Possible Key Change/Hijack This Assistance Requested


  • This topic is locked
12 replies to this topic

#1 JPBT

  • Members
  • 7 posts

Posted 31 January 2009 - 04:30 PM

Hello,

Earlier this week I noticed an issue with my parents' computer whereby the first page of links given when a topic was entered into a search engine was misdirected. The description and page name of the link were correct, but the website address associated with the result was not. Subsequent results pages had the correct link information. My assumption is that one of my younger brothers or sisters did something not so bright. Since then I have run a variety of virus and malware scans to see if I could fix the problem (specifically McAfee, Microsoft Windows Defender, Malwarebytes and Ad-Aware). The first few scans found some registry key changes and identified some files as Trojans and apparently fixed those problems, but recent scans have not found any errors. The problem, however, persists. Any help that could be given in solving this problem would be much appreciated. Below find the DDS report as requested; please let me know if you need more information:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 15:02:13.30 on Sat 01/31/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.40 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\LTMSG.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uDefault_Page_URL = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: NoExplorer - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: FCTBPos00Pos Class: {a1023bb9-453c-463f-9288-56ae96c52807} - c:\program files\susan g. komen for the cure® toolbar\Toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Susan G. Komen for the Cure® Toolbar: {bb0cbe93-cd99-45b9-bf11-291f1b260698} - c:\program files\susan g. komen for the cure® toolbar\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\office
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE}
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE}
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149525105375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149566683234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9}
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\azada\images\armhelper.ocx
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {B58EE835-12D6-41E7-B68F-FB75B23E7AF9} = 10.0.0.2
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kbzd4e7n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-24 64160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-2 99376]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-24 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-24 35240]

=============== Created Last 30 ================

2009-01-25 18:51 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-01-25 18:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-25 18:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 18:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 17:08 <DIR> --d----- c:\program files\Trend Micro
2009-01-24 20:50 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-24 19:49 8,033 a------- c:\windows\system32\Config.MPF
2009-01-24 19:43 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-01-24 19:43 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-24 19:43 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-24 19:43 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-24 19:43 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-24 19:43 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-01-24 19:42 <DIR> --d----- c:\program files\McAfee.com
2009-01-24 19:41 <DIR> --d----- c:\program files\common files\McAfee
2009-01-24 19:40 <DIR> --d----- c:\program files\McAfee
2009-01-24 17:18 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-24 17:16 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-24 14:15 0 a------- c:\windows\MSDraw.ini
2009-01-20 12:33 <DIR> --d----- c:\program files\DivX
2009-01-18 20:31 <DIR> --d----- C:\spoolerlogs
2009-01-17 19:49 <DIR> --d----- c:\program files\Amazon
2009-01-17 19:12 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-17 19:12 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2008-12-30 17:07 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-30 17:07 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-30 17:06 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-30 15:26 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-30 15:23 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-25 20:10 497 a------- c:\documents and settings\owner\xrt_log.dat
2008-11-16 13:15 1,739 a------- c:\windows\Sysvxd.exe
2008-11-10 12:23 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2008-11-06 10:35 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-06 10:35 200,704 a------- c:\windows\system32\ssldivx.dll
2007-02-10 18:59 32 a----r-- c:\documents and settings\all users\hash.dat
2008-10-04 20:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat

============= FINISH: 15:04:34.92 ===============


Thanks,

JPBT
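One way to do the first pass an analyst makes over the "Pseudo HJT Report" section of a DDS log like the one above, as an added example that is not part of this thread, of DDS, or of any tool the helpers use. It parses the entry lines (URLSearchHooks, BHO, TB, EB, uRun/mRun, DPF) and pulls out three things worth looking at when search results are being redirected: entries DDS marks "No File" (a registry reference whose DLL is gone), ActiveX (DPF) controls registered from a local file:// path rather than a download URL, and one program registered under several Run values. The sample log is a constructed subset of lines copied from the report above; the three checks are this example's own heuristics, not DDS rules.

```python
"""First-pass triage of the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not part of DDS, GMER or the original
posts. The checks below are this example's own heuristics, not DDS rules.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample: a subset of the lines from the DDS report posted above.
SAMPLE_LOG = r"""
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: NoExplorer - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [LTMSG] LTMSG.exe 7
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\azada\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


@dataclass
class Entry:
    kind: str             # uURLSearchHooks, BHO, TB, EB, uRun, mRun, DPF, ...
    name: Optional[str]   # display name, or the Run value name from [brackets]
    clsid: Optional[str]  # first {GUID} on the line, lower-cased, if any
    target: str           # DLL/EXE path, command line or download URL
    missing: bool         # DDS printed 'No File': the registry entry points at nothing on disk


CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_RE = re.compile(r"^(?P<kind>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
GENERIC_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<body>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS entry line; returns None for blank or non-entry lines."""
    line = line.strip()
    if not line:
        return None
    m = RUN_RE.match(line)
    if m:
        return Entry(m["kind"], m["name"], None, m["cmd"], False)
    m = GENERIC_RE.match(line)
    if not m:
        return None
    kind, body = m["kind"], m["body"]
    # DDS puts the backing file (or 'No File') after the last ' - ' separator.
    head, sep, target = body.rpartition(" - ")
    if not sep:
        head, target = body, ""
    clsid_m = CLSID_RE.search(head)
    clsid = clsid_m.group(0).lower() if clsid_m else None
    # Display name is what is left of the head once the CLSID is removed.
    name = CLSID_RE.sub("", head).rstrip(": ").strip() or None
    return Entry(kind, name, clsid, target, target == "No File")


def triage(log_text: str) -> Dict[str, Any]:
    """Return all parsed entries plus the three findings an analyst checks first."""
    entries: List[Entry] = [e for e in map(parse_line, log_text.splitlines()) if e]
    orphans = [e for e in entries if e.missing]
    local_dpf = [e for e in entries
                 if e.kind == "DPF" and e.target.lower().startswith("file://")]
    # One program registered under several Run values/hives (quotes and case ignored).
    by_cmd: Dict[str, List[str]] = {}
    for e in entries:
        if e.kind in ("uRun", "mRun"):
            by_cmd.setdefault(e.target.strip('"').lower(), []).append(f"{e.kind}:[{e.name}]")
    duplicate_runs = {cmd: where for cmd, where in by_cmd.items() if len(where) > 1}
    return {"entries": entries, "orphans": orphans,
            "local_dpf": local_dpf, "duplicate_runs": duplicate_runs}


def report(result: Dict[str, Any]) -> str:
    """One line per finding, in the order orphans, local DPF, duplicate Runs."""
    lines = []
    for e in result["orphans"]:
        lines.append(f"orphan  {e.kind:16} {e.name or e.clsid} (No File)")
    for e in result["local_dpf"]:
        lines.append(f"local   DPF {e.clsid} -> {e.target}")
    for cmd, where in result["duplicate_runs"].items():
        lines.append(f"dupRun  {cmd}  <- {', '.join(where)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample it lists five dead references (the URLSearchHook "H", two BHOs, a toolbar and an explorer bar whose DLLs are gone), one ActiveX control registered from a local file:// path, and Yahoo Search Protection registered three times across the user and machine Run keys. A "No File" entry cannot load code, so it is not what is rewriting the search results, but it is a leftover worth clearing; the entries that do load, and the matching "Running Processes" list, are where the next look goes.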

#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 08 February 2009 - 03:13 PM

Hello, JPBT
(thumbs up) to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the [image] button in the lower left hand corner of your screen.
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click [image] on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    [image]
  • Click on [image] and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push [image] and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 JPBT

  • Topic Starter
  • Members
  • 7 posts

Posted 09 February 2009 - 08:31 PM

Hello Billy,

Many thanks for the assistance! Here is the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-09 19:24:58
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF74D787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF74D7C10]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF53689AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF5368958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF536896C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF5368A57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF5368A83]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF5368AF1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF5368ADB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF53689EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF5368B1D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF5368A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF5368930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF5368944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF53689BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF5368B59]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF5368AC5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF5368AAF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF5368A6D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF5368B45]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF5368B31]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF5368996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF5368982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF5368A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF5368B07]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF5368A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF53689D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F53689D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP F5368A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP F5368AB3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP F53689AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP F5368986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP F5368B5D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP F5368AF5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP F5368934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP F53689C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP F5368A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP F53689EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP F5368970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP F5368A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP F5368948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP F5368B21 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP F5368ADF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP F5368A87 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP F5368A5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP F536895C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP F536899A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA12 7 Bytes JMP F5368B0B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E338 7 Bytes JMP F5368AC9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP F5368A71 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ECA9 5 Bytes JMP F5368B35 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F112 5 Bytes JMP F5368B49 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[548] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[548] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011D0000
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011D008E
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011D007D
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011D006C
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011D0FAF
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011D0FD1
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011D00AB
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011D0F63
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011D0F23
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011D00C6
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011D00E1
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 011D0FC0
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011D0011
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011D0F74
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 011D0047
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 011D0036
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011D0F48
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 011C0FE5
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 011C0098
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 011C0040
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 011C001B
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 011C007D
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 011C0000
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 011C006C
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 011C005B
.text C:\WINDOWS\system32\services.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011A0FEF
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0089
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0F8A
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0FA5
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0FC0
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0051
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB00D2
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB00C1
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB0119
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB00FE
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CB0F65
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CB0062
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CB009A
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CB0036
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CB00ED
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CA0F9E
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CA0025
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CA0014
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CA0F8D
.text C:\WINDOWS\system32\lsass.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0054
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0F55
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0F7C
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0F8D
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0039
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F29
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0F3A
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0EF3
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F18
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CA00B1
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CA0FA8
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CA0065
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CA0FCD
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CA008C
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C90F79
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C90F9E
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C90040
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C90FAF
.text C:\WINDOWS\system32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E20084
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E20069
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E20F9B
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E20FAC
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E2004E
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E20F32
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E20F59
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E20F10
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E20F21
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E200BA
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E20FC7
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E20011
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E20F74
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E2003D
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E20022
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E2009F
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E10040
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E10FB9
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E1001B
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E10FCA
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E1006C
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E1005B
.text C:\WINDOWS\system32\svchost.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF000A
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026F0000
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 026F0F8A
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 026F007F
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 026F006E
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 026F0FA5
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 026F0036
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026F0090
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026F0F54
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026F0F08
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026F0F19
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 026F00C6
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 026F0047
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 026F0011
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 026F0F6F
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 026F0FC0
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 026F0FD1
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 026F00A1
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CB0FCA
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CB0040
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CB0025
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CB0F83
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CB0000
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CB0F94
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ EB, 88 ]
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CB0FAF
.text C:\WINDOWS\System32\svchost.exe[1152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90000
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00CC0000
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00CC0025
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00CC0036
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00760095
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0076007A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00760069
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0076004E
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00760FD1
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00760F68
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007600B0
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00760F32
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00760F4D
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00760F17
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00760FAC
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00760011
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00760F85
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0076003D
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0076002C
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007600CB
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0075002C
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0075007A
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0075001B
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0075000A
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0075005F
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0075004E
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0075003D
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00730FEF
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE008C
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0067
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE004A
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0F8D
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0FB9
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE00C9
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE00B8
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE0F66
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE0109
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DE011A
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DE0FA8
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DE0FDE
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DE00A7
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DE0025
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DE0014
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DE00E4
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DD0036
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DD0062
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DD0025
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DD0000
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DD0FAF
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DD0FE5
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00DD0FC0
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ FD, 88 ]
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DD0047
.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DB0000
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60073
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60058
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60047
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60F94
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FAF
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D600B2
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60095
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600F9
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D600E8
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D60114
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D60036
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D60084
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D6001B
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D60FCA
.text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D600D7
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00AD0FB9
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00AD0F83
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00AD0FD4
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00AD0FE5
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00AD0036
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00AD000A
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00AD0025
.text C:\WINDOWS\System32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00AD0F9E
.text C:\WINDOWS\System32\svchost.exe[1404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AB0000
.text C:\WINDOWS\System32\svchost.exe[1404] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00AE0FE5
.text C:\WINDOWS\System32\svchost.exe[1404] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00AE0FCA
.text C:\WINDOWS\System32\svchost.exe[1404] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00AE0FAF
.text C:\WINDOWS\System32\svchost.exe[1404] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00AE0F9E
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01460000
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01460095
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0146007A
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01460FA0
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01460069
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01460047
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01460F74
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01460F85
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01460F45
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014600E8
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01460F2A
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01460058
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01460011
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 014600A6
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0146002C
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01460FDB
.text C:\WINDOWS\Explorer.EXE[1424] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 014600CD
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E10FCA
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E10047
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E10FDB
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E1001B
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E10036
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E1000A
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E10F94
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 01, 89 ]
.text C:\WINDOWS\Explorer.EXE[1424] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E10FAF
.text C:\WINDOWS\Explorer.EXE[1424] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01450FEF
.text C:\WINDOWS\Explorer.EXE[1424] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01450FD4
.text C:\WINDOWS\Explorer.EXE[1424] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01450000
.text C:\WINDOWS\Explorer.EXE[1424] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01450FAF
.text C:\WINDOWS\Explorer.EXE[1424] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C4000A
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB009D
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB0FA8
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB0082
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB0FB9
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB0051
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB00C9
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB0F81
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB00FC
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB00EB
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DB0F48
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DB0FCA
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DB0014
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DB00B8
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DB0040
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DB002F
.text C:\WINDOWS\System32\svchost.exe[1928] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DB00DA
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DA002C
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DA0FAC
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DA001B
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DA0073
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DA000A
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DA0058
.text C:\WINDOWS\System32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DA003D
.text C:\WINDOWS\System32\svchost.exe[1928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F6A
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F7B
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A005F
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A004E
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F21
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F3E
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A009F
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0084
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00B0
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A003D
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F59
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0022
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0011
.text C:\WINDOWS\System32\svchost.exe[3248] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F10
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F83
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290011
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290036
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290F9E
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\System32\svchost.exe[3248] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FAF
.text C:\WINDOWS\System32\svchost.exe[3248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F68
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B005D
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B004C
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B002F
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F46
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0082
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F24
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F35
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B0F13
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F57
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[4004] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B00B3
.text C:\WINDOWS\system32\wuauclt.exe[4004] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B002C
.text C:\WINDOWS\system32\wuauclt.exe[4004] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0073
.text C:\WINDOWS\system32\wuauclt.exe[4004] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[4004] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4004] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0FB6
.text C:\WINDOWS\system32\wuauclt.exe[4004] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\wuauclt.exe[4004] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002B0058
.text C:\WINDOWS\system32\wuauclt.exe[4004] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B003D
.text C:\WINDOWS\system32\wuauclt.exe[4004] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003D0000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----


Thanks again!

JPBT

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:07 PM

Posted 10 February 2009 - 06:20 PM

Hello, JPBT
What web browser do you typically use?

Are your results still being redirected?

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 JPBT
Topic Starter

Posted 10 February 2009 - 09:25 PM

Hello Billy,

My parents and siblings typically use the proprietary SBC Yahoo browser, which I believe is still a Trident/IE clone. IE and Firefox are also used occasionally.

After finding the problem with the search results, I effectively banned my parents and younger siblings from using the internet and locked down the firewall. After the computer restarted following the ComboFix run, I ran searches in all three browsers mentioned above on Google, Yahoo, and MSN, and found no problems with the links that came up.

ComboFix log follows:

ComboFix 09-02-10.01 - Owner 2009-02-10 19:06:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.108 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\wdmaud.sys
D:\Autorun.inf

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\winlogon.exe


.
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-10 19:03 . 2009-02-10 19:04 <DIR> d-------- C:\32788R22FWJFW
2009-02-09 18:23 . 2009-02-09 18:23 250 --a------ c:\windows\gmer.ini
2009-01-25 18:51 . 2009-01-25 18:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-25 18:51 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 18:51 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 18:50 . 2009-01-25 18:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 18:50 . 2009-01-25 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 17:08 . 2009-01-25 17:08 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 16:50 . 2009-01-25 16:50 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-25 13:22 . 2009-01-25 13:22 <DIR> d-------- c:\program files\Windows Defender
2009-01-24 20:50 . 2009-01-24 17:17 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-24 19:49 . 2009-01-24 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-24 19:49 . 2009-02-10 19:16 8,033 --a------ c:\windows\system32\Config.MPF
2009-01-24 19:43 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-24 19:43 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-24 19:43 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-24 19:43 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-24 19:43 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-24 19:43 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-24 19:42 . 2009-01-24 19:43 <DIR> d-------- c:\program files\McAfee.com
2009-01-24 19:41 . 2009-01-24 19:43 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-24 19:40 . 2009-01-28 21:55 <DIR> d-------- c:\program files\McAfee
2009-01-24 19:08 . 2009-01-24 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-24 17:18 . 2009-01-24 17:17 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-24 17:16 . 2009-01-24 17:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-24 17:15 . 2009-01-24 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-24 14:15 . 2009-01-24 14:15 0 --a------ c:\windows\MSDraw.ini
2009-01-20 12:33 . 2009-01-20 12:33 <DIR> d-------- c:\program files\DivX
2009-01-18 20:31 . 2009-01-18 20:31 <DIR> d-------- C:\spoolerlogs
2009-01-17 19:50 . 2009-01-17 19:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\Amazon
2009-01-17 19:49 . 2009-01-17 19:49 <DIR> d-------- c:\program files\Amazon
2009-01-17 19:12 . 2009-01-19 20:18 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-17 19:12 . 2009-01-17 19:12 1,409 --a------ c:\windows\QTFont.for
2009-01-13 14:41 . 2009-01-13 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 08:26 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-07 01:04 --------- d-----w c:\program files\Lx_cats
2009-01-30 02:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-30 02:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 22:49 --------- d-----w c:\program files\Bonjour
2009-01-25 17:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 17:58 --------- d-----w c:\program files\SpywareBlaster
2009-01-25 01:23 --------- d-----w c:\program files\Yahoo!
2009-01-25 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-24 23:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-24 23:15 --------- d-----w c:\program files\Lavasoft
2009-01-24 23:07 --------- d-----w c:\program files\Coupons
2009-01-22 22:43 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2008-12-30 23:07 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-30 23:07 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-30 23:06 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-30 21:31 --------- d-----w c:\program files\Zune
2008-12-30 21:26 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-30 21:23 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-26 23:09 --------- d-----w c:\program files\MixMeister EZ Vinyl Converter
2008-12-26 21:58 --------- d-----w c:\program files\iTunes
2008-12-26 21:58 --------- d-----w c:\program files\iPod
2008-12-26 21:56 --------- d-----w c:\program files\QuickTime
2008-12-26 21:54 --------- d-----w c:\program files\Apple Software Update
2008-12-26 21:53 --------- d-----w c:\program files\Common Files\Apple
2008-12-26 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-17 18:26 --------- d-----w c:\program files\Zoom
2008-12-17 18:26 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-17 18:26 --------- d-----w c:\program files\Susan G. Komen for the Cure® Toolbar
2008-12-17 18:26 --------- d-----w c:\program files\Freeze.com Toolbar
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-26 02:10 497 ----a-w c:\documents and settings\Owner\xrt_log.dat
2008-11-16 19:15 1,739 ----a-w c:\windows\Sysvxd.exe
2007-02-11 00:59 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-11-22 20:37 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-22 20:37 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-22 20:37 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-22 20:37 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-22 20:37 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-05 02:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
.

------- Sigcheck -------

2004-08-03 23:56 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-10-21 23:30 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1023BB9-453C-463F-9288-56AE96C52807}]
2008-06-11 23:40 1228800 --a------ c:\program files\Susan G. Komen for the Cure® Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BB0CBE93-CD99-45B9-BF11-291F1B260698}"= "c:\program files\Susan G. Komen for the Cure® Toolbar\Toolbar.dll" [2008-06-11 1228800]

[HKEY_CLASSES_ROOT\clsid\{bb0cbe93-cd99-45b9-bf11-291f1b260698}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BB0CBE93-CD99-45B9-BF11-291F1B260698}"= "c:\program files\Susan G. Komen for the Cure® Toolbar\Toolbar.dll" [2008-06-11 1228800]

[HKEY_CLASSES_ROOT\clsid\{bb0cbe93-cd99-45b9-bf11-291f1b260698}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-31 509784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"NvMediaCenter"="NvMCTray.dll" [2005-08-02 c:\windows\system32\nvmctray.dll]
"VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-11-06 1765]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 08:23 90112 c:\program files\HP\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 08:07 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-12 05:23 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-05-23 03:55 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 21:02 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 12:03 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-08-02 15:35 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-07-31 21:28 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-13 09:07 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
--a------ 2006-08-31 14:49 6033408 c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-08-02 15:35 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 c:\windows\system32\VTTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"Walgreens PhotoShow Media Manager"=c:\progra~1\WALGRE~1\WALGRE~2\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe"
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\lxbxcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbxPSWX.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-24 64160]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-24 203280]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-02 99376]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Viewpoint Manager Service
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - WinDefend
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - ZuneBusEnum
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-31 11:17]

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-01-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []

2009-01-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\ypager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
TCP: {B58EE835-12D6-41E7-B68F-FB75B23E7AF9} = 10.0.0.2
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9}
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 19:22:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-106021210-377303055-906393086-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(536)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\system32\ZuneBusEnum.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-10 19:45:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 01:43:28

Pre-Run: 45,967,417,344 bytes free
Post-Run: 46,039,949,312 bytes free

334 --- E O F --- 2009-01-28 07:07:37


Thanks!!!

JPBT


#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 10 February 2009 - 11:17 PM

Hello, JPBT
You have THIS (http://www.systemlookup.com/CLSID/34640-Toolbar_dll.html) installed on your system. Would you like to remove it?

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    fcopy::
    c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll
    file::
    c:\windows\Sysvxd.exe
    registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"=-
    "5000:TCP"=-
    "5001:TCP"=-
    "5002:TCP"=-
    "5003:TCP"=-
    "5004:TCP"=-
    "5005:TCP"=-
    "5006:TCP"=-
    "5007:TCP"=-
    "5008:TCP"=-
    "5009:TCP"=-
    "5010:TCP"=-
    "5011:TCP"=-
    "5012:TCP"=-
    "5013:TCP"=-
    "5014:TCP"=-
    "5015:TCP"=-
    "5016:TCP"=-
    "5017:TCP"=-
    "5018:TCP"=-
    "5019:TCP"=-
    "5020:TCP"=-
    driver::
    mrtRate
    DDS::
    DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9}
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [image: dragging CFScript.txt onto ComboFix.exe]
    Referring to the picture above, drag CFScript.txt onto ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
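The two ComboFix logs in this thread and the CFScript above turn on three findings that are easy to miss in a wall of log text: a Sigcheck row where the live c:\windows\system32\termsrv.dll hashes differently from the ServicePackFiles copy, a GloballyOpenPorts list that punches TCP 135 and 5000-5020 through the Windows Firewall policy, and Security Center values that silence antivirus and firewall monitoring. The script below is an added example (it is not ComboFix's code, nor anything from BleepingComputer or the posters) that pulls those three findings out of a ComboFix-style log. SAMPLE_LOG is a constructed excerpt that mirrors lines from the log above, and the function names are my own. One caveat a practitioner would add: a hash mismatch on a system DLL is a lead rather than proof of tampering, because a legitimate post-Service-Pack hotfix also changes the file; the thread resolves the question by copying the Service Pack copy back over it with fcopy::.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code)."""
import re
from collections import defaultdict

# Constructed excerpt mirroring the relevant lines of the log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------

2004-08-03 23:56 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-10-21 23:30 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-24 64160]
"""

# One Sigcheck row: date time size md5 path
SIGCHECK_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+([0-9a-f]{32})\s+(.+)$", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...] registry key header
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=', re.I)        # "5000:TCP"= ...
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)


def hash_mismatches(log):
    """Sigcheck files whose system32 copy has a different MD5 than the ServicePackFiles copy.

    Returns [(file name, live md5, service pack md5)]. A mismatch is a lead, not proof:
    a legitimate post-Service-Pack hotfix changes the hash too, so confirm before replacing.
    """
    copies = defaultdict(dict)  # file name -> {"live": md5, "sp": md5}
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        md5, path = m.group(1).lower(), m.group(2).strip().lower()
        name = path.rsplit("\\", 1)[-1]
        if "\\servicepackfiles\\" in path:
            copies[name]["sp"] = md5
        elif "\\system32\\" in path and "\\dllcache\\" not in path:
            copies[name]["live"] = md5
    return [(name, c["live"], c["sp"]) for name, c in copies.items()
            if "live" in c and "sp" in c and c["live"] != c["sp"]]


def globally_open_ports(log):
    """Ports in the firewall policy's GloballyOpenPorts list, collapsed into
    (protocol, low, high) ranges so a run like 5000-5020 shows up as one finding."""
    ports, in_list = defaultdict(set), False
    for line in log.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            in_list = "globallyopenports" in k.group(1).lower()
            continue
        if not line:            # a blank line ends the key's value list
            in_list = False
            continue
        m = PORT_RE.match(line) if in_list else None
        if m:
            ports[m.group(2).upper()].add(int(m.group(1)))
    ranges = []
    for proto, nums in ports.items():
        nums = sorted(nums)
        lo = prev = nums[0]
        for n in nums[1:]:
            if n != prev + 1:   # gap: close the current range
                ranges.append((proto, lo, prev))
                lo = n
            prev = n
        ranges.append((proto, lo, prev))
    return sorted(ranges)


def monitoring_suppressed(log):
    """Non-zero Security Center values that hide AV/firewall state from the user."""
    hits, key = [], None
    for line in log.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = DWORD_RE.match(line)
        if v and key and "security center" in key.lower() and int(v.group(2), 16) != 0:
            hits.append((key, v.group(1)))
    return hits


def triage(log):
    """Run all three checks and return a dict of findings."""
    return {"hash_mismatches": hash_mismatches(log),
            "globally_open_ports": globally_open_ports(log),
            "monitoring_suppressed": monitoring_suppressed(log)}


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(f"{check}:")
        for finding in findings:
            print("   ", finding)
```

On the excerpt this reports termsrv.dll (live 63999d0a..., Service Pack ff3477c0...), TCP 135 and TCP 5000-5002 as globally open, and the two Security Center suppressions. Run it against a full ComboFix.txt by passing the file contents to triage(); the registry:: block in the CFScript above is exactly the list that globally_open_ports() would produce, written out as "port:TCP"=- deletions.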

#7 JPBT

JPBT
  • Topic Starter

  • Members
  • 7 posts

Posted 11 February 2009 - 10:00 PM

Hello Billy,

Do you think I can remove the Susan G. Komen toolbar referenced in your link above (http://www.systemlookup.com/CLSID/34640-Toolbar_dll.html) using the Add/Remove Programs component of the Windows Control Panel (the program is listed there), or is there another way I should go about this?

ComboFix log follows; note that ComboFix found an update the first time I tried to run it with CFScript.txt this evening. I allowed ComboFix to update, canceled the session by saying "No" to the disclaimer, and reran ComboFix with CFScript.txt. I hope this is what I was supposed to do; let me know if I made an error.

ComboFix 09-02-11.02 - Owner 2009-02-11 20:08:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.137 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Sysvxd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Sysvxd.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mrtRate


((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-09 18:23 . 2009-02-09 18:23 250 --a------ c:\windows\gmer.ini
2009-01-25 18:51 . 2009-01-25 18:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-25 18:51 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 18:51 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 18:50 . 2009-01-25 18:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 18:50 . 2009-01-25 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 17:08 . 2009-01-25 17:08 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 16:50 . 2009-01-25 16:50 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-25 13:22 . 2009-01-25 13:22 <DIR> d-------- c:\program files\Windows Defender
2009-01-24 20:50 . 2009-01-24 17:17 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-24 19:49 . 2009-01-24 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-24 19:49 . 2009-02-11 20:19 8,161 --a------ c:\windows\system32\Config.MPF
2009-01-24 19:43 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-24 19:43 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-24 19:43 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-24 19:43 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-24 19:43 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-24 19:43 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-24 19:42 . 2009-01-24 19:43 <DIR> d-------- c:\program files\McAfee.com
2009-01-24 19:41 . 2009-01-24 19:43 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-24 19:40 . 2009-01-28 21:55 <DIR> d-------- c:\program files\McAfee
2009-01-24 19:08 . 2009-01-24 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-24 17:18 . 2009-01-24 17:17 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-24 17:16 . 2009-01-24 17:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-24 17:15 . 2009-01-24 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-24 14:15 . 2009-01-24 14:15 0 --a------ c:\windows\MSDraw.ini
2009-01-20 12:33 . 2009-01-20 12:33 <DIR> d-------- c:\program files\DivX
2009-01-18 20:31 . 2009-01-18 20:31 <DIR> d-------- C:\spoolerlogs
2009-01-17 19:50 . 2009-01-17 19:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\Amazon
2009-01-17 19:49 . 2009-01-17 19:49 <DIR> d-------- c:\program files\Amazon
2009-01-17 19:12 . 2009-01-19 20:18 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-17 19:12 . 2009-01-17 19:12 1,409 --a------ c:\windows\QTFont.for
2009-01-13 14:41 . 2009-01-13 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 00:22 --------- d-----w c:\program files\Lx_cats
2009-02-11 09:29 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-30 02:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-30 02:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 22:49 --------- d-----w c:\program files\Bonjour
2009-01-25 17:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 17:58 --------- d-----w c:\program files\SpywareBlaster
2009-01-25 01:23 --------- d-----w c:\program files\Yahoo!
2009-01-25 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-24 23:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-24 23:15 --------- d-----w c:\program files\Lavasoft
2009-01-24 23:07 --------- d-----w c:\program files\Coupons
2009-01-22 22:43 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2008-12-30 23:07 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-30 23:07 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-30 23:06 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-30 21:31 --------- d-----w c:\program files\Zune
2008-12-30 21:26 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-30 21:23 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-26 23:09 --------- d-----w c:\program files\MixMeister EZ Vinyl Converter
2008-12-26 21:58 --------- d-----w c:\program files\iTunes
2008-12-26 21:58 --------- d-----w c:\program files\iPod
2008-12-26 21:56 --------- d-----w c:\program files\QuickTime
2008-12-26 21:54 --------- d-----w c:\program files\Apple Software Update
2008-12-26 21:53 --------- d-----w c:\program files\Common Files\Apple
2008-12-26 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-17 18:26 --------- d-----w c:\program files\Zoom
2008-12-17 18:26 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-17 18:26 --------- d-----w c:\program files\Susan G. Komen for the Cure® Toolbar
2008-12-17 18:26 --------- d-----w c:\program files\Freeze.com Toolbar
2008-11-26 02:10 497 ----a-w c:\documents and settings\Owner\xrt_log.dat
2007-02-11 00:59 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-11-22 20:37 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-22 20:37 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-22 20:37 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-22 20:37 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-22 20:37 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-05 02:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-10_19.38.13.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-11 00:58:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-12 02:01:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-11 00:58:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-12 02:01:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:07 295,424 -c--a-w c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1023BB9-453C-463F-9288-56AE96C52807}]
2008-06-11 23:40 1228800 --a------ c:\program files\Susan G. Komen for the Cure® Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BB0CBE93-CD99-45B9-BF11-291F1B260698}"= "c:\program files\Susan G. Komen for the Cure® Toolbar\Toolbar.dll" [2008-06-11 1228800]

[HKEY_CLASSES_ROOT\clsid\{bb0cbe93-cd99-45b9-bf11-291f1b260698}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BB0CBE93-CD99-45B9-BF11-291F1B260698}"= "c:\program files\Susan G. Komen for the Cure® Toolbar\Toolbar.dll" [2008-06-11 1228800]

[HKEY_CLASSES_ROOT\clsid\{bb0cbe93-cd99-45b9-bf11-291f1b260698}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-31 509784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"NvMediaCenter"="NvMCTray.dll" [2005-08-02 c:\windows\system32\nvmctray.dll]
"VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-11-06 1765]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 08:23 90112 c:\program files\HP\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 08:07 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-12 05:23 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-05-23 03:55 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 21:02 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 12:03 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-08-02 15:35 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-07-31 21:28 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-13 09:07 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
--a------ 2006-08-31 14:49 6033408 c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-08-02 15:35 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 c:\windows\system32\VTTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"Walgreens PhotoShow Media Manager"=c:\progra~1\WALGRE~1\WALGRE~2\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe"
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\lxbxcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbxPSWX.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-24 64160]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-24 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-08 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-02 99376]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-31 11:17]

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-01-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []

2009-01-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
TCP: {B58EE835-12D6-41E7-B68F-FB75B23E7AF9} = 10.0.0.2
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kbzd4e7n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 20:23:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-106021210-377303055-906393086-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2428)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\ZuneBusEnum.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-11 20:42:14 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-02-12 02:40:42
ComboFix2.txt 2009-02-11 01:45:28

Pre-Run: 46,056,361,984 bytes free
Post-Run: 45,931,307,008 bytes free

306 --- E O F --- 2009-01-28 07:07:37

Thanks!
JPBT

#8 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 11 February 2009 - 10:43 PM

Hello, JPBT

ComboFix log follows; note that ComboFix found an update the first time I tried to run it with CFScript.txt this evening. I allowed ComboFix to update,

CF would have correctly used the CFScript but what you did was fine.

The following instructions will remove the toolbar from your system.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    folder::
    c:\program files\Susan G. Komen for the Cure® Toolbar
    registry::
    [-HKEY_CLASSES_ROOT\clsid\{bb0cbe93-cd99-45b9-bf11-291f1b260698}]
    [-HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112.3]
    [-HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
    [-HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1023BB9-453C-463F-9288-56AE96C52807}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BB0CBE93-CD99-45B9-BF11-291F1B260698}"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [Image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
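As an added check that is not part of this thread: a Python script that parses the "Reg Loading Points" section of two ComboFix logs (the one posted before the CFScript run and the one posted after), reports which registry keys and values disappeared, and flags the Security Center and Windows Firewall settings that are still switched off. The two log excerpts embedded below are constructed from lines quoted in this thread and trimmed to the entries of interest; the function names and the "services" pseudo-key are my own.

```python
import re

SECTION_START = "Reg Loading Points"
SECTION_END = "Contents of the 'Scheduled Tasks' folder"
KEY_RE = re.compile(r"^\[-?(.+)\]$")          # [HKEY_...] header lines
SERVICE_RE = re.compile(r"^[RS]\d ")          # R0/R2/S2 driver and service lines
# Settings a clean-up should leave switched back on; both appear in the logs above.
TAMPER_RULES = (
    ("security center", re.compile(r'"(AntiVirusDisableNotify|DisableMonitoring)"=dword:0*1$', re.I)),
    ("firewallpolicy\\standardprofile", re.compile(r'"EnableFirewall"=\s*0\b', re.I)),
)

# Constructed excerpt of the log posted before the CFScript run.
BEFORE_LOG = r"""
((((((((((((((((( Reg Loading Points )))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1023BB9-453C-463F-9288-56AE96C52807}]
2008-06-11 23:40 1228800 --a------ c:\program files\Susan G. Komen for the Cure® Toolbar\Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BB0CBE93-CD99-45B9-BF11-291F1B260698}"= "c:\program files\Susan G. Komen for the Cure® Toolbar\Toolbar.dll" [2008-06-11 1228800]
[HKEY_CLASSES_ROOT\clsid\{bb0cbe93-cd99-45b9-bf11-291f1b260698}]
[HKEY_CLASSES_ROOT\FCTB000000112.FCTB000000112.3]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder
"""

# Constructed excerpt of the log posted after the CFScript run.
AFTER_LOG = r"""
((((((((((((((((( Reg Loading Points )))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder
"""


def parse_reg_loading_points(log):
    """Map each key (lower-cased) in the Reg Loading Points section to the
    set of value lines ComboFix printed under it."""
    entries = {}
    current, in_section = None, False
    for line in (raw.strip() for raw in log.splitlines()):
        if SECTION_START in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith(SECTION_END):
            break
        if not line or line in (".", "REGEDIT4") or line.startswith("*Note*"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries.setdefault(current, set())
        elif SERVICE_RE.match(line):
            # Driver/service lines end the registry part; group them separately.
            entries.setdefault("services", set()).add(line)
            current = None
        elif current is not None:
            entries[current].add(line)
    return entries


def removed_entries(before, after):
    """Keys and value lines present before the CFScript run but not after."""
    removed = {}
    for key, values in before.items():
        gone = values - after.get(key, set())
        if key not in after or gone:
            removed[key] = gone
    return removed


def tamper_findings(section):
    """Security Center / Windows Firewall settings still switched off."""
    return [f"{key}: {value}" for key, values in section.items()
            for fragment, pattern in TAMPER_RULES if fragment in key
            for value in sorted(values) if pattern.search(value)]


if __name__ == "__main__":
    before = parse_reg_loading_points(BEFORE_LOG)
    after = parse_reg_loading_points(AFTER_LOG)
    for key, values in sorted(removed_entries(before, after).items()):
        print("removed:", key, *sorted(values), sep="\n  ")
    for finding in tamper_findings(after):
        print("still disabled:", finding)
```

Run against the full logs, the "removed" list should line up with the keys named in the CFScript, while the "still disabled" list shows what the CFScript did not touch and still needs attention once the machine is clean.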

#9 JPBT

  • Topic Starter
  • Members
  • 7 posts

Posted 12 February 2009 - 11:29 PM

Hello Billy,

Here is the ComboFix Log as requested:

ComboFix 09-02-12.03 - Owner 2009-02-12 21:59:45.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.115 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-09 18:23 . 2009-02-09 18:23 250 --a------ c:\windows\gmer.ini
2009-01-25 18:51 . 2009-01-25 18:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-25 18:51 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 18:51 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 18:50 . 2009-01-25 18:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 18:50 . 2009-01-25 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 17:08 . 2009-01-25 17:08 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 16:50 . 2009-01-25 16:50 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-25 13:22 . 2009-01-25 13:22 <DIR> d-------- c:\program files\Windows Defender
2009-01-24 20:50 . 2009-01-24 17:17 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-24 19:49 . 2009-01-24 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-24 19:49 . 2009-02-12 21:56 8,161 --a------ c:\windows\system32\Config.MPF
2009-01-24 19:43 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-24 19:43 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-24 19:43 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-24 19:43 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-24 19:43 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-24 19:43 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-24 19:42 . 2009-01-24 19:43 <DIR> d-------- c:\program files\McAfee.com
2009-01-24 19:41 . 2009-01-24 19:43 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-24 19:40 . 2009-01-28 21:55 <DIR> d-------- c:\program files\McAfee
2009-01-24 19:08 . 2009-01-24 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-24 17:18 . 2009-01-24 17:17 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-24 17:16 . 2009-01-24 17:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-24 17:15 . 2009-01-24 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-24 14:15 . 2009-01-24 14:15 0 --a------ c:\windows\MSDraw.ini
2009-01-20 12:33 . 2009-01-20 12:33 <DIR> d-------- c:\program files\DivX
2009-01-18 20:31 . 2009-01-18 20:31 <DIR> d-------- C:\spoolerlogs
2009-01-17 19:50 . 2009-01-17 19:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\Amazon
2009-01-17 19:49 . 2009-01-17 19:49 <DIR> d-------- c:\program files\Amazon
2009-01-17 19:12 . 2009-01-19 20:18 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-17 19:12 . 2009-01-17 19:12 1,409 --a------ c:\windows\QTFont.for
2009-01-13 14:41 . 2009-01-13 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 10:33 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-12 00:22 --------- d-----w c:\program files\Lx_cats
2009-01-30 02:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-30 02:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 22:49 --------- d-----w c:\program files\Bonjour
2009-01-25 17:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 17:58 --------- d-----w c:\program files\SpywareBlaster
2009-01-25 01:23 --------- d-----w c:\program files\Yahoo!
2009-01-25 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-24 23:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-24 23:15 --------- d-----w c:\program files\Lavasoft
2009-01-24 23:07 --------- d-----w c:\program files\Coupons
2009-01-22 22:43 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2008-12-30 23:07 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-30 23:07 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-30 23:06 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-30 21:31 --------- d-----w c:\program files\Zune
2008-12-30 21:26 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-30 21:23 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-26 23:09 --------- d-----w c:\program files\MixMeister EZ Vinyl Converter
2008-12-26 21:58 --------- d-----w c:\program files\iTunes
2008-12-26 21:58 --------- d-----w c:\program files\iPod
2008-12-26 21:56 --------- d-----w c:\program files\QuickTime
2008-12-26 21:54 --------- d-----w c:\program files\Apple Software Update
2008-12-26 21:53 --------- d-----w c:\program files\Common Files\Apple
2008-12-26 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-17 18:26 --------- d-----w c:\program files\Zoom
2008-12-17 18:26 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-17 18:26 --------- d-----w c:\program files\Susan G. Komen for the Cure® Toolbar
2008-12-17 18:26 --------- d-----w c:\program files\Freeze.com Toolbar
2008-11-26 02:10 497 ----a-w c:\documents and settings\Owner\xrt_log.dat
2007-02-11 00:59 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-11-22 20:37 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-22 20:37 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-22 20:37 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-22 20:37 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-22 20:37 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-05 02:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-10_19.38.13.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-11 00:58:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-13 00:42:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-11 00:58:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-13 00:42:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-13 00:42:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-14 00:12:07 295,424 -c--a-w c:\windows\system32\dllcache\termsrv.dll
- 2008-10-22 05:30:25 295,424 ----a-w c:\windows\system32\termsrv.dll
+ 2008-04-14 00:12:07 295,424 ----a-w c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-31 509784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"NvMediaCenter"="NvMCTray.dll" [2005-08-02 c:\windows\system32\nvmctray.dll]
"VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-11-06 1765]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 08:23 90112 c:\program files\HP\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 08:07 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-12 05:23 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-05-23 03:55 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 21:02 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 12:03 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-08-02 15:35 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-07-31 21:28 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-06-13 09:07 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
--a------ 2006-08-31 14:49 6033408 c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-08-02 15:35 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 c:\windows\system32\VTTimer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"Walgreens PhotoShow Media Manager"=c:\progra~1\WALGRE~1\WALGRE~2\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe"
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\lxbxcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbxPSWX.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-24 64160]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-24 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-08-08 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-02 99376]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-31 11:17]

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-01-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16 []

2009-01-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{BB0CBE93-CD99-45B9-BF11-291F1B260698} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
TCP: {B58EE835-12D6-41E7-B68F-FB75B23E7AF9} = 10.0.0.2
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kbzd4e7n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 22:07:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-106021210-377303055-906393086-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-02-12 22:20:41
ComboFix-quarantined-files.txt 2009-02-13 04:19:22
ComboFix2.txt 2009-02-12 02:42:27
ComboFix3.txt 2009-02-11 01:45:28

Pre-Run: 45,904,519,168 bytes free
Post-Run: 45,882,802,176 bytes free

262 --- E O F --- 2009-01-28 07:07:37

Thanks!

JPBT


#10 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:07 PM

Posted 14 February 2009 - 05:33 PM

Hello, JPBT
That looks much better. How are things running?

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 JPBT

  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:07 PM

Posted 15 February 2009 - 03:28 PM

Hello Billy,

Things seem to be fine, and I see no redirected links when using a search engine. I have continued to limit internet use on the computer to make sure my siblings do not make changes without my knowledge. Once things seem ok, I'll probably purge any non-necessary program, defragment the hard drive, and lift some of the restrictions I have placed on internet use.

ESET OnlineScan's Log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3853 (20090214)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=244dbc6bf3bd31439d97bd7ac658220b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-15 07:02:27
# local_time=2009-02-15 01:02:27 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=759630
# found=1
# scan_time=14003
C:\Qoobox\Quarantine\C\WINDOWS\system32\wdmaud.sys.vir Win32/Delf.NWJ trojan (unable to clean - deleted) 00000000000000000000000000000000

Thanks!
JPBT

Attached Files

  • Attached File  log.txt   737bytes   18 downloads
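The ESET log above is short, but a helper reads it in a specific way: the `# key=value` header says whether the scan finished and how many items were found, and each detection line carries the path, the threat name, the action taken and a hash. The one hit in that log sits under C:\Qoobox\Quarantine, which is where ComboFix keeps the files it already quarantined, so it is not a live infection. The parser below is an added example written for this thread; it is not ESET's code and not the poster's tool, and the sample log inside it is constructed to copy the posted layout (the second detection line is invented to show a hit outside quarantine).

```python
"""Parse an ESET Online Scanner log.txt of the shape posted above.

Added example for this thread; it is not the OP's log, not a tool from
ESET, and the sample below is constructed to mirror the posted layout:
  '# key=value' header lines, then one detection per line:
  <path> <threat name> (<action taken>) <32-hex-digit hash>
"""
import re
from dataclasses import dataclass

# Constructed sample. The first detection line copies the shape of the
# posted one; the second is invented to show a detection outside quarantine.
SAMPLE_LOG = """# version=4
# OnlineScanner.ocx=1.0.0.635
# end=finished
# remove_checked=true
# unwanted_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=759630
# found=2
# scan_time=14003
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\wdmaud.sys.vir Win32/Delf.NWJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\Program Files\\Example App\\helper.dll a variant of Win32/Example.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
"""

# ComboFix stores what it quarantined under C:\Qoobox\Quarantine (the posted
# log shows exactly that path), so a hit there was already neutralised.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "                    # Windows path, may contain spaces
    r"(?P<threat>(?:probably )?(?:a variant of )?"   # ESET threat-name prefixes
    r"[A-Za-z0-9]+/\S+.*?) "                         # family/variant plus type word(s)
    r"\((?P<action>[^)]*)\) "                        # action ESET took
    r"(?P<digest>[0-9A-Fa-f]{32})$"                  # trailing hash field
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    digest: str

    def in_quarantine(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


def parse_eset_log(text):
    """Return (header dict, list of Detection, list of lines that did not parse)."""
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(**m.groupdict()))
        else:
            unparsed.append(line)
    return header, detections, unparsed


def summarize(text):
    """The counts a helper checks before calling a machine clean."""
    header, detections, unparsed = parse_eset_log(text)
    live = [d for d in detections if not d.in_quarantine()]
    found = int(header.get("found", "0"))
    return {
        "finished": header.get("end") == "finished",
        "scanned": int(header.get("scanned", "0")),
        "found": found,
        "parsed": len(detections),
        "unparsed": len(unparsed),
        "already_quarantined": len(detections) - len(live),
        "live": [d.path for d in live],
        # the header's own count should equal the detection lines we saw
        "consistent": found == len(detections) + len(unparsed),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `live` list is the part that matters when reading one of these logs: a `found=1` whose only hit is in the ComboFix quarantine folder is what the reply below treats as clean, while a hit under Program Files or system32 would need another look.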


#12 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:07 PM

Posted 16 February 2009 - 05:07 PM

Hello, JPBT
Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
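On the hosts file recommendation in the post above: a blocklist hosts file such as the MVPs one works by mapping unwanted names to a sink address (0.0.0.0 or 127.0.0.1), so the connection goes nowhere. The same file can also send a real name to some other machine, which overrides DNS for that name. The thread does not say the hosts file was involved in this particular redirect problem; the script below is a general check, added here as an example and not the MVPs project's code. The hosts content in it is constructed, using reserved `.test` names and a documentation address.

```python
"""Audit a Windows hosts file of the kind the MVPs hosts file recommendation relies on.

Added example for this thread; not the MVPs project's own code. The sample
hosts content is constructed; the .test domains and the 198.51.100.0/24
address are reserved documentation values, not real sites.
"""
import ipaddress

SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0 ad.example-tracker.test          # MVPs-style block entry
0.0.0.0 banner.example-ads.test more.example-ads.test
198.51.100.7    www.search-engine.test   # public name sent to a remote IP
"""

# Addresses a blocklist legitimately points names at: the connection goes
# nowhere instead of to the advertiser or malware host.
SINK_ADDRESSES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1", "::")}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address: skip
        for host in fields[1:]:                   # one address may name many hosts
            entries.append((lineno, addr, host.lower()))
    return entries


def audit_hosts(text):
    """Separate ordinary blocklist entries from entries that send a name to a remote address."""
    blocked, redirected = [], []
    for lineno, addr, host in parse_hosts(text):
        if host in LOOPBACK_NAMES:
            continue                              # the normal localhost lines
        if addr in SINK_ADDRESSES:
            blocked.append(host)
        else:
            # A hosts entry pointing a public name at another machine overrides
            # DNS for that name; list it so a person can decide whether it belongs.
            redirected.append((lineno, host, str(addr)))
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} names blocked")
    for lineno, host, addr in report["redirected"]:
        print(f"line {lineno}: {host} -> {addr}")
```

On a real XP machine the file lives at C:\WINDOWS\system32\drivers\etc\hosts; the MVPs file puts tens of thousands of names in the `blocked` list and nothing in `redirected`, so anything that does show up there is the line to read.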

#13 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:07 PM

Posted 22 February 2009 - 09:22 PM

Hello, JPBT
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII



