
Vundo, Virtumonde, Smitfraud


  • This topic is locked
5 replies to this topic

#1 MelKUSC

MelKUSC

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 01 February 2009 - 03:44 PM

I'm on Windows XP with McAfee (expired). I had up-to-date Symantec but removed it after it too became infected. Computer had been acting slow/strange, so...

1. ran Spybot and found a couple dozen instances of Virtumonde and Smitfraud, which it removed.
2. ran Combofix under advice/guidance of a friend (soon after visited this forum and learned this was probably not the best thing to do...)
3. MBAM, ATF, then SAS as documented here: http://www.bleepingcomputer.com/forums/t/199213/had-vundovirtumonde-now-red-xs-in-aim/

McAfee gives me a popup:
"About this Potentially Unwanted Program
Name: Generic!Artemis
Location: C:\WINDOWS\NIRCMD.exe"
Which I'm told is probably related to combofix...?

I'm not sure everything has been wiped out; AOL Instant Messenger still displays a strange white box with a red X (like it's failing to load an image) in the upper left-hand corner of the chat display.

Anyway, here's the DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Mel at 12:30:05.96 on Sun 02/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.260 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Mel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.usc.edu/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\VirtuaWin.lnk.disabled
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\meliss~1\applic~1\mozilla\firefox\profiles\p89f505e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.usc.edu/
FF - plugin: c:\documents and settings\mel\application data\mozilla\firefox\profiles\p89f505e.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-30 28544]
R1 atitray;atitray;c:\program files\radeon omega drivers\v3.8.231\ati tray tools\atitray.sys [2005-11-13 11008]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-11 207656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-12-11 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-12-11 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-12-11 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-11 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-11 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-11 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S2 ThreadMaster;Thread Master;c:\windows\system32\threadmaster\threadmast.exe --> c:\windows\system32\threadmaster\ThreadMast.exe [?]
S3 atinysxx;ATI USB 2.0 TV Audio Crossbar;c:\windows\system32\drivers\atinysxx.sys [2005-9-9 79360]
S3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;c:\windows\system32\drivers\atinyvxx.sys [2005-9-9 174592]
S3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;c:\windows\system32\drivers\atinyuxx.sys [2005-9-9 64512]
S3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;c:\windows\system32\drivers\ATIUTD.sys [2005-9-9 38912]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\meliss~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\meliss~1\locals~1\temp\cdrmkaun.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-11 34152]
S3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;c:\windows\system32\drivers\atinyttx.sys [2005-9-9 13824]

=============== Created Last 30 ================

2009-01-31 13:11 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-31 13:10 --d----- c:\program files\SUPERAntiSpyware
2009-01-31 13:10 --d----- c:\docume~1\meliss~1\applic~1\SUPERAntiSpyware.com
2009-01-31 13:09 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-30 21:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-30 21:11 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-30 16:13 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-30 16:12 --d----- c:\program files\Panda Security
2009-01-29 23:15 --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-01-29 23:14 --d----- c:\program files\AIM6
2009-01-29 18:36 --d----- C:\cmdcons
2009-01-29 18:30 161,792 a------- c:\windows\SWREG.exe
2009-01-29 18:30 98,816 a------- c:\windows\sed.exe
2009-01-29 17:17 --d----- c:\docume~1\meliss~1\applic~1\Malwarebytes
2009-01-29 17:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-29 17:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 17:16 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-29 17:16 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 16:55 --d----- c:\program files\Trend Micro
2009-01-23 18:20 --d----- c:\program files\common files\Macrovision Shared
2009-01-17 23:58 --d----- c:\program files\iPod
2009-01-17 23:58 --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-17 23:58 --d----- c:\program files\iTunes

==================== Find3M ====================

2009-01-29 16:21 28,656 a---h--- c:\windows\system32\mlfcache.dat
2008-12-29 17:11 100,584 a------- c:\windows\hpgins14.dat
2008-12-12 09:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-11 09:09 61,224 a------- c:\documents and settings\melissa niiya\GoToAssistDownloadHelper.exe
2005-10-11 20:17 1,508 ac------ c:\program files\uninstal.log
2002-05-21 09:00 1,362 ac---r-- c:\program files\ReadMe.txt

============= FINISH: 12:31:28.53 ===============



#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:49 AM

Posted 08 February 2009 - 03:11 PM

Hello, MelKUSC
:thumbup2: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.

McAfee gives me a popup:
"About this Potentially Unwanted Program
Name: Generic!Artemis
Location: C:\WINDOWS\NIRCMD.exe"
Which I'm told is probably related to combofix...?

Did you run CF??

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :services
    cdrmkaun
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • OTMoveIt3's Log
  • GMER's Log
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
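The `:services cdrmkaun` step above acts on one line of the DDS SERVICES / DRIVERS section: a kernel driver registered from the user's temp folder whose file DDS could not find (`[?]`). Applying that same judgement to a whole DDS services section, as an added Python example that is not part of this thread and not how DDS or OTMoveIt3 work internally: it parses the service lines and flags entries whose image sits in a temp directory or under a user profile, or whose file is missing. The sample lines are copied from the log above; the path markers and the reason strings are my own triage heuristics.

```python
import re
from dataclasses import dataclass, field

# Sample lines taken from the DDS "SERVICES / DRIVERS" section above, in DDS's format:
#   <state> <service name>;<display name>;<image path>[ --> <resolved path>] [<date size> | ?]
SAMPLE_DDS_SERVICES = [
    r"R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-11 207656]",
    r"S2 ThreadMaster;Thread Master;c:\windows\system32\threadmaster\threadmast.exe --> c:\windows\system32\threadmaster\ThreadMast.exe [?]",
    r"S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\meliss~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\meliss~1\locals~1\temp\cdrmkaun.sys [?]",
    r"R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-11 34152]",
]

LINE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TAIL_RE = re.compile(r"\s*\[(?P<tail>[^\]]*)\]\s*$")

# Assumed heuristics (not anything DDS itself reports): a service binary or kernel
# driver has no business living in a temp directory or under a user profile.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\")


@dataclass
class DdsService:
    state: str          # R = running, S = stopped, followed by the start-type digit
    name: str           # registry service name (what an OTMoveIt3 ":services" entry names)
    display: str
    path: str           # resolved, lower-cased image path
    file_present: bool  # False when DDS printed "[?]" instead of "[date size]"
    reasons: list = field(default_factory=list)


def parse_dds_service(line):
    """Parse one SERVICES / DRIVERS line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    present = True
    tail = TAIL_RE.search(rest)
    if tail:
        present = tail.group("tail").strip() != "?"
        rest = rest[: tail.start()]
    # DDS prints "<registered path> --> <resolved path>"; keep the resolved one.
    path = rest.split(" --> ")[-1].strip()
    # Drop the NT object-manager prefix that driver ImagePath values sometimes carry.
    if path.startswith("\\??\\"):
        path = path[4:]
    return DdsService(m.group("state"), m.group("name"), m.group("display"),
                      path.lower(), present)


def triage_service(svc):
    """Attach plain-language reasons to an entry; an empty list means nothing stood out."""
    if any(t in svc.path for t in TEMP_MARKERS):
        svc.reasons.append("image loaded from a temp directory")
    if any(p in svc.path for p in PROFILE_MARKERS):
        svc.reasons.append("image path is under a user profile")
    if not svc.file_present:
        svc.reasons.append("image file missing on disk")
    return svc


def triage_dds_services(lines):
    """Return the flagged entries, strongest (most reasons) first."""
    flagged = []
    for line in lines:
        svc = parse_dds_service(line)
        if svc is not None and triage_service(svc).reasons:
            flagged.append(svc)
    return sorted(flagged, key=lambda s: len(s.reasons), reverse=True)


if __name__ == "__main__":
    for svc in triage_dds_services(SAMPLE_DDS_SERVICES):
        print(f"{svc.state} {svc.name}: {svc.path}")
        for reason in svc.reasons:
            print(f"    - {reason}")
```

A flagged entry is a lead for a helper to look at, not a verdict: the stopped ThreadMaster service with a missing file is a leftover, while a driver registered from a temp folder is the kind of entry that gets an OTMoveIt3 `:services` line.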

#3 MelKUSC

MelKUSC
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 09 February 2009 - 02:14 AM

Hi! Thanks for the welcome and for all your help.
Here are the logs requested; I hope I did this right:

----------------------
OTMoveIt3 Log:

========== SERVICES/DRIVERS ==========
Service cdrmkaun stopped successfully.
Service cdrmkaun deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02082009_192558
----------------------

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-08 19:50:54
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE2D7F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE12C9CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE12C978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE12C98C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE12CA0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE12C950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE12C964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE12C9DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE12C9B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE12C9A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE12CA39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE12CA20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE12C9F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP EE12C9F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP EE12C9CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP EE12CA0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP EE12CA24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP EE12C9E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP EE12C954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP EE12C968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP EE12C9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP EE12C990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP EE12C97C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 1 Byte [ E9 ]
PAGE ntkrnlpa.exe!ZwSetContextThread + 2 805C79B8 3 Bytes [ 4F, B6, 6D ]
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP EE12CA3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[264] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FE5
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F4B
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F66
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F77
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660F9E
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660036
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660082
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660F3A
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F04
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00660093
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00660EE9
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00660FAF
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00660065
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00660F1F
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00650025
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00650073
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00650062
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00650051
.text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00650036
.text C:\WINDOWS\system32\svchost.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F0000
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F0FCA
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F00BF
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F00AE
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0091
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F006C
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F0106
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F00EB
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F0121
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F0F92
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 006F0F6D
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 006F001B
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 006F00DA
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 006F0047
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 006F0036

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011954fb7bd
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0011954fb7bd

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\Mel\Local Settings\Application Data\Mozilla\Firefox\Profiles\p89f505e.default\Cache\B25FB1B1d01 163231 bytes

---- EOF - GMER 1.0.14 ----


And the ESET log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3837 (20090208)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5422230aadc58d43b1178bf92b7c4408
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-09 06:54:25
# local_time=2009-02-08 10:54:25 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=475587
# found=2
# scan_time=10233
C:\Documents and Settings\Mel\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-6ae9209d Java/TrojanDownloader.OpenStream.W trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Mel\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-6ae9209d »ZIP »javainstaller/InstallerApplet.class Java/TrojanDownloader.OpenStream.W trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

#4 Billy O'Neal
  • Malware Response Team, Visual C++ STL Maintainer
  • 12,304 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 10 February 2009 - 06:30 PM

Hello, MelKUSC
Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 MelKUSC
  • Topic Starter
  • Members
  • 9 posts

Posted 11 February 2009 - 01:53 AM

Thank you so much for all of your help! :thumbup2:
I still have the weird red-X-in-a-box in AIM but I guess that's a result of the cure. Thanks again!

#6 Billy O'Neal
  • Malware Response Team, Visual C++ STL Maintainer
  • 12,304 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 11 February 2009 - 05:49 PM

Hello, MelKUSC
Reinstalling it may fix the issue if it really is a big issue :thumbup2:

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)