
Laptop infected - unable to open IE and Windows Updates.


  • This topic is locked
9 replies to this topic

#1 jcarissimo

jcarissimo

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 28 December 2008 - 08:09 PM

Hi all - looking for some assistance with a laptop I'm working on. I have read your "Read this before posting a log" post. I will not make any additional attempts to fix this laptop until I hear from you. Here is what I've done so far and some of the symptoms I've encountered.

Symptoms:
- extremely slow startup and shutdown
- unable to open Internet Explorer
- unable to open/modify McAfee Antivirus Protection
- unable to install several malware removal programs due to Windows Installer failure
- system will hang for very long time at unexpected intervals

Already have tried:
- Malwarebytes - found some and tried to fix but laptop hung during cure/removal
- Adaware 2008 - found one or two objects but no viruses

I have run the required DDS.scr scan. I am pasting the DDS.txt results and attaching the Attach.zip as directed.

DDS.txt Log Results:

DDS (Version 1.1.0) - NTFSx86
Run by Dad at 19:32:45.50 on Sun 12/28/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.619 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R?3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-20 605512]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-20 207656]
R2 A92C76B4020562B8;A92C76B4020562B8;\??\c:\documents and settings\dana dewey\desktop\a92c76b4020562b8\A92C76B4020562B8 []
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"c:\program files\broadcom\asfipmon\AsfIpMon.exe" -service [2006-12-19 79432]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe" [2008-1-11 30312]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\McSACore.exe" [2008-9-6 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-20 358736]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-9-1 24652]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-20 144704]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-20 79240]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-20 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-20 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-20 40488]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -sMSSMLBIZ [2008-2-26 29183504]

=============== Created Last 30 ================

2008-12-27 21:06 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 19:00 <DIR> --d----- c:\program files\Lavasoft
2008-12-27 17:28 <DIR> --d----- c:\documents and settings\dad\DoctorWeb
2008-12-27 16:05 <DIR> --d----- C:\Combo-Fix
2008-12-27 16:05 389,120 a------- c:\windows\system32\CF7243.exe
2008-12-26 16:45 389,120 a------- c:\windows\system32\CF27918.exe
2008-12-26 14:37 <DIR> --d----- c:\windows\ERUNT
2008-12-26 14:36 <DIR> --d----- C:\!FixIEDef
2008-12-26 03:23 <DIR> --d----- c:\program files\AVG
2008-12-26 03:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-26 03:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-26 02:48 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2008-12-26 01:40 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-26 01:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 01:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 01:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-25 21:45 <DIR> --d----- c:\windows\pss
2008-12-25 21:44 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-07 19:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AcrobatInstall
2008-12-04 22:26 <DIR> --d----- c:\program files\avrlabs

==================== Find3M ====================

2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 11:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 19:33:05.21 ===============


I look forward to hearing back from you and getting your support.

Thank you,
jcarissimo


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:18 PM

Posted 06 January 2009 - 03:41 PM

Hello jcarissimo.

Please post the contents of C:\ComboFix.txt if it still exists.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

If you can't open McAfee to disable it, skip this step.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important! Please do not select the Show all checkbox during the scan.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please give me an update on the symptoms.

With Regards,
The Panda

#3 jcarissimo

jcarissimo
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 09 January 2009 - 10:12 AM

Hi Panda, thank you for getting back to me.

Ok, so I've shut down all the real-time protection as instructed. I downloaded the most recent copy of ComboFix, but when I double-click to run it I just get a small blue screen that looks similar to a command prompt window; it has a flashing cursor, and next to the icon in the top left corner of the page is just a "." dot. So I assume that ComboFix is not running, even though I let it sit like that for a good 30 minutes. I never received any messages or anything from it, so I'll just shut it down.

No log was produced and in fact I had a hard time simply closing that window. I had to re-start the laptop to get back to my desktop.

Do you recommend skipping this and going right to the GMER step?

I will wait for your response before trying anything else.
Please advise.

Thank you,
jcarissimo

#4 jcarissimo

jcarissimo
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 09 January 2009 - 11:01 AM

Ok Panda, I stand corrected... I have used my "smarts" and started the laptop in Safe Mode and then disabled McAfee and was able to begin the ComboFix process. I will let you know what the results are upon completion.

Regards,
jcarissimo

#5 jcarissimo

jcarissimo
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 09 January 2009 - 11:45 AM

Hi Panda, ok, update on the symptoms - the laptop seems to be running much better. I am able to access the internet with no problem, I am also able to access the McAfee settings, and it is no longer hanging.

Here are the log results from the two scans:

ComboFix Log:
ComboFix 09-01-08.05 - Dad 2009-01-09 11:02:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.610 [GMT -6:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dana Dewey\Application Data\WeatherDPA
c:\documents and settings\Dana Dewey\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Dana Dewey\Application Data\Zango
c:\documents and settings\Dana Dewey\Desktop\A92C76B4020562B8\
c:\documents and settings\Dana Dewey\Desktop\A92C76B4020562B8\\A92C76B4020562B8.x86
c:\documents and settings\Dana Dewey\Desktop\A92C76B4020562B8\A92C76B4020562B8
c:\documents and settings\Guest\Application Data\Zango
c:\program files\avrlabs
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2008-12-27 21:06 . 2008-12-27 21:06 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 19:00 . 2008-12-27 19:00 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 19:00 . 2008-12-27 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 17:28 . 2008-12-27 17:28 <DIR> d-------- c:\documents and settings\Dad\DoctorWeb
2008-12-27 16:05 . 2008-12-27 18:17 <DIR> d-------- C:\Combo-Fix
2008-12-26 14:37 . 2008-12-26 14:37 <DIR> d-------- c:\windows\ERUNT
2008-12-26 14:37 . 2008-12-26 14:37 <DIR> d-------- C:\ERDNT
2008-12-26 03:23 . 2008-12-26 03:23 <DIR> d-------- c:\program files\AVG
2008-12-26 03:23 . 2008-12-26 14:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-26 03:19 . 2008-12-26 03:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-26 02:48 . 2008-12-26 02:48 <DIR> d-------- c:\documents and settings\Dad\Application Data\Malwarebytes
2008-12-26 01:41 . 2008-12-26 01:41 <DIR> d-------- c:\documents and settings\Dana Dewey\Application Data\Malwarebytes
2008-12-26 01:40 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-26 01:39 . 2008-12-26 01:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 01:39 . 2008-12-26 01:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 01:39 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-19 15:08 . 2008-12-19 15:08 <DIR> d-------- c:\documents and settings\Dad\Application Data\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 22:01 --------- d-----w c:\program files\Java
2008-12-19 20:43 --------- d-----w c:\documents and settings\Dad\Application Data\Apple Computer
2008-12-18 17:22 --------- d-----w c:\documents and settings\Dana Dewey\Application Data\FrostWire
2008-12-08 01:05 --------- d-----w c:\documents and settings\All Users\Application Data\AcrobatInstall
2008-12-05 14:38 --------- d-----w c:\program files\McAfee
2008-12-04 01:35 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-21 20:55 --------- d-----w c:\program files\iTunes
2008-11-21 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 20:54 --------- d-----w c:\program files\iPod
2008-11-21 20:54 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 20:52 --------- d-----w c:\program files\QuickTime
2008-11-14 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 19:23 --------- d-----w c:\program files\AIMTunes
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-16 1838592]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-01-17 17920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-04-16 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 14:20 73728 c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
R4 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-06 203280]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-01 24652]
R4 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-08-11 5120]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-08-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 11:06:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(644)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\stacsv.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\msdtc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-01-09 11:09:45 - machine was rebooted [Dad]
ComboFix-quarantined-files.txt 2009-01-09 17:09:41

Pre-Run: 63,740,334,080 bytes free
Post-Run: 63,707,373,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

171 --- E O F --- 2008-11-14 02:04:52


Gmer Log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-09 11:36:28
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA94859D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA948597D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA9485996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9485A12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9485950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9485964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA94859E6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA94859BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA94859AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9485A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9485A28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA94859FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A9485A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A94859D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A9485A16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A9485A2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A94859EA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP A9485954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP A9485968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP A94859AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP A948599A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP A9485981 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP A94859C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP A9485A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F57
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007001E
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070078
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700C6
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070067
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FCD
.text C:\WINDOWS\system32\services.exe[632] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070F1C
.text C:\WINDOWS\system32\services.exe[632] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[632] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060FBD
.text C:\WINDOWS\system32\services.exe[632] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[632] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[632] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0006007A
.text C:\WINDOWS\system32\services.exe[632] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[632] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060069
.text C:\WINDOWS\system32\services.exe[632] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[632] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0F79
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD006E
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0F94
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0FA5
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD00B7
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00A6
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0F2F
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD00D2
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FD00E3
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FD0047
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FD007F
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\lsass.exe[644] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FD0F54
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E40040
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E40025
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E40F83
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 04, 89 ]
.text C:\WINDOWS\system32\lsass.exe[644] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E40F94
.text C:\WINDOWS\system32\lsass.exe[644] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006E
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0053
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F79
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F8A
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A009A
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0089
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F1C
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F41
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00D0
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0036
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0011
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FD1
.text C:\WINDOWS\system32\dllhost.exe[780] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00B5
.text C:\WINDOWS\system32\dllhost.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0FC3
.text C:\WINDOWS\system32\dllhost.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A0065
.text C:\WINDOWS\system32\dllhost.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\system32\dllhost.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0014
.text C:\WINDOWS\system32\dllhost.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0054
.text C:\WINDOWS\system32\dllhost.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002A0039
.text C:\WINDOWS\system32\dllhost.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0FA8
.text C:\WINDOWS\system32\dllhost.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02460FEF
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02460056
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02460045
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02460F6B
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02460F7C
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0246001E
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02460F1F
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02460F30
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024600B8
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02460093
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 024600C9
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02460F8D
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02460FDE
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02460067
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02460FB2
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02460FC3
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02460082
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02450051
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 024500A2
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02450040
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02450025
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02450FDB
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02450000
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02450087
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02450062
.text C:\WINDOWS\system32\svchost.exe[812] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02430FEF
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF008C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0F8D
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0071
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0FA8
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0FCA
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0F5F
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0F7C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF0F44
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF00DD
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00EF0F29
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00EF0FB9
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00EF009D
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00EF002C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00EF00C2
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EE0025
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EE0073
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EE0FD4
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EE0FE5
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EE0062
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00EE0051
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EE0040
.text C:\WINDOWS\system32\svchost.exe[860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC0FE5
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02DE0FEF
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02DE0080
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02DE0F81
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02DE005B
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02DE0F9E
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02DE0FD4
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02DE0F38
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02DE0F5F
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02DE0F0C
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02DE00A5
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02DE00CA
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02DE0FC3
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02DE0000
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02DE0F70
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02DE0036
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02DE001B
.text C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02DE0F27
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02CC0FA8
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02CC0040
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02CC0FB9
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02CC0FDE
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02CC002F
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02CC0FEF
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02CC0F83
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ EC, 8A ]
.text C:\WINDOWS\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02CC0014
.text C:\WINDOWS\System32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02B10000
.text C:\WINDOWS\System32\svchost.exe[952] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02DD0FEF
.text C:\WINDOWS\System32\svchost.exe[952] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02DD000A
.text C:\WINDOWS\System32\svchost.exe[952] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02DD0FCA
.text C:\WINDOWS\System32\svchost.exe[952] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02DD0FAF
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800047
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800036
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800F5E
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800F6F
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800FAF
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F21
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800073
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0080008E
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800EF5
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00800EDA
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00800F8A
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00800062
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00800FC0
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00800F06
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007F0FCA
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007F007D
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007F0FE5
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007F0062
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 007F0051
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007F0036
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60090
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F9B
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60075
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60FB6
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C6003D
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F65
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C600A1
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C600ED
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C600C8
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C60108
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C60058
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C60F80
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C6002C
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C60FDB
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C60F54
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 009F0080
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 009F0036
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 009F0065
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 009F0FB9
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ BF, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 009F0FD4
.text C:\WINDOWS\system32\svchost.exe[1096] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A00025
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02290FEF
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02290F9E
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02290FAF
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0229007D
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0229006C
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02290047
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022900DC
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022900BF
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02290F68
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02290F83
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02290F4D
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02290FC0
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0229000A
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 022900AE
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0229002C
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0229001B
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02290101
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02270FC3
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02270F83
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02270FD4
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0227000A
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02270040
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02270FEF
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02270F9E
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 47, 8A ]
.text C:\WINDOWS\Explorer.EXE[1720] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02270025
.text C:\WINDOWS\Explorer.EXE[1720] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02280FEF
.text C:\WINDOWS\Explorer.EXE[1720] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0228000A
.text C:\WINDOWS\Explorer.EXE[1720] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02280FD4
.text C:\WINDOWS\Explorer.EXE[1720] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02280FC3
.text C:\WINDOWS\Explorer.EXE[1720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02250FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2152] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B008E
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B007D
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B006C
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F7E
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00BA
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00FC
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F63
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B010D
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B00A9
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[2260] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B00E1
.text C:\WINDOWS\system32\wuauclt.exe[2260] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0FBC
.text C:\WINDOWS\system32\wuauclt.exe[2260] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0065
.text C:\WINDOWS\system32\wuauclt.exe[2260] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FCD
.text C:\WINDOWS\system32\wuauclt.exe[2260] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[2260] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0054
.text C:\WINDOWS\system32\wuauclt.exe[2260] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2260] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002B0043
.text C:\WINDOWS\system32\wuauclt.exe[2260] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0028
.text C:\WINDOWS\system32\wuauclt.exe[2260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0FEF
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A3008E
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A30F99
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A3007D
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A30062
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A30040
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A30F48
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A30F63
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A300B5
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A30F1C
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A30F01
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A30051
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A30F74
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A3002F
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A30F37
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A20FB9
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A20054
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A20FDE
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A20F8D
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00A2002F
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A20FA8
.text C:\WINDOWS\system32\dllhost.exe[2848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A00000
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0084
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F8F
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0073
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0062
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00B5
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F63
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00F2
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00E1
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A010D
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0051
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F74
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0036
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0025
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00C6
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0029001B
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F6F
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FC0
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F8A
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FA5
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0029002C
.text C:\WINDOWS\System32\svchost.exe[3724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B000A

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A7BF7D20
Device \FileSystem\Fastfat \Fat A7C07428

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----


I will wait for your next instructions before making any additional changes.

Thank you and I look forward to hearing back from you soon,
jcarissimo
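The GMER "Code sections" lines in the log above are inline hooks: the first 5 bytes of an exported function (kernel32!CreateProcessW, ADVAPI32!RegOpenKeyExW, WS2_32!socket and so on) overwritten with a JMP to a target in a low 00xxxxxx region, in both dllhost.exe[2848] and svchost.exe[3724]. Someone triaging such a log wants the entries grouped per process and per target region, with the one split entry (RegCreateKeyW reported as a 2-byte JMP followed by 2 raw bytes at +3) kept with its hook rather than dropped. The Python below is an added example written for this page, not code from the poster, from GMER or from the BleepingComputer team; its sample input is a constructed subset of the lines posted above, and its "out of module" check is a heuristic that estimates each DLL's extent from the patched addresses themselves, because GMER's hook lines carry no module list. The thread's own conclusion was that this machine was clean after ComboFix, so a hook landing in such a region only identifies something to resolve against a module listing (a security product's user-mode hooks look the same); it is not evidence of malware by itself.

```python
"""Added triage helper for GMER 'Code sections' inline-hook lines. Parses the
two shapes GMER prints for a patched export:
    .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>
    .text <image>[<pid>] <module>!<export> + <off> <addr> <n> Bytes [ xx, yy ]
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
# Constructed sample: a subset of the hook lines from the log posted above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\dllhost.exe[2848] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A30F37
.text C:\WINDOWS\system32\dllhost.exe[2848] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A20FB9
.text C:\WINDOWS\system32\dllhost.exe[2848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A00000
.text C:\WINDOWS\System32\svchost.exe[3724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00F2
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FA5
.text C:\WINDOWS\System32\svchost.exe[3724] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\System32\svchost.exe[3724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B000A
---- Devices - GMER 1.0.14 ----
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])\s*$"
)

@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str            # hooked DLL, lower-cased for grouping
    export: str
    offset: int            # byte offset into the export where this patch starts
    addr: int              # patched address
    nbytes: int            # patched byte count
    target: Optional[int]  # JMP destination; None when GMER printed raw bytes
    raw: tuple             # those raw bytes, e.g. (0x49, 0x88)

def parse_gmer_hooks(text: str) -> list:
    """One Hook per '.text ...' line; headers, device lines and blanks are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        raw = tuple(int(b, 16) for b in m["raw"].replace(",", " ").split()) if m["raw"] else ()
        hooks.append(Hook(
            image=m["image"], pid=int(m["pid"]), module=m["module"].lower(),
            export=m["export"], offset=int(m["offset"] or 0),
            addr=int(m["addr"], 16), nbytes=int(m["nbytes"]),
            target=int(m["target"], 16) if m["target"] else None, raw=raw))
    return hooks

def region(addr: int) -> int:
    """64 KB allocation-granularity base containing addr."""
    return addr & ~0xFFFF

def module_spans(hooks) -> dict:
    """Lowest and highest patched address seen per module: a rough module extent."""
    spans = {}
    for h in hooks:
        lo, hi = spans.get(h.module, (h.addr, h.addr))
        spans[h.module] = (min(lo, h.addr), max(hi, h.addr))
    return spans

def out_of_module_hooks(hooks) -> list:
    """JMP hooks whose target lies outside every module extent seen in the log.

    Heuristic: GMER's hook lines carry no module list, so extents are estimated
    from the patched addresses. A target below every system DLL (00xxxxxx here)
    is memory some other component allocated; resolve its owner separately.
    """
    spans = module_spans(hooks)
    return [h for h in hooks if h.target is not None
            and not any(lo <= h.target <= hi for lo, hi in spans.values())]

def summarize(hooks) -> dict:
    """Per (image, pid): export -> target, targets grouped by region, split patches."""
    out = {}
    for h in hooks:
        e = out.setdefault((h.image, h.pid),
                           {"exports": {}, "regions": defaultdict(list), "split": []})
        name = f"{h.module}!{h.export}"
        if h.target is not None:
            e["exports"][name] = h.target
            e["regions"][region(h.target)].append(name)
        else:  # tail of a hook GMER reported as a 2-byte JMP plus raw bytes
            e["split"].append((name, h.offset, h.raw))
    return out

if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_LOG)
    for (image, pid), e in summarize(hooks).items():
        print(f"{image}[{pid}]: {len(e['exports'])} hooked exports, {len(e['split'])} split")
        for base, names in sorted(e["regions"].items()):
            print(f"  -> {base:08X}: {', '.join(names)}")
    print(f"{len(out_of_module_hooks(hooks))} JMP hooks land outside every module extent")
```

Run it directly for the per-process report, or pass the whole "Code sections" block of a saved GMER log to parse_gmer_hooks(); lines of any other shape (section headers, device entries) are skipped rather than misparsed. Many different DLL exports in one process all jumping into two or three 64 KB regions is what one injected trampoline block looks like, whether it belongs to an antivirus or to something else; the next step is a module listing of that process to see who owns those regions.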

#6 PropagandaPanda (Malware Response Team)

Posted 09 January 2009 - 04:28 PM

Hello jcarissimo.

Looks like ComboFix handled that infection without a problem.

F-Secure Online Scan
Please run F-Secure Online Scanner to check for anything remaining.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Also include a new DDS log.

With Regards,
The Panda

#7 jcarissimo (Topic Starter)

Posted 10 January 2009 - 02:26 AM

Hi Panda, I've just run both scans as you requested - F-Secure and DDS. I will paste both logs below.

F-Secure Log:
Scanning Report
Friday, January 09, 2009 23:44:53 - 01:10:59
Computer name: DSF140MU
Scanning type: Scan system for malware, rootkits
Target: C:\


-----------------------------------------------------------------

---------------

Result: 4 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adrevolver (spyware)
System
TrackingCookie.Webtrends (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System

-----------------------------------------------------------------

---------------

Statistics
Scanned:
Files: 30992
System: 3169
Not scanned: 19
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 4
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCAFEE_WIXJF61V0ZQGCB9
C:\WINDOWS\TEMP\MCMSC_A02VK8HNB4GCYB9
C:\WINDOWS\TEMP\MCMSC_AQUWZ2VMPVYF0AA
C:\WINDOWS\TEMP\MCMSC_K13QKZICFBJVKJY
C:\WINDOWS\TEMP\SQLITE_3HGH5DFCCFMASQQ
C:\WINDOWS\TEMP\SQLITE_6QZCBKWAU0LS6YW
C:\WINDOWS\TEMP\SQLITE_KLVJQWA0AFHXQJY
C:\WINDOWS\TEMP\SQLITE_MMPKBUVZOWEKLZY
C:\WINDOWS\TEMP\SQLITE_OY4X5W5FHZ6MGAB
C:\WINDOWS\TEMP\SQLITE_PBKVAOUVF8HCKS2
C:\WINDOWS\TEMP\SQLITE_QATFHVBTF2MTVXX
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\PREFETCH\LAYOUT.INI

-----------------------------------------------------------------

---------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Blacklight: 0.0.0
F-Secure Hydra: 2.8.8110, 2009-01-10
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure AVP: 7.0.171, 2009-01-10
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT
VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM
ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP
WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM
EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG
LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics
------------------------------------------------------------------------------

DDS Log:

DDS (Version 1.1.0) - NTFSx86
Run by Dad at 1:15:18.05 on Sat 01/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.563 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-20 207656]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"c:\program files\broadcom\asfipmon\AsfIpMon.exe" -service [2006-12-19 79432]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe" [2008-1-11 30312]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\McSACore.exe" [2008-9-6 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-20 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-20 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-9-1 24652]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-20 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-20 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-20 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-20 40488]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -sMSSMLBIZ [2008-2-26 29183504]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-20 605512]

=============== Created Last 30 ================

2009-01-09 23:41 <DIR> --d----- C:\fsaua.data
2009-01-09 11:21 345 a------- c:\windows\gmer.ini
2009-01-09 10:59 <DIR> a-dshr-- C:\cmdcons
2009-01-09 10:58 161,792 a------- c:\windows\SWREG.exe
2009-01-09 10:58 98,816 a------- c:\windows\sed.exe
2008-12-27 21:06 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 19:00 <DIR> --d----- c:\program files\Lavasoft
2008-12-27 17:28 <DIR> --d----- c:\documents and settings\dad\DoctorWeb
2008-12-27 16:05 <DIR> --d----- C:\Combo-Fix
2008-12-26 14:37 <DIR> --d----- c:\windows\ERUNT
2008-12-26 03:23 <DIR> --d----- c:\program files\AVG
2008-12-26 03:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-26 03:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-26 02:48 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2008-12-26 01:40 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-26 01:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 01:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 01:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-25 21:45 <DIR> --d----- c:\windows\pss
2008-12-25 21:44 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll

============= FINISH: 1:15:58.24 ===============


Again, I will wait for your next instruction and thank you for all your help.
Regards,
jcarissimo


#8 PropagandaPanda (Malware Response Team)

Posted 10 January 2009 - 09:36 AM

Hello.

Looks to be clean of malware. Unless you have any other problems, we can clear out our tools and wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, which give some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#9 jcarissimo (Topic Starter)

Posted 10 January 2009 - 12:09 PM

PropagandaPanda, I really appreciate all your help with this one. Everything is running well and my niece will be thrilled to get her laptop back, running the way it was before being infected. Now if I can only convince her not to use certain websites she should be fine...

Thank you again,

jcarissimo

#10 PropagandaPanda (Malware Response Team)

Posted 10 January 2009 - 01:38 PM

Glad I could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
