
Malware Infection- Possible Trojan.Agent, PoisonIvy, and/or CoolWWWsearch


  • This topic is locked
18 replies to this topic

#1 nicolai_gm

nicolai_gm

  • Members
  • 12 posts

Posted 04 February 2009 - 04:23 PM

Hello. I tried to post this topic earlier today, but I got a notification that my Hijackthis was out of date. Because of this my post did not appear to register, so I installed the latest version of Hijackthis and will try again. I apologize if this ends up being redundant, but I can't seem to find a record of my earlier post.

Basically, I have 3 different kinds of software finding some sort of trojan in my registry. Each calls it by a different name, so I'm not sure if it is actually the same thing or multiple infections. Each version of software that I use isolates it and appears to delete it, but never actually gets rid of it. If I scan seconds after deleting, the bug shows up again in the scan. If I scan in safe mode, it seems to actually get rid of it until I reboot again in normal mode.

I believe I picked this up from peer to peer sharing and have since refrained from that risky behavior. I am using my office computer to contact you and have unhooked the internet on the infected computer.

MalwareBytes found Trojan.Agent (HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run\svchost.exe)

XoftSpySE found BackdoorPoisonIvyJTrojan (same registry entry as above)

SpyBot SD found Coolwwwsearch.svchost32

I am including DLL logs and a Hijackthis log. Thank you for your help.

-Nick


DDS (Ver_09-02-01.01) - NTFSx86
Run by Nick and Nat at 12:17:11.62 on Wed 02/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.506 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Nick and Nat\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150167130215
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
AppInit_DLLs: karna.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nickan~1\applic~1\mozilla\firefox\profiles\px8xb0e6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-20 201320]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-31 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-1-20 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-1-20 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-20 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-20 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-20 40488]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\70.tmp --> c:\windows\system32\70.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-20 33832]

=============== Created Last 30 ================

2009-01-31 13:07 <DIR> --d----- c:\program files\Cobian Backup 8
2009-01-24 09:19 <DIR> --d----- c:\program files\XoftSpySE
2009-01-05 14:33 3,751,995 -------- c:\windows\system32\GPhotos.scr
2009-01-05 12:23 410,984 -------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-01-14 16:11 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 -------- c:\windows\system32\drivers\mbam.sys
2008-12-12 22:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2006-12-18 20:20 424,692 -------- c:\program files\dBpowerAMP-codec-ogg.exe
2007-03-11 20:41 88 ---shr-- c:\windows\system32\0734F9550B.sys
2007-10-23 16:12 56 ---shr-- c:\windows\system32\0B55F93407.sys
2007-10-23 16:12 4,184 ---sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-25 11:43 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 12:18:12.61 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:48 PM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
F:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150167130215
O20 - AppInit_DLLs: karna.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9378 bytes
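The two lines in the logs above that matter for this infection are the HKCU Run entry that launches a file called svchost.exe from the drivers folder and the non-empty AppInit_DLLs value (karna.dat). As an added example, not code from this thread or from any of the tools it mentions, the following Python script triages HijackThis (O4/O20) and DDS (uRun/AppInit_DLLs) autostart lines for exactly those two patterns. The system directory C:\WINDOWS\system32 and the list of core Windows binaries that never belong in a Run key are assumptions of the example; the sample lines are copied from the logs posted above, plus two benign Run entries for contrast.

```python
import re
from pathlib import PureWindowsPath

# Assumption for this example: the XP system directory shown throughout the logs above.
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")

# Assumption: core binaries that Windows launches itself (via smss/winlogon/services.exe).
# A Run-key entry pointing at one of these names is a masquerade, never a legitimate autostart.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}

# Run-key entries in HijackThis ("O4 - HKCU\..\Run: [name] cmd") and DDS ("uRun: [name] cmd") spelling.
RUN_RE = re.compile(r"^(?:O4 - (?P<hive>[^:]+)|(?P<ddskey>[umd]Run)): \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# AppInit_DLLs in both spellings ("O20 - AppInit_DLLs: x" and "AppInit_DLLs: x").
APPINIT_RE = re.compile(r"^(?:O20 - )?AppInit_DLLs:\s*(?P<dlls>.*)$")
# First executable path in a command line, quoted or not; stops at the first .exe/.scr/.dll/.com.
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\.+?\.(?:exe|scr|dll|com))"?(?:\s|$)', re.IGNORECASE)


def executable_of(cmd):
    """Return the launched executable as a PureWindowsPath, or None if no drive path is found."""
    m = EXE_RE.match(cmd.strip())
    return PureWindowsPath(m.group("exe")) if m else None


def triage_line(line):
    """Return the list of reasons (possibly empty) why one log line deserves a closer look."""
    reasons = []
    m = RUN_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        if exe is not None and exe.name.lower() in CORE_BINARIES:
            reasons.append(f"{exe.name} is started by Windows itself and never belongs in a Run key")
            if str(exe.parent).lower() != str(SYSTEM_DIR).lower():
                reasons.append(f"{exe.name} loaded from {exe.parent} instead of {SYSTEM_DIR}")
    m = APPINIT_RE.match(line)
    if m and m.group("dlls").strip():
        reasons.append(f"AppInit_DLLs is set to '{m.group('dlls').strip()}'; "
                       "it is loaded into every process that maps user32.dll")
    return reasons


def triage(lines):
    """Run triage_line over a whole log and return (line, reason) pairs for every finding."""
    return [(line, reason) for line in lines for reason in triage_line(line)]


# Constructed sample: lines copied from the HijackThis and DDS logs posted above,
# with two benign Run entries (jusched.exe, ctfmon.exe) for contrast.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe",
    "O20 - AppInit_DLLs: karna.dat",
    r"uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe",
    "AppInit_DLLs: karna.dat",
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print(f"FLAG: {line}\n      {reason}")
```

Run against the sample, the script flags only the two svchost.exe Run entries (twice each: wrong launcher, wrong directory) and the two AppInit_DLLs lines, and stays silent on the legitimate Java and ctfmon entries. The point of the directory check is that the real svchost.exe lives in system32 and is started by services.exe, so a copy under drivers\ that is launched from a per-user Run key is worth attention regardless of what name a given scanner gives it.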



#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 17 February 2009 - 10:42 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 nicolai_gm

nicolai_gm
  • Topic Starter

  • Members
  • 12 posts

Posted 19 February 2009 - 01:50 PM

Hello. Thanks for the response.

I did get a little antsy and started digging a little bit. It turns out the Tea Timer function on my Spybot S&D was not allowing me to delete anything. Once I disabled it, all scans with all programs have been clean. If you think it would be beneficial I can post another DDS log just in case.

Nick

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 19 February 2009 - 01:57 PM

Please do post a DDS so one of the HJT can clear you.
We wouldn't want something hiding to come back.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 nicolai_gm

nicolai_gm
  • Topic Starter

  • Members
  • 12 posts

Posted 19 February 2009 - 03:00 PM

OK. Will do. I am away from the infected computer for a bit, but should be able to post something later this evening. Thanks a lot for your help.

#6 nicolai_gm

nicolai_gm
  • Topic Starter

  • Members
  • 12 posts

Posted 19 February 2009 - 09:35 PM

Ok. Here are the newest DDS log files and another Hijack This log. Again, I really appreciate the help. I will be away from my computer until Sunday evening, so I may not respond until then if I need to do anything else.

Thanks. -Nick

DDS (Ver_09-02-01.01) - NTFSx86
Run by Nick and Nat at 17:45:03.57 on Thu 02/19/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.546 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Nick and Nat\My Documents\Anti Virus Programs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150167130215
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
AppInit_DLLs: karna.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nickan~1\applic~1\mozilla\firefox\profiles\px8xb0e6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-20 201320]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-31 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-1-20 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-1-20 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-20 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-20 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-20 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-20 40488]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\103b.tmp --> c:\windows\system32\103B.tmp [?]

=============== Created Last 30 ================

2009-02-08 09:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-31 13:07 <DIR> --d----- c:\program files\Cobian Backup 8
2009-01-24 09:19 <DIR> --d----- c:\program files\XoftSpySE

==================== Find3M ====================

2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-14 16:11 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 -------- c:\windows\system32\drivers\mbam.sys
2009-01-05 14:33 3,751,995 -------- c:\windows\system32\GPhotos.scr
2009-01-05 12:22 410,984 -------- c:\windows\system32\deploytk.dll
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2006-12-18 20:20 424,692 -------- c:\program files\dBpowerAMP-codec-ogg.exe
2007-03-11 20:41 88 ---shr-- c:\windows\system32\0734F9550B.sys
2007-10-23 16:12 56 ---shr-- c:\windows\system32\0B55F93407.sys
2007-10-23 16:12 4,184 ---sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-25 11:43 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 17:45:45.77 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:28 PM, on 2/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nick and Nat\My Documents\Anti Virus Programs\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150167130215
O20 - AppInit_DLLs: karna.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9323 bytes
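A defender-side triage script for the HijackThis entry formats in the log above (O4 Run keys, O20 AppInit_DLLs, O23 services), added here as an example; it is not a tool from this thread or from HijackThis, and its sample lines and heuristics are constructed for illustration:

```python
"""Triage helper for HijackThis-format log lines (added example, not a tool
from this thread). It parses O4 (Run keys), O20 (AppInit_DLLs) and O23
(services) entries and applies a few defender-side heuristics; anything it
flags is a lead for a human to verify, not a verdict."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample lines in the HijackThis v2.0.2 layout used in the thread.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\user\Application Data\svchost.exe
O20 - AppInit_DLLs: karna.dat
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: MEMSWEEP2 - Unknown owner - C:\WINDOWS\system32\103B.tmp
"""

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: ?(?P<value>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|scr|com|bat|cmd|dll))\b', re.IGNORECASE)

# Names of core Windows processes whose genuine copies live in system32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                       "winlogon.exe", "services.exe", "spoolsv.exe"}
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                         "\\temp\\", "\\users\\")


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def image_path(cmd: str) -> str:
    """Return the executable path from a Run command line, dropping arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def check_run(name: str, cmd: str):
    path = image_path(cmd)
    base = ntpath.basename(path).lower()
    lowered = path.lower()
    if base in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in lowered:
        return ("HIGH", f"Run entry named like a system binary ({base}) but loaded from outside system32")
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        return ("MEDIUM", "Run entry launches from a user-writable profile or temp location")
    return None


def check_service(display: str, vendor: str, path: str):
    if path.lower().endswith(".tmp"):
        return ("MEDIUM", "Service image is a .tmp file; identify the owning product before trusting it")
    if vendor.strip().lower() in ("", "unknown owner"):
        return ("MEDIUM", "Service has no vendor string")
    return None


def triage(log_text: str) -> list:
    """Scan HijackThis lines and return the entries the heuristics flag."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.group("section"), m.group("rest")
        verdict = None
        if section == "O4":
            r = RUN_RE.match(rest)
            if r:
                verdict = check_run(r.group("name"), r.group("cmd"))
        elif section == "O20":
            a = APPINIT_RE.match(rest)
            # A non-empty AppInit_DLLs value is injected into every process that
            # loads user32.dll; legitimate software rarely needs it, and a bare
            # file name that is not even a .dll deserves a close look.
            if a and a.group("value").strip():
                verdict = ("HIGH", f"AppInit_DLLs is set to {a.group('value').strip()!r}")
        elif section == "O23":
            s = SERVICE_RE.match(rest)
            if s:
                verdict = check_service(s.group("display"), s.group("vendor"), s.group("path"))
        if verdict:
            findings.append(Finding(section, verdict[0], verdict[1], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```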


#7 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 20 February 2009 - 04:13 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information into your next reply.
Important! Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log
-New Hijackthis log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 22 February 2009 - 09:05 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#9 nicolai_gm

  • Topic Starter
  • Members
  • 12 posts

Posted 23 February 2009 - 11:23 AM

Hi EB.

I apologize for the delay. I was out of town away from technology for a few days. I am at work today and will run combofix and GMER on my home computer this evening. Thanks, I appreciate the help.

-Nick

#10 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 23 February 2009 - 03:45 PM

You're welcome :thumbup2:

Take your time and post the logs whenever you are ready.

with regards,
extremeboy

#11 nicolai_gm

  • Topic Starter
  • Members
  • 12 posts

Posted 23 February 2009 - 03:48 PM

Hi EB.

I tried to download ComboFix from the supplied links and my McAfee blocked the files and identified them as a trojan called Generic!Artemis. I wanted to get your take on this before I disable McAfee, since you had mentioned disabling it after downloading ComboFix, rather than before. Thanks.

-Nick

#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 23 February 2009 - 03:59 PM

Hello.

Please disable McAfee before downloading ComboFix. It's a false positive.

With Regards,
Extremeboy

#13 nicolai_gm

  • Topic Starter
  • Members
  • 12 posts

Posted 24 February 2009 - 12:18 AM

Hi EB.

Here are the Combofix, GMER and Hijackthis logs as requested.

I have not noticed any obvious symptoms/problems while using the PC.

Thanks again for your help.

-Nick

ComboFix 09-02-21.01 - Nick and Nat 2009-02-23 19:28:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.516 [GMT -8:00]
Running from: c:\documents and settings\Nick and Nat\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\AutoRun.inf
c:\windows\system32\TDSSblat.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-08 09:29 . 2009-02-08 09:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-31 13:07 . 2009-02-09 18:40 <DIR> d-------- c:\program files\Cobian Backup 8
2009-01-24 09:42 . 2009-01-24 10:02 <DIR> d-------- c:\program files\RegCure
2009-01-24 09:19 . 2009-02-14 09:59 <DIR> d-------- c:\program files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 01:51 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-18 05:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 16:26 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-15 00:11 38,496 ------w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 00:11 15,504 ------w c:\windows\system32\drivers\mbam.sys
2009-01-05 20:22 --------- d-----w c:\program files\Java
2009-01-04 18:14 --------- d-----w c:\program files\Google
2008-12-31 05:23 --------- d-----w c:\program files\Dream Aquarium
2008-12-24 03:35 --------- d-----w c:\documents and settings\All Users\Application Data\JollyBear
2008-12-24 03:34 --------- d-----w c:\program files\Mahjong Escape - Ancient Japan
2008-12-24 03:34 --------- d-----w c:\documents and settings\Nick and Nat\Application Data\SpinTop
2006-12-19 04:20 424,692 ------w c:\program files\dBpowerAMP-codec-ogg.exe
2007-03-12 04:41 88 --sh--r c:\windows\system32\0734F9550B.sys
2007-10-24 00:12 56 --sh--r c:\windows\system32\0B55F93407.sys
2007-10-24 00:12 4,184 --sh--w c:\windows\system32\KGyGaAvL.sys
2008-08-25 19:43 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082520080826\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nick and Nat^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Nick and Nat\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--------- 2005-09-08 10:06 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--------- 2005-09-08 02:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2005-06-10 07:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2005-06-10 07:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--------- 2006-05-26 08:37 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--------- 2005-03-22 20:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\American McGee's Alice\\alice.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3529:UDP"= 3529:UDP:Windows Media Format SDK (firefox.exe)
"3528:UDP"= 3528:UDP:Windows Media Format SDK (firefox.exe)
"3541:UDP"= 3541:UDP:Windows Media Format SDK (firefox.exe)

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\103B.tmp --> c:\windows\system32\103B.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-02-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-02-24 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 10:55]

2009-02-05 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 10:55]

2009-02-24 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-21 07:00]

2009-02-18 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-21 07:00]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-TDSSrfdc.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Nick and Nat\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 19:32:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\103B.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\WudfHost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Cobian Backup 8\cbService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-02-23 19:36:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 03:36:22

Pre-Run: 43,653,525,504 bytes free
Post-Run: 43,610,234,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

195 --- E O F --- 2009-02-20 01:17:12

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-02-23 21:04:28
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

SSDT Vax347b.sys ZwClose
SSDT Vax347b.sys ZwCreateKey
SSDT Vax347b.sys ZwCreatePagingFile
SSDT Vax347b.sys ZwEnumerateKey
SSDT Vax347b.sys ZwEnumerateValueKey
SSDT Vax347b.sys ZwOpenKey
SSDT Vax347b.sys ZwQueryKey
SSDT Vax347b.sys ZwQueryValueKey
SSDT Vax347b.sys ZwSetSystemPowerState

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcessEx
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwNotifyChangeKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryMultipleValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwReplaceKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRestoreKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetContextThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetInformationProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnloadKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code 4D69722C IoReportHalResourceUsage
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys NtSetInformationProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP F3C869E0 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F3C869B6 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP F3C869F6 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP F3C86A0C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP F3C869CA \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP F3C86934 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP F3C86948 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP F3C8698E \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP F3C8697A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP F3C86961 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP F3C869A2 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP F3C86A25 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP F3C86AA4 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP F3C86B0F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP F3C86AD0 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP F3C86A78 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP F3C86A62 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP F3C86A8E \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP F3C86B39 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP F3C86B4D \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP F3C86B25 \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF000A
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0FA5
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0073
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0FB6
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF0F6D
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00B5
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00E4
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F4B
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FF0F3A
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FF0062
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FF001B
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FF00A4
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FF0051
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FF0036
.text C:\WINDOWS\explorer.exe[580] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FF0F5C
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D3002F
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D30F8D
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D3000A
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D30040
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00D30F9E
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ F3, 88 ]
.text C:\WINDOWS\explorer.exe[580] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D30FB9
.text C:\WINDOWS\explorer.exe[580] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00DC000A
.text C:\WINDOWS\explorer.exe[580] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\explorer.exe[580] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00DC0FDE
.text C:\WINDOWS\explorer.exe[580] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00DC0FC3
.text C:\WINDOWS\explorer.exe[580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00930089
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00930F8A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00930F9B
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0093004E
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00930FC7
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009300C6
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009300AB
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00930F59
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009300E8
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0093010D
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00930FAC
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0093009A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00930033
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00930022
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 009300D7
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00920FCD
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0092006F
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00920FDE
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00920014
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0092005E
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00920043
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00920FBC
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00900FEF
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[836] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB006E
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0F79
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0047
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0036
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0FAF
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB0F37
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0F52
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB00AE
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB0F15
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FB00BF
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FB0F9E
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FB0011
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FB007F
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FB0FC0
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FB0FDB
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FB0F26
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FA002F
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FA007D
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FA0FD4
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FA006C
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FA0051
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FA0040
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F6F
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C6005A
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60049
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C6002C
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60F8A
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F52
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C6009A
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60F26
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F37
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C600DA
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C60011
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C60089
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C60FA5
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C60FC0
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C600BF
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C50040
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C50FCA
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C50091
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C50076
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C50051
.text C:\WINDOWS\system32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 039D0000
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 039D0053
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 039D0F5E
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 039D0F79
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 039D0F8A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 039D0FAF
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 039D009C
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 039D007F
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 039D00ED
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 039D00DC
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 039D0F43
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 039D0036
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 039D0FE5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 039D0064
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 039D0011
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 039D0FC0
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 039D00B7
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 033C0FD1
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 033C005B
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 033C002C
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 033C0011
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 033C0F94
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 033C0000
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 033C0FA5
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 5C, 8B ]
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 033C0FC0
.text C:\WINDOWS\system32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03120FE5
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 039C0000
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 039C0FE5
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 039C0FCA
.text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 039C0FAF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F66
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F77
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F94
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660FA5
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660047
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660091
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660080
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F1D
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600B6
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00660F02
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00660FC0
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0066001B
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00660F55
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00660036
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00660FDB
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00660F38
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00650FB9
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00650F97
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00650014
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00650054
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00650FA8
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 85, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0065002F
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50FE5
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50F52
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50F6D
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50047
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50036
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50FAF
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B50F1A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B50062
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50098
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B50EFF
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B50EE4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B50F94
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B50FD4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B50F37
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B5001B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B5007D
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B40036
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B40058
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B4001B
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B40F9B
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B40047
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B40FC0
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B007A
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F85
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B005F
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0FAC
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0FD1
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B00B9
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B009C
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B00F6
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00DB
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007B011B
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007B004E
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007B0011
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007B008B

---- Devices - GMER 1.0.12 ----


---- Modules - GMER 1.0.12 ----

Module _________ F7314000

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:05D195EC
ADS C:\Documents and Settings\All Users\Application Data\TEMP:211ED887
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DA18FD1D
ADS C:\Documents and Settings\Nick and Nat\Favorites\ZabaSearch - Free People Search Engine.url:favicon

---- EOF - GMER 1.0.12 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:11 PM, on 2/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Nick and Nat\My Documents\Anti Virus Programs\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150167130215
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9235 bytes
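The O4 entries in the HijackThis log above are the Run-key autorun lines that helpers read by eye for startup items that do not belong. As an added illustration (not code from this thread, from HijackThis or from BleepingComputer), the following Python script parses lines in that O4 format and flags two common red flags from a defender's point of view: a Windows system binary name such as svchost.exe launched from outside the Windows directory, and a startup entry that runs from a user-writable profile or temp location. The sample lines mix entries copied from the log above with one constructed suspicious entry; the svchost.exe path under C:\Documents and Settings\User\Application Data is made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Names of Windows system binaries that malware commonly borrows for its own files.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                       "services.exe", "explorer.exe", "smss.exe"}

# Where Windows itself keeps those binaries (lowercase; prefix match).
WINDOWS_DIRS = ("c:\\windows\\",)

# User-writable locations from which a startup entry deserves a closer look.
WRITABLE_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\")

# O4 line shape as HijackThis prints it: O4 - <hive>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# For unquoted command lines the executable ends at the first program extension.
EXE_RE = re.compile(r"(?i)^(.+?\.(?:exe|scr|com|bat|cmd|pif))(?:\s|$)")


@dataclass
class Finding:
    name: str    # value name in the Run key
    hive: str    # HKLM / HKCU / HKUS\... as printed by HijackThis
    path: str    # executable the entry launches
    reason: str  # why it was flagged


def executable_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_o4(lines) -> List[Finding]:
    """Parse O4 lines and return one Finding per red flag; clean entries produce nothing."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # other O-sections and 'Global Startup' .lnk lines are not handled here
        path = executable_path(m.group("cmd"))
        low = path.lower().replace("/", "\\")
        basename = low.rsplit("\\", 1)[-1]
        if basename in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_DIRS):
            findings.append(Finding(m.group("name"), m.group("hive"), path,
                                    f"{basename} launched from outside the Windows directory"))
        if any(d in low for d in WRITABLE_DIRS):
            findings.append(Finding(m.group("name"), m.group("hive"), path,
                                    "startup entry runs from a user-writable profile/temp location"))
    return findings


SAMPLE_LINES = [
    # Entries copied from the HijackThis log in this thread (all legitimate software):
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"""O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')""",
    # Constructed for this example: a fake 'svchost' living in a user profile folder.
    r"O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\User\Application Data\svchost.exe",
]


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LINES):
        print(f"[{f.hive}] {f.name}: {f.path} -> {f.reason}")
```

Only the constructed entry is flagged (twice: wrong location for a system binary name, and a user-writable folder); the four lines from the real log pass. A hit is a prompt to check the file's publisher, signature and hash, not a verdict, and the parser deliberately leaves out things a full triage would need: unexpanded %SystemRoot% variables, 8.3 short names such as PROGRA~1 (which it treats literally), and the Global Startup .lnk lines.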

#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 24 February 2009 - 04:51 PM

Hello.

That's good to hear. The TDSSserv rootkit was removed :thumbup2:

Just one warning I need to give you as the TDSSserv infection was removed. Although it's a good thing it's removed, it's not a good thing that it was there in the first place.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to continue do the steps below:

Download and Run OTMoveIt3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code into the box in the OTMoveIt3 window. Do not include the word "Code".
    :files
    c:\windows\system32\0734F9550B.sys
    @C:\Documents and Settings\All Users\Application Data\TEMP:05D195EC
    @C:\Documents and Settings\All Users\Application Data\TEMP:211ED887
    @C:\Documents and Settings\All Users\Application Data\TEMP:DA18FD1D
    @C:\Documents and Settings\Nick and Nat\Favorites\ZabaSearch - Free People Search Engine.url:favicon
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large MoveIt! button.
  • Copy/Paste the contents under the Results line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Registry Cleaner(s) Warning
The following is referring to RegCure

Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System. This could include making your computer inoperable.
  • These programs generally only delete "orphaned" or "dead" entries. This merely removes entries that point to files that no longer exist on your computer. Registry entries do not take up a significant amount of hard drive space. The program itself (and its own registry entries) likely occupy relatively more space.
  • The amount of improvement in performance you gain is minimal.
This is done, assuming that the major audience here at this board may be inexperienced users and thus a suggested safeguard from our side.
If you feel that you have sufficient knowledge to use such tools safely, then you are welcome to keep them.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-OTMoveIt log
-Kaspersky Scan log
-New DDS logs


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#15 nicolai_gm

  • Topic Starter
  • Members
  • 12 posts

Posted 25 February 2009 - 01:37 AM

Hello EB.

Definitely not the news I wanted, but I am not entirely surprised. I am going to go ahead and post the requested log files for you to look at. I still am unsure whether to reformat or not. I assume that legally you can't give any more advice on this, can you? Is there any way to tell if I have been accessed and/or the severity of the hack?

I have already changed my banking passwords a couple times and will follow your advice of notifying my bank. I always buy online with a credit card, rather than paying with my debit-bank account, but do access my bank account online for paying bills.

I will also take your advice on the RegClean software. It was a freebie anyway that came bundled with XSoftSpy.

I really appreciate your help with this. If you have any more info or advice that you can share I would appreciate it immensely.

Thank you. -Nick

========== FILES ==========
c:\windows\system32\0734F9550B.sys moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:05D195EC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:211ED887 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DA18FD1D deleted successfully.
ADS C:\Documents and Settings\Nick and Nat\Favorites\ZabaSearch - Free People Search Engine.url:favicon deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\NICKAN~1\LOCALS~1\Temp\etilqs_vzcRTEDA05DrBTrXZlq2 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcmsc_NPRFKMAZUX0zZGs scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1dc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02242009_180321

Files moved on Reboot...
File C:\DOCUME~1\NICKAN~1\LOCALS~1\Temp\etilqs_vzcRTEDA05DrBTrXZlq2 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\mcmsc_NPRFKMAZUX0zZGs not found!
File C:\WINDOWS\temp\Perflib_Perfdata_1dc.dat not found!
C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Nick and Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\px8xb0e6.default\XUL.mfl moved successfully.


Tuesday, February 24, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, February 25, 2009 01:50:28
Records in database: 1841059
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
G:\
Scan statistics
Files scanned 227648
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 02:44:57

No malware has been detected. The scan area is clean.
The selected area was scanned.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Nick and Nat at 22:06:14.07 on Tue 02/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.645 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Nick and Nat\My Documents\Anti Virus Programs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150167130215
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nickan~1\applic~1\mozilla\firefox\profiles\px8xb0e6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-1-20 213640]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-31 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-1-20 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-1-20 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-20 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-20 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-20 40552]
S2 0300531235489859mcinstcleanup;McAfee Application Installer Cleanup (0300531235489859);c:\windows\temp\030053~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\030053~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\103b.tmp --> c:\windows\system32\103B.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-20 34216]

=============== Created Last 30 ================

2009-02-24 18:03 <DIR> --d----- C:\_OTMoveIt
2009-02-23 19:53 345 -------- c:\windows\gmer.ini
2009-02-23 19:26 <DIR> a-dshr-- C:\cmdcons
2009-02-23 19:24 161,792 -------- c:\windows\SWREG.exe
2009-02-23 19:24 98,816 -------- c:\windows\sed.exe
2009-02-08 09:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-01-31 13:07 <DIR> --d----- c:\program files\Cobian Backup 8

==================== Find3M ====================

2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-14 16:11 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 -------- c:\windows\system32\drivers\mbam.sys
2009-01-09 12:03 213,640 -------- c:\windows\system32\drivers\mfehidk.sys
2009-01-09 12:03 79,304 -------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 12:03 40,552 -------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 12:03 35,272 -------- c:\windows\system32\drivers\mfebopk.sys
2009-01-09 12:03 34,216 -------- c:\windows\system32\drivers\mferkdk.sys
2009-01-05 14:33 3,751,995 -------- c:\windows\system32\GPhotos.scr
2009-01-05 12:22 410,984 -------- c:\windows\system32\deploytk.dll
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2006-12-18 20:20 424,692 -------- c:\program files\dBpowerAMP-codec-ogg.exe
2007-10-23 16:12 56 ---shr-- c:\windows\system32\0B55F93407.sys
2007-10-23 16:12 4,184 ---sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-25 11:43 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 22:07:28.70 ===============
