c:\windows\system32\hgGabAtq.dll
c:\windows\system32\ki3
c:\windows\system32\krhkti.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\qtAbaGgh.ini
c:\windows\system32\qtAbaGgh.ini2
c:\windows\system32\rrwnw64k.exe
c:\windows\system32\teblfvbw.dll
c:\windows\system32\uv9
c:\windows\system32\uv9\peco85IV.exe
c:\windows\system32\VC
c:\windows\system32\VC\MTK63G.exe
c:\windows\Tasks\hzxnljne.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-08 08:12 . 2008-12-08 08:12 <DIR> d-------- C:\32788R22FWJFW
2008-12-08 07:38 . 2008-12-08 07:39 <DIR> d-------- c:\windows\ERUNT
2008-12-08 07:36 . 2008-12-08 07:59 <DIR> d-------- C:\SDFix
2008-12-05 14:36 . 2008-12-05 14:37 <DIR> d-------- C:\rsit
2008-12-05 13:54 . 2008-12-05 13:54 <DIR> d-------- C:\VundoFix Backups
2008-12-05 13:44 . 2008-08-14 04:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-05 13:44 . 2008-08-14 03:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-05 13:44 . 2008-08-14 03:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-05 13:44 . 2008-08-14 03:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-05 13:43 . 2008-06-13 07:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-05 13:42 . 2008-10-24 05:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-05 09:57 . 2008-12-05 14:37 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 08:24 . 2004-08-04 06:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2008-12-05 08:23 . 2004-08-04 06:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2008-12-05 08:22 . 2004-08-04 06:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll
2008-12-05 08:21 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2008-12-05 08:17 . 2008-12-05 08:17 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-05 08:16 . 2008-12-05 08:16 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-05 08:16 . 2008-12-05 08:16 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-05 08:16 . 2008-12-05 08:16 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-05 08:16 . 2008-12-05 08:16 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2008-12-05 08:16 . 2008-12-05 08:16 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-05 08:15 . 2004-08-04 06:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-12-05 07:59 . 2004-08-04 06:00 1,086,058 -ra------ c:\windows\SET80.tmp
2008-12-05 07:59 . 2004-08-04 06:00 1,042,903 -ra------ c:\windows\SET7D.tmp
2008-12-05 07:59 . 2004-08-04 06:00 13,753 -ra------ c:\windows\SET8C.tmp
2008-12-05 01:46 . 2008-12-05 01:46 <DIR> d-------- c:\windows\dell
2008-12-04 15:29 . 2008-12-04 15:29 121 --ahs---- c:\windows\system32\cgasgnga.ini
2008-12-04 13:59 . 2008-12-04 13:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\IObit
2008-12-04 13:37 . 2008-12-04 13:37 <DIR> d-------- c:\program files\IObit
2008-12-04 13:37 . 2008-12-04 13:37 <DIR> d-------- c:\documents and settings\dilbone\Application Data\IObit
2008-12-04 08:57 . 2008-12-04 09:08 551,100,721 --a------ C:\Support.zip
2008-12-03 15:27 . 2008-12-03 15:27 121 --ahs---- c:\windows\system32\pcfavctj.ini
2008-12-03 14:52 . 2008-12-03 14:52 121 --ahs---- c:\windows\system32\kwoopqah.ini
2008-12-03 12:00 . 2008-12-03 12:00 <DIR> d-------- c:\program files\WinASO
2008-12-03 07:59 . 2008-12-03 07:59 287 --a------ c:\windows\wininit.ini
2008-12-03 07:27 . 2008-12-04 07:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-03 07:27 . 2008-12-03 08:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 09:52 . 2008-12-02 09:52 1,024 --a------ C:\qmhqfeu.exe
2008-12-02 09:52 . 2008-12-02 09:52 1,024 --a------ C:\fjytg.exe
2008-12-02 09:45 . 2008-12-02 09:45 <DIR> d-------- c:\windows\system32\hov
2008-12-02 09:45 . 2008-12-02 09:45 <DIR> d--hs---- c:\windows\Q2hhZCBEaWxib25l
2008-12-02 09:45 . 2008-12-02 09:45 548,928 --a------ c:\windows\system32\ocntmsdl.exe
2008-12-02 09:45 . 2008-12-02 09:45 30,730 --a------ c:\windows\system32\g81.exe
2008-12-02 09:44 . 2008-12-08 08:15 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 15:45 --------- d-----w c:\documents and settings\dilbone\Application Data\U3
2008-11-13 19:49 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-30 21:01 --------- d-----w c:\program files\Motorola Phone Tools
2008-10-30 21:01 --------- d-----w c:\program files\Motorola
2008-10-30 18:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-30 18:44 --------- d-----w c:\program files\Avanquest update
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 19:22 --------- d-----w c:\documents and settings\dilbone\Application Data\AdobeUM
2008-01-02 20:35 24,192 ----a-w c:\documents and settings\dilbone\usbsermptxp.sys
2008-01-02 20:35 22,768 ----a-w c:\documents and settings\dilbone\usbsermpt.sys
2005-08-02 22:46 187,904 --sha-r c:\windows\Q2hhZCBEaWxib25l\asappsrv.dll
2005-08-02 22:58 293,888 --sha-r c:\windows\Q2hhZCBEaWxib25l\command.exe
2005-07-29 22:24 472 --sha-r c:\windows\Q2hhZCBEaWxib25l\kZ11tF1HuqU2vZc5.vbs
2008-08-28 13:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-26 2235920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"WordPerfect Office 1215"="c:\program files\WordPerfect Office 12\Programs\Registration.exe" [2004-02-10 733184]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-07-18 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}"="c:\program files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe" [2008-04-12 136704]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-23 11000]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-02-21 434176]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mgpdvc.dll wisroz.dll krhkti.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e0ff151c
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2005-05-31 21:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2003-11-19 17:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\DKabcoms.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT []
S1 recagentt;recagentt;c:\windows\system32\drivers\recagentt.sys []
S1 usbstorr;usbstorr;c:\windows\system32\drivers\usbstorr.sys []
S3 dkab_device;dkab_device;c:\windows\system32\DKabcoms.exe -service []
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-01-03 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-01-03 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2008-01-03 23680]
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT;"c:\program files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE" -i AUTODESKVAULT [2005-05-03 323584]
S3 SQLAgent$INVENTORCONTENT;SQLAgent$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29f2fce3-5434-11dd-8265-0014225ec417}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{21CAAE76-E3EF-4F05-A706-86AE8EA76FCA} - c:\windows\system32\hgGabAtq.dll
BHO-{c36e06fe-568d-454f-9925-cb67679cbf30} - c:\windows\system32\krhkti.dll
Notify-pmnnLcbC - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = https://login.passport.com/ppsecure/secure....73487816d476156
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.storageguardsoft.com
TCP: {7894FA37-5ED2-4DBD-B4CB-FCDEB5BD17DF} = 10.1.1.47,4.2.2.2
FireFox -: Profile - c:\documents and settings\dilbone\Application Data\Mozilla\Firefox\Profiles\t6hm0kiu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 08:28:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
c:\program files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2008-12-08 8:31:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 14:31:55

Pre-Run: 124,752,830,464 bytes free
Post-Run: 124,634,722,304 bytes free

230 --- E O F --- 2008-12-05 22:37:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/ppsecure/secure....73487816d476156
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=122308 serial=WS12WUX-0117966-FZQ
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hpnt.local
O17 - HKLM\Software\..\Telephony: DomainName = hpnt.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{7894FA37-5ED2-4DBD-B4CB-FCDEB5BD17DF}: NameServer = 10.1.1.47,4.2.2.2
O20 - AppInit_DLLs: mgpdvc.dll wisroz.dll krhkti.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: dkab_device - Dell - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 8069 bytes

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 08 December 2008 - 09:57 PM

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



NEXT



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
recagentt
usbstorr

File::
c:\windows\SET80.tmp
c:\windows\SET7D.tmp
c:\windows\SET8C.tmp
c:\windows\system32\cgasgnga.ini
c:\windows\system32\pcfavctj.ini
c:\windows\system32\kwoopqah.ini
C:\qmhqfeu.exe
C:\fjytg.exe
c:\windows\system32\ocntmsdl.exe
c:\windows\system32\g81.exe
c:\windows\system32\drivers\recagentt.sys
c:\windows\system32\drivers\usbstorr.sys

Folder::
c:\windows\system32\hov
c:\windows\Q2hhZCBEaWxib25l

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29f2fce3-5434-11dd-8265-0014225ec417}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
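
The two entry types the helper acts on above, the O15 Trusted Zone additions and the O20 AppInit_DLLs line from the HijackThis log, can be picked out of a log automatically. The following is an added example, not code from this thread or from HijackThis; the sample lines are constructed from the log posted above, and the `allowed_domains` parameter (for trusted-zone patterns an organisation pushes on purpose) is an assumption.

```python
"""Triage helper for HijackThis v2 log lines (added example, not part of the
thread or of HijackThis).  It flags O15 Trusted Zone additions, which let sites
run with relaxed IE security, and O20 AppInit_DLLs entries, which load a DLL
into every process that uses user32.dll."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: O15/O20 lines as they appear in the thread's log, plus
# two benign lines to show they are left alone.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe",
    "O15 - Trusted Zone: *.antimalwareguard.com",
    "O15 - Trusted Zone: *.gomyhit.com (HKLM)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hpnt.local",
    "O20 - AppInit_DLLs: mgpdvc.dll wisroz.dll krhkti.dll",
])

# HijackThis prints machine-wide trusted-zone entries with a trailing "(HKLM)";
# entries without it come from the current user's hive.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

# Short pseudo-random names like those in this thread are typical of Vundo
# DLLs; anything in AppInit_DLLs deserves review regardless of its name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.dll$")


def parse_o15(line: str) -> Optional[Tuple[str, str]]:
    """Return (domain_pattern, hive) for an O15 line, or None if it is not one."""
    m = O15_RE.match(line.strip())
    if not m:
        return None
    return m.group("domain"), m.group("hive") or "HKCU"


def parse_o20(line: str) -> List[str]:
    """Return the DLL names listed on an O20 AppInit_DLLs line (empty if none)."""
    m = O20_RE.match(line.strip())
    if not m:
        return []
    return m.group("dlls").split()


def triage(log_text: str, allowed_domains: Tuple[str, ...] = ()) -> Dict[str, List[str]]:
    """Walk a HijackThis log and collect the entries that need a second look.

    allowed_domains holds trusted-zone patterns that are expected (hypothetical
    parameter, e.g. an intranet name pushed by policy); everything else is
    flagged.  Each flagged O15 line is also copied verbatim into hjt_fix_lines,
    the list a helper would ask the user to tick under "Do a system scan only".
    """
    findings: Dict[str, List[str]] = {"trusted_zone": [], "appinit_dlls": [], "hjt_fix_lines": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        o15 = parse_o15(line)
        if o15:
            domain, hive = o15
            if domain not in allowed_domains:
                findings["trusted_zone"].append(f"{domain} [{hive}]")
                findings["hjt_fix_lines"].append(line)
            continue
        for dll in parse_o20(line):
            tag = "random-looking name" if RANDOM_NAME_RE.match(dll) else "review"
            findings["appinit_dlls"].append(f"{dll} ({tag})")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```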


#5 dilbone56

dilbone56
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 09 December 2008 - 08:42 AM

The Combofix log is too large to post so I have attached it. If there is a better way, please let me know, and I will do whatever you need. Thank you again for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:34, on 2008-12-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/ppsecure/secure....73487816d476156
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=122308 serial=WS12WUX-0117966-FZQ
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hpnt.local
O17 - HKLM\Software\..\Telephony: DomainName = hpnt.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{7894FA37-5ED2-4DBD-B4CB-FCDEB5BD17DF}: NameServer = 10.1.1.47,4.2.2.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: dkab_device - Dell - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 7587 bytes


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:23 PM

Posted 09 December 2008 - 09:45 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.


Post these logs in your next reply..

1. Malwarebytes'
2. GMER



#7 dilbone56

dilbone56
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 09 December 2008 - 05:53 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1478
Windows 5.1.2600 Service Pack 3

2008-12-09 16:24:56
mbam-log-2008-12-09 (16-24-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147702
Time elapsed: 1 hour(s), 13 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\Q2hhZCBEaWxib25l\asappsrv.dll.vir (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Q2hhZCBEaWxib25l\command.exe.vir (Adware.CommAd) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGabAtq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\krhkti.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\teblfvbw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hov\BATU2I3X.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\uv9\peco85IV.exe.vir (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\VC\MTK63G.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP11\A0005259.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP11\A0005260.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP11\A0005264.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000573.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000574.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000605.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000607.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000769.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000770.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-09 16:53:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAE20DABB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAE20DA3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAE20DAE5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAE20DA4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAE20DA7B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAE20DB0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAE20DA27]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAE20DACF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAE20DA65]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAE20DA91]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAE20DAA7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAE20DB25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAE20DAF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AE20DAFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AE20DABF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP AE20DB13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP AE20DB29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP AE20DAD3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP AE20DAE9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP AE20DAAB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP AE20DA95 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP AE20DA69 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP AE20DA3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP AE20DA53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP AE20DA7F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP AE20DA2B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? phncgoie.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 037B0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 037B0078
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 037B005D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 037B0F83
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 037B0F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 037B002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 037B0F68
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 037B00A4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 037B0F28
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037B0F4D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 037B00E6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 037B0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 037B0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 037B0089
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 037B000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 037B0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 037B00CB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 037A002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 037A0F97
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 037A0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 037A0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 037A005E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 037A000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 037A0FB2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9A, 8B ]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 037A0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F81
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F9C
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B005B
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F44
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F55
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00BB
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F22
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B00CC
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B006C
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F70
.text C:\WINDOWS\system32\wuauclt.exe[292] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E50039
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E50FB2
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00E60FD4
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02670000
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02670F5F
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02670F70
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02670F81
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02670F9E
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02670FCD
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026700A7
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0267008C
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02670F29
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02670F3A
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02670F18
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0267004A
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02670FEF
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0267006F
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02670FDE
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02670025
.text C:\WINDOWS\Explorer.EXE[1952] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 026700B8
.text C:\WINDOWS\Explorer.EXE[1952] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02650FD4
.text C:\WINDOWS\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02650087
.text C:\WINDOWS\Explorer.EXE[1952] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02650FE5
.text C:\WINDOWS\Explorer.EXE[1952] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0265001B
.text C:\WINDOWS\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02650062
.text C:\WINDOWS\Explorer.EXE[1952] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0265000A
.text C:\WINDOWS\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02650047
.text C:\WINDOWS\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02650036
.text C:\WINDOWS\Explorer.EXE[1952] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02660FEF
.text C:\WINDOWS\Explorer.EXE[1952] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0266000A
.text C:\WINDOWS\Explorer.EXE[1952] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0266001B
.text C:\WINDOWS\Explorer.EXE[1952] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02660FD4
.text C:\WINDOWS\Explorer.EXE[1952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 024C0000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
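
A log like the one above is easier to read once the `.text` hook lines are grouped. The following is an added example, not something from the thread and not a GMER utility: it parses GMER's user-mode hook lines (`.text <process>[pid] <module>!<export> <addr> <n> Bytes JMP <target>`, plus the `+ N` / `[ 85, 88 ]` tail form that appears for RegCreateKeyW in svchost.exe[1232]) and summarises, per process, how many exports are patched and which 64 KiB regions the JMPs land in. The regex and the 64 KiB grouping are assumptions about the format; the sample lines are copied from the log. It deliberately makes no judgement about whether a hook is malicious: that needs the JMP targets compared against the process's loaded modules, which this part of the log does not include.

```python
"""Summarise GMER user-mode hook entries of the form shown above.

Added example: not from the thread and not a GMER tool. HOOK_RE is an
assumption about GMER's line format; SAMPLE is copied from the log. The
code reports facts (which exports are patched, where the JMPs go) and
makes no judgement about whether a hook is malicious."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s*\+\s*(?P<off>\d+))?\s+"            # "+ 3" tail lines
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[\s*(?P<bytes>[^\]]*?)\s*\])\s*$"
)
REGION_MASK = 0xFFFF0000   # group JMP targets by 64 KiB, Windows' allocation granularity


@dataclass
class Hook:
    proc: str
    pid: int
    module: str
    func: str
    offset: int                 # 0 for the export itself, N for a "+ N" tail line
    addr: int
    nbytes: int
    target: Optional[int]       # JMP destination; None for raw-byte tail lines
    raw: Tuple[int, ...] = ()   # bytes from the "[ 85, 88 ]" form (GMER prints hex)


def parse_gmer_hooks(text: str) -> List[Hook]:
    """Return one Hook per '.text ...' line; every other GMER line is skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        raw = tuple(int(b, 16) for b in (m["bytes"] or "").split(",") if b.strip())
        hooks.append(Hook(m["proc"], int(m["pid"]), m["mod"], m["func"],
                          int(m["off"] or 0), int(m["addr"], 16), int(m["n"]),
                          int(m["target"], 16) if m["target"] else None, raw))
    return hooks


def merge_split_patches(hooks: List[Hook]) -> List[Hook]:
    """Fold '+ N' tail lines into the entry for their export.

    GMER reports a patch that starts with a 2-byte short JMP (RegCreateKeyW in
    svchost.exe[1232] above) as two lines: the JMP and a '+ 3' line with the
    remaining bytes. After merging, nbytes is the whole span overwritten."""
    merged: Dict[Tuple[str, int, str, str], Hook] = {}
    tails: List[Hook] = []
    for h in hooks:
        key = (h.proc, h.pid, h.module, h.func)
        if h.offset == 0:
            merged[key] = h
        else:
            tails.append(h)
    for t in tails:
        key = (t.proc, t.pid, t.module, t.func)
        parent = merged.get(key)
        if parent is None:          # tail without a head line: keep it as-is
            merged[key] = t
            continue
        parent.nbytes = max(parent.nbytes, t.offset + t.nbytes)
        parent.raw += t.raw
    return list(merged.values())


def summarize(hooks: List[Hook]) -> Dict[Tuple[str, int], dict]:
    """Per (process, pid): patched export count, modules, JMP regions, split patches."""
    out: Dict[Tuple[str, int], dict] = {}
    for h in merge_split_patches(hooks):
        s = out.setdefault((h.proc, h.pid),
                           {"hooked": 0, "modules": set(), "regions": set(), "split": []})
        s["hooked"] += 1
        s["modules"].add(h.module)
        if h.target is not None:
            s["regions"].add(h.target & REGION_MASK)
        if h.raw:                    # set only when a '+ N' tail line was present
            s["split"].append((f"{h.module}!{h.func}", h.nbytes))
    return out


def report(text: str) -> str:
    lines = []
    for (proc, pid), s in summarize(parse_gmer_hooks(text)).items():
        regions = ", ".join(f"{r:08X}" for r in sorted(s["regions"]))
        lines.append(f"{proc}[{pid}]: {s['hooked']} exports patched in "
                     f"{', '.join(sorted(s['modules']))}; JMP targets in {regions}")
        for name, n in s["split"]:
            lines.append(f"  {name}: {n}-byte patch reported on two lines")
    return "\n".join(lines)


# Sample lines copied from the GMER log above; the last one is a non-hook line.
SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00660F07
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00650FA8
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 85, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630FEF
.text C:\WINDOWS\Explorer.EXE[1952] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02660FEF
.text C:\WINDOWS\Explorer.EXE[1952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 024C0000
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
"""

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it against a saved GMER log (`report(open("gmer.log").read())`) to get one line per process instead of dozens of hook lines. The useful signal is how few distinct regions the JMPs converge on; deciding what lives at those addresses still requires the module list GMER prints for each process.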

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:08:23 PM

Posted 10 December 2008 - 12:14 AM

Looks good.. How is the computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 dilbone56

dilbone56
  • Topic Starter

  • Members
  • 24 posts
  • Local time:06:23 AM

Posted 10 December 2008 - 07:50 AM

My computer is awesome. Thank you so much. I would have never been able to get it as clean and fast as it is now without formatting and starting over. This is a work computer, and unfortunately our "IT administrator" is more interested in deciding who gets internet access than actually maintaining our network. Thanks again.

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:08:23 PM

Posted 10 December 2008 - 08:25 AM

Think you are good to go now...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between combofix and /u is needed


To learn more about how to protect yourself while on the internet read this excellent article by Grinler: How did I get infected?, With steps so it does not happen again!

Please also read an excellent article by miekiemoes: Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512





