MS Antispyware 2009


  • This topic is locked
29 replies to this topic

#1 grafton02

  • Members
  • 16 posts

Posted 28 February 2009 - 11:44 AM

Help!

Last week my computer started having problems, the most significant being:

  • constant browser hijacks when I would click on links both in search pages and internal links on websites
  • Task Manager was disabled
  • System Restore did not work: I could select the restore date I wanted, but when I hit Next, nothing would happen
  • MS Antispyware 2009 was popping up constantly, and often videos or podcasts would play in invisible windows where I could only hear them
  • I could not access some websites, like this one

So, being a computer novice at best, I updated my McAfee Security programs, ran a scan and removed everything that the program found. That did not seem like it did much (I still had all of the same problems), so I downloaded PC Tools Registry Mechanic and Spyware Doctor. I ran both of those and made the suggested changes. I also disabled some of the ActiveX and Java plug-ins in IE. I also uninstalled IE7 and went back down to IE6. Lastly, I installed Firefox, thinking I might have fewer problems in the future. This helped a lot by restoring my access to Task Manager, eliminating some redirects and popups, and giving me broader access to websites.

Unfortunately I am still having problems.
MS Spyware still pops up at times, I still get redirected on occasion (mostly in IESystem), restore still does not work, and pictures do not show up in IE unless I go into advanced settings and recheck the "show pictures" box. I am concerned that my computer may have a host of problems. In fact, the DDS log was too long to fit in the post, so I have attached it in its entirety.

Your help is appreciated!


DDS (Ver_09-02-01.01) - NTFSx86
Run by Neumeyer at 8:39:17.50 on Sat 02/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.566 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = https://activate.verizon.net/launch/res1/save_your_settings
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: SFCDisable=4 (0x4)
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
{c5bf49a2-94f3-42bd-f434-3604812c8955}
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SFP] c:\program files\common files\verizon online\sfp\vzSFPWin.EXE /s
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [um9rlwgu7tigejundfdlfdhvc0ax4w977apd9] c:\docume~1\neumeyer\locals~1\temp\b1n73k6bl.exe
uRun: [ifvukf4tg89mhrff6pjnntxqv11ghofjk2] c:\docume~1\neumeyer\locals~1\temp\qinogt4i.exe
uRun: [o3l1gr8mmir4ex6w3zyt1lrvf7b33dprce] c:\docume~1\neumeyer\locals~1\temp\jgmoju.exe
uRun: [v3fvli4bp5zsq8zac97k7vljw] c:\docume~1\neumeyer\locals~1\temp\yeifztcy3r4av.exe
uRun: [yxzs2amf21dohbx0u] c:\docume~1\neumeyer\locals~1\temp\pam56ftp4r.exe
uRun: [u47wmacrmwjx1lc2mk70subkz2v1yny8q6jxjhuu3b5h] c:\docume~1\neumeyer\locals~1\temp\slef0qkf.exe
uRun: [xy7t3ait5ipcdxhat4ayttac] c:\docume~1\neumeyer\locals~1\temp\qmoh40t52ny6.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [fl25777ch5vzvvvexpnfafhfg] c:\docume~1\neumeyer\locals~1\temp\jfm66uri15ya.exe
uRun: [jxftno8ykqsx4cqkf64q8rify7zq1omidxmjbgoxq6ly] c:\docume~1\neumeyer\locals~1\temp\jc7kxvop.exe
uRun: [d9qhyg6af4oqov50] c:\docume~1\neumeyer\locals~1\temp\qpe2q9d.exe
uRun: [iquc36lnpwfogm7k89dny01ajgpz4p93pwp1g44gggvhq] c:\docume~1\neumeyer\locals~1\temp\y9lcpre6r.exe
uRun: [dblqqho7mzxy] c:\docume~1\neumeyer\locals~1\temp\qwu0nuy.exe
uRun: [dxjph05ukiq8pdb7tdtpapzyynov] c:\docume~1\neumeyer\locals~1\temp\a0dlm54n2t.exe
uRun: [v924f6zn4qxiw1fg0d7i7qcmgyb] c:\docume~1\neumeyer\locals~1\temp\baijdmof3ni.exe
uRun: [ybxfd0z0j2gozkatf3uszxwtuwe] c:\docume~1\neumeyer\locals~1\temp\p8f6ftv.exe
uRun: [vfvq7ftsw8zdo1skenhxa14rtgg2i3rbksrw6eihlhoysnxanc] c:\docume~1\neumeyer\locals~1\temp\xr69s1v.exe
uRun: [u6cz8mdjcpzqmyqs1vam7d] c:\docume~1\neumeyer\locals~1\temp\ikrfe5.exe
uRun: [ih1foe16zof9ep31znd2o4gbd7wracf] c:\docume~1\neumeyer\locals~1\temp\a4xkm1t.exe
uRun: [m4okihf0h0zxc0cgjf] c:\docume~1\neumeyer\locals~1\temp\aegi9tm29yup.exe
uRun: [v4dcb6pp55c6rex12m2] c:\docume~1\neumeyer\locals~1\temp\esy8hfby7h.exe
uRun: [ejuoahov14o5oog74x17tefzyrmw08hh7r12ywx] c:\docume~1\neumeyer\locals~1\temp\wjashlqmxoa3a.exe
uRun: [kjjg0js95pfb9lnfy0qvvurgkvdru] c:\docume~1\neumeyer\locals~1\temp\lr5t0r5a.exe
uRun: [e6bvbu7bu25gmw55j] c:\docume~1\neumeyer\locals~1\temp\z4g3hvy.exe
uRun: [zzjhabyonfaybczvmxmjp96mt16hdopgd] c:\docume~1\neumeyer\locals~1\temp\snx9arm791.exe
uRun: [p3e9fdeq3y0w9quul7gmgt6nomhs01kb0g82] c:\docume~1\neumeyer\locals~1\temp\o8gb7i4k0q3b.exe
uRun: [q9sni8avl9uxvqdxdczi4xd0hl1lq8sw8k1] c:\docume~1\neumeyer\locals~1\temp\fzjk3f.exe
uRun: [yminyau03nmmhhmpzwtsh2ncyr6xrfp7iqgstyc06wgo3g] c:\docume~1\neumeyer\locals~1\temp\gqoiufw.exe
uRun: [rxdfhv6a2csxzoyu7texjl21] c:\docume~1\neumeyer\locals~1\temp\kg07qkf3.exe
uRun: [jtyotrujbjjpt1zc2ifyru4vg5hamkojkwwlpjznwqs6v2] c:\docume~1\neumeyer\locals~1\temp\ru4woaeat.exe
uRun: [pteupuzdlbyhryo0jdpt6y4xyo6] c:\docume~1\neumeyer\locals~1\temp\n0gevfpcdb.exe
uRun: [bhvautxdl9t62rh6u7kr2q4exho1wdf50izjc2q06] c:\docume~1\neumeyer\locals~1\temp\jhdk3df.exe
uRun: [mhqk0y48x0wrzzmthsgvt9dcgm1rxs4wr2wfgo97p] c:\docume~1\neumeyer\locals~1\temp\mvyi0e4q0k0.exe
uRun: [jmd0piftmoecu3s6leipsachesc4tv9kedxgplmqb7rdah] c:\docume~1\neumeyer\locals~1\temp\svvysknjmomsx.exe
uRun: [fpdqpync8y26vrczp13qn7thbn5o] c:\docume~1\neumeyer\locals~1\temp\djx5eplbxmlaw.exe
uRun: [rbos4w612qo6f7xi1n413wm0l] c:\docume~1\neumeyer\locals~1\temp\olxkul.exe
uRun: [p4bukowe04q] c:\docume~1\neumeyer\locals~1\temp\ji1bf4xj.exe
uRun: [m4fvm1u5twd42j0ij] c:\docume~1\neumeyer\locals~1\temp\n7wts0aetd.exe
uRun: [enatn03kuv6h83esrbr303e60ihis4vxwj4lu7p0ixx7] c:\docume~1\neumeyer\locals~1\temp\a0olvo2o77i0.exe
uRun: [u2vxff1fma2u37lfec851neu] c:\docume~1\neumeyer\locals~1\temp\hvzd3wu.exe
uRun: [wsehifeh9kr] c:\docume~1\neumeyer\locals~1\temp\yr33aiux72m9.exe
uRun: [x8bih6p4gsug1r9vijte5tr9t8n2fto540319rme06] c:\docume~1\neumeyer\locals~1\temp\xi2whed.exe
uRun: [dmnbtg0ee0d9ethu6aq5] c:\docume~1\neumeyer\locals~1\temp\dd3a6llwzf2hg.exe
uRun: [v1yoia9lzg6jw95y6s1l5gx8] c:\docume~1\neumeyer\locals~1\temp\lrutrr.exe
uRun: [lyuu9f5wau0ai9ujkcs5] c:\docume~1\neumeyer\locals~1\temp\hhwft9z.exe
uRun: [pclwcbs038rae0krkawl2v0] c:\docume~1\neumeyer\locals~1\temp\q8i07vmm05.exe
uRun: [o32htx8uap0q53zsi5aucy2y4577tfdiz] c:\docume~1\neumeyer\locals~1\temp\wvyre411rt.exe
uRun: [nd4kyrvuqm1732sywp8ylzwmbspzzcdjij2wywn8olcu] c:\docume~1\neumeyer\locals~1\temp\rj4mhlcc5c.exe
uRun: [n242iw6g1n3f4uf4zg1lba3zi08nxdnxg84ulrbp5yqz84cgp6] c:\docume~1\neumeyer\locals~1\temp\uuzdprits9acu.exe
uRun: [he7nqkcuthgi4itqi9qi4fvekhoo7f2vpf31w9g] c:\docume~1\neumeyer\locals~1\temp\imoal9x.exe
uRun: [z6yzctif290tq6iolue6] c:\docume~1\neumeyer\locals~1\temp\u6yvctroixkd.exe
uRun: [wvym6blih0] c:\docume~1\neumeyer\locals~1\temp\eplnj0v9afjn.exe
uRun: [fmunm5yi68k7zc3iinyfcpkk1n] c:\docume~1\neumeyer\locals~1\temp\xssxosy.exe
uRun: [ny6fd9eyhyjsqy76wi] c:\docume~1\neumeyer\locals~1\temp\g27y9wsn.exe
uRun: [sfr8o6unzdym06tre968xsal5zz2r3wk955ih2hchbb] c:\docume~1\neumeyer\locals~1\temp\u6ncmat4d0.exe
uRun: [znihf43dn5t3as4acuvow5txac8] c:\docume~1\neumeyer\locals~1\temp\iohpccrk.exe
uRun: [lp12bekdj8b1f92f6lt2ime2hn4xaunuirht8] c:\docume~1\neumeyer\locals~1\temp\v7eeqk.exe
uRun: [ufl8gyelykee5dhe54v2hjwbcof6bydafuxtq48os5gvu2ldj7] c:\docume~1\neumeyer\locals~1\temp\kksiz7mf.exe
uRun: [jxl5xp70mayz5qtbylpamhqso] c:\docume~1\neumeyer\locals~1\temp\lqek0g781.exe
uRun: [f9hxhaiq8vdcsl] c:\docume~1\neumeyer\locals~1\temp\dwn8yjr.exe
uRun: [b8gaim7p7] c:\docume~1\neumeyer\locals~1\temp\xf780hnogyvh4.exe
uRun: [lm48j2ov9kcp78c8hf7shvk2liqii] c:\docume~1\neumeyer\locals~1\temp\b92amu.exe
uRun: [hpv7ml4ll] c:\docume~1\neumeyer\locals~1\temp\obby7knwhy.exe
uRun: [sceifi74bm2c0r] c:\docume~1\neumeyer\locals~1\temp\knw4zjka6y.exe
uRun: [d4o92an80xl2exuoicrhub1d2aqirjgk8atz68ynwqpum2c] c:\docume~1\neumeyer\locals~1\temp\dlrx7cuj.exe
uRun: [a51vlcnqqzzef7cte604pj8] c:\docume~1\neumeyer\locals~1\temp\gvbhn9dz1r.exe
uRun: [ho7vzry2mg45fa0] c:\docume~1\neumeyer\locals~1\temp\lzehvhu6h.exe
uRun: [sivo2nmbjv606hlhwx3cc5yqwcmfak9mw] c:\docume~1\neumeyer\locals~1\temp\l9911xbna4ov9.exe
uRun: [nwte9g0naq6ss1m5fpl3ma3771esh21d8am079tqd6kd8vvby] c:\docume~1\neumeyer\locals~1\temp\ews311f0.exe
uRun: [aqv3e5oqgs609n1p5kpugnwtlcjsjk66er0h0p7kw87as] c:\docume~1\neumeyer\locals~1\temp\ivzokd.exe
uRun: [fzzyz5u72u7ycsunaok9uy1qyc5lzwysw7i4bncvk2cuqb7] c:\docume~1\neumeyer\locals~1\temp\f775i9.exe
uRun: [l9eimqst31] c:\docume~1\neumeyer\locals~1\temp\g3noj7bouirr4.exe
uRun: [bj925dyasn2e664hyj2rhpapbtcn6azebm7xy] c:\docume~1\neumeyer\locals~1\temp\m7tijyj.exe
uRun: [qx8556pukz0fbkfstz01719c] c:\docume~1\neumeyer\locals~1\temp\batj35mz81d5x.exe
uRun: [d2g5kanh3g1s18] c:\docume~1\neumeyer\locals~1\temp\duzv6ztxcj.exe
uRun: [ycrghi6493v3777y7595kmxbfiktv18lt6] c:\docume~1\neumeyer\locals~1\temp\hjbdje6szpha.exe
uRun: [bme939s8cq1s27fchtyf0l15q6n6qcq] c:\docume~1\neumeyer\locals~1\temp\ywf3qh600.exe
uRun: [llra89e9sl99wytsuo00l0k7uw4tg7bchf7n3c5v9pxx10pyd] c:\docume~1\neumeyer\locals~1\temp\sxmewoqaxn6.exe
uRun: [e2nbxxzoziu3rl8bjvkrdoxh65h9z7jn3] c:\docume~1\neumeyer\locals~1\temp\pe9ggj4.exe
uRun: [pdonvre8oqpoj87yw6sl27v1rla0s6la76b06p] c:\docume~1\neumeyer\locals~1\temp\kqrbggaufrvj.exe
uRun: [ul96qz2ct5ujom8u82h9] c:\docume~1\neumeyer\locals~1\temp\h2fb0hy.exe
uRun: [qar7qj9h1bqpp9wiwpm37ljk9dp] c:\docume~1\neumeyer\locals~1\temp\fnvjkz.exe
uRun: [usigwqul2ll3uinri9b3b6i8twyq5n9eb1f81qn2zdau] c:\docume~1\neumeyer\locals~1\temp\w5ithjgzba.exe
uRun: [g39x6jdmtv1jq5ihov0juwyhbmcc17epx5uzcauzn28nzz1u4] c:\docume~1\neumeyer\locals~1\temp\olmkl2yz6ax3.exe
uRun: [o5ru6x5zg] c:\docume~1\neumeyer\locals~1\temp\n2jqt07zo.exe
uRun: [a1dwtfyljpgne18s3k6zpzgut2iwz6epum] c:\docume~1\neumeyer\locals~1\temp\r1gv5udmu.exe
uRun: [b81cjpwrv03rl2hujenvkuyzj9yhu7kytl9qrydx] c:\docume~1\neumeyer\locals~1\temp\phu2gv2uz.exe
uRun: [vnkehnicn25gegt] c:\docume~1\neumeyer\locals~1\temp\hj0utv88ub.exe
uRun: [zqopr8un2ng] c:\docume~1\neumeyer\locals~1\temp\dlqzfe.exe
uRun: [zqn2kmtb4zdsixxev8vn1pfz8r2sout0y9caaxg4a7g] c:\docume~1\neumeyer\locals~1\temp\heyake3uubz.exe
uRun: [lv3i74mmitfuzs1oq5ytqc2] c:\docume~1\neumeyer\locals~1\temp\z2epupm37v.exe
uRun: [hp1wtkvcvo6th7bsxz78u7rdypmu1f0w0a6xrwj12] c:\docume~1\neumeyer\locals~1\temp\youys4.exe
uRun: [t851rcchny9od3v27k0iv91mmsikpdpouy] c:\docume~1\neumeyer\locals~1\temp\y667gw1reunsk.exe
uRun: [ywzorb9i4wphjhf0b8q8xnxi583ouqbsgd33i1qmjxhz3rct] c:\docume~1\neumeyer\locals~1\temp\tuc2juc2sd96d.exe
uRun: [l5ksykaunm6pe5is] c:\docume~1\neumeyer\locals~1\temp\rzixf8nm2vpl.exe
uRun: [pmifze86bjb3iruuard5vx0zssrpiyfae8cu6emca] c:\docume~1\neumeyer\locals~1\temp\cdpg5jdc.exe
uRun: [ls1azs0lfj7pmw92rdwg5f88l7zjbkf1kab5kc] c:\docume~1\neumeyer\locals~1\temp\m0814u2rlp5.exe
uRun: [fqiqhl6519] c:\docume~1\neumeyer\locals~1\temp\kiz384b.exe
uRun: [l2h44k84chafbi8zbct5aaka46xvsfxzpagwuu9pk95fbmvshl] c:\docume~1\neumeyer\locals~1\temp\n28q309.exe
uRun: [krbid7u6ohw82fpdmkt] c:\docume~1\neumeyer\locals~1\temp\co8rn7c0gk47d.exe
uRun: [gfefdhnfpi63] c:\docume~1\neumeyer\locals~1\temp\gtnlv8ymaksiq.exe
uRun: [pcjo669t0yu4x3incsv5fru] c:\docume~1\neumeyer\locals~1\temp\m7oz1fnt1rj.exe
uRun: [zkmpmbvs7iq6kp323] c:\docume~1\neumeyer\locals~1\temp\fu0yr1yvlfqy.exe
uRun: [met0aw765yswl3hh2iblrdz1h] c:\docume~1\neumeyer\locals~1\temp\qw0heb0oox9pk.exe
uRun: [sksem7xzfnnlviuhb7yci06d2z69c] c:\docume~1\neumeyer\locals~1\temp\x09m64ien9.exe
uRun: [psmrat96uaci7tbm667z58redtf6ofxlrqqxcshnzuv7gdzzeq] c:\docume~1\neumeyer\locals~1\temp\cb23vetf.exe
uRun: [cgelon5kxf8xfofjt9t7sv21aochxamb1llzmqu0xtxpvssplv] c:\docume~1\neumeyer\locals~1\temp\hopeaty.exe
uRun: [iueic4ramjreb9me43u2n60sjfik7xsmu4m] c:\docume~1\neumeyer\locals~1\temp\iubgu2je.exe
uRun: [y1pvttydjj1o1rnogi5a6moxowb49x2lsu2] c:\docume~1\neumeyer\locals~1\temp\mzqa23m0.exe
uRun: [vtp64sbqk] c:\docume~1\neumeyer\locals~1\temp\qjqsz0nsi45k8.exe
uRun: [hto8dtrxg1uy7hu0] c:\docume~1\neumeyer\locals~1\temp\suy81sni.exe
uRun: [xizmzhzm1rm0rrz] c:\docume~1\neumeyer\locals~1\temp\o53qod.exe
uRun: [azrhhkt2xmfsovwakds7rdtq] c:\docume~1\neumeyer\locals~1\temp\wjaqeo0dsb.exe
uRun: [khdjp4iwitzs7w3zm7iddb5svce9r8sqx7xa1wf3qasaj4vs] c:\docume~1\neumeyer\locals~1\temp\yyl21jvp3r.exe
uRun: [rtbe280gcixyth4d3ox2lfbsi5yg] c:\docume~1\neumeyer\locals~1\temp\n1xjb8.exe
uRun: [k059a8mfue6dy9ow3z4wk7bbmypb0] c:\docume~1\neumeyer\locals~1\temp\h80kmnpa60y.exe
uRun: [zg8b6rd76zhvc2ru7s92x03gt3ubc00c23z94qwc9] c:\docume~1\neumeyer\locals~1\temp\kn7n82iuscaj.exe
uRun: [fyyasqpbfgbrf04qfgqx8ojr9xtpx354fe6kg5otzyet] c:\docume~1\neumeyer\locals~1\temp\r0v51x7s8o3.exe
uRun: [hbs66vm84d3ewddif3henod84nfd2dr9w8kqr] c:\docume~1\neumeyer\locals~1\temp\rme8rec6ro.exe
uRun: [e8ryws122mspu8r510pim18jc2ny] c:\docume~1\neumeyer\locals~1\temp\zqqob9lf8y.exe
uRun: [m1fyqq545] c:\docume~1\neumeyer\locals~1\temp\v2vuh3e.exe
uRun: [xjbafcqiz4dshplv26n74sfdvnodghp8ubyhb2f3loozl] c:\docume~1\neumeyer\locals~1\temp\g5bksrq1l8.exe
uRun: [t13psqkr3wyntv0ks6wgkndee87ct5zgbqn59j32sq4] c:\docume~1\neumeyer\locals~1\temp\yn88acyhuwh.exe
uRun: [z09m8xtak0mkpqrhv9vrdvgfvb] c:\docume~1\neumeyer\locals~1\temp\hbxmc0buqwx.exe
uRun: [jukagabozb0ufe] c:\docume~1\neumeyer\locals~1\temp\drlop23d.exe
uRun: [fovc0jorbfekuoo8ieghd2azs0pcvfo12l] c:\docume~1\neumeyer\locals~1\temp\wjgq552t.exe
uRun: [yq6v0fh9z3osx5e1yb251eoj3dsyfc0qf] c:\docume~1\neumeyer\locals~1\temp\erv2a367bxzi2.exe
uRun: [ifudbdc6jp6nfz68t6m8uu9eidt6wwmd8t8cv1o6] c:\docume~1\neumeyer\locals~1\temp\mfh5kps163.exe
uRun: [tn9gzlnljuq1pdb] c:\docume~1\neumeyer\locals~1\temp\z3pd010a.exe
uRun: [hkuoqbh6nr4dxe29z8gpo0jed8rz7xip] c:\docume~1\neumeyer\locals~1\temp\iqlnty0jr9f.exe
uRun: [wfww3phmoz7lq49prt8gycla9a7vehwv1i50l5] c:\docume~1\neumeyer\locals~1\temp\vbfqvar09g.exe
uRun: [ryc70fytu9bru3xk2h34panjh9wgz069i6f51h] c:\docume~1\neumeyer\locals~1\temp\bi06nwvm.exe
uRun: [konhe1ntix3ygfqvd1q4k74l8nt4q89htof7lr2] c:\docume~1\neumeyer\locals~1\temp\jscdgy.exe
uRun: [c5tu3da3dujzgak49gu7tqbi6to9tk] c:\docume~1\neumeyer\locals~1\temp\qngle7x.exe
uRun: [tdspba5z7ll5n4w8fl7afuorn4] c:\docume~1\neumeyer\locals~1\temp\hd1kt3.exe
uRun: [bnzy6vor341ca0j8dvl80m0ouxdu5w9bmq4o7w] c:\docume~1\neumeyer\locals~1\temp\euzoay4.exe
uRun: [ot98ie6mbhyrs4dfq5whrr8z2xjzquk2im6iqg1p3] c:\docume~1\neumeyer\locals~1\temp\u70kpiut2.exe
uRun: [fu9f1vk1mne9hfr7o870j05ytot019r4lf210gjyfj8u3d3aj] c:\docume~1\neumeyer\locals~1\temp\gaj4spx.exe
uRun: [aaybom5d9] c:\docume~1\neumeyer\locals~1\temp\jpx87329b0.exe
uRun: [mvdgub41y92npyha4kg1aav8nh] c:\docume~1\neumeyer\locals~1\temp\jfv48o9hs0c9.exe
uRun: [l51a8m5zqbchn0i7qeocvkrqy3hycsh] c:\docume~1\neumeyer\locals~1\temp\g0o1m9gx6o0.exe
uRun: [fclz1gc08i0c9qr5ez3joxyx] c:\docume~1\neumeyer\locals~1\temp\epg4khz7.exe
uRun: [h505guzrgrj9q0l5] c:\docume~1\neumeyer\locals~1\temp\ubcwm80.exe
uRun: [syyrbnnayarf6881f6dhc66b3c3l2j75voonvd] c:\docume~1\neumeyer\locals~1\temp\xxpyyqqe0u.exe
uRun: [v3uyabk8v38nugchudurgkncre38tdqdhmf7ze2f5btf9bymx] c:\docume~1\neumeyer\locals~1\temp\l0mo9v2zf1t3r.exe
uRun: [c1ezzl64arqczf6] c:\docume~1\neumeyer\locals~1\temp\cdqexyjb6f.exe
uRun: [mp9a161arm8s] c:\docume~1\neumeyer\locals~1\temp\dmy5jkt95.exe
uRun: [cqlc6ycer3kw54u9y4d7lo4] c:\docume~1\neumeyer\locals~1\temp\wkcy8d3.exe
uRun: [g1xc04exlitc53axg49] c:\docume~1\neumeyer\locals~1\temp\a9ogl9gdz.exe
uRun: [g70ln3uegfuqgmo2e7v2ips88d] c:\docume~1\neumeyer\locals~1\temp\qr8f9auzil.exe
uRun: [tva9jpuzv8nda1btfd] c:\docume~1\neumeyer\locals~1\temp\hkujan.exe
uRun: [ghjwshjwa] c:\docume~1\neumeyer\locals~1\temp\njhtkgmht.exe
uRun: [sjkgnsmgb] c:\docume~1\neumeyer\locals~1\temp\ipje61dpos6h5.exe
uRun: [r325jlgl0j4lxwqf5qum8] c:\docume~1\neumeyer\locals~1\temp\wie0irwzkg.exe
uRun: [xb5gf69ktewfg9gnt9sgaiod05b5] c:\docume~1\neumeyer\locals~1\temp\e6nn7hfl3pdl.exe
uRun: [cos1k2moonwzzxh2x59g6k1yxfgforusqil] c:\docume~1\neumeyer\locals~1\temp\m1lq4md.exe
uRun: [g8dxr6luvxraosr42ywhk9a7s6erc6gjwrnc5] c:\docume~1\neumeyer\locals~1\temp\n7os5vyh.exe
uRun: [i83zcohfwd3zdgfdg2vkj0c0zv9opv60x7sdf] c:\docume~1\neumeyer\locals~1\temp\ubxxxox777u3e.exe
uRun: [bx4a298pxhmqufmt99anlpx] c:\docume~1\neumeyer\locals~1\temp\cfjtokd5h4o.exe
uRun: [t0f0e5wneucv11aljt8rb3zjm3e7w5] c:\docume~1\neumeyer\locals~1\temp\cplgnznxh.exe
uRun: [q1bto9qepc99bvog84fxdxwgejsd7d1spnxjyo1w0o] c:\docume~1\neumeyer\locals~1\temp\t6bjfo1ta3h.exe
uRun: [kwt9u1u153gtfktvqpj] c:\docume~1\neumeyer\locals~1\temp\fzg0tfnxtph7h.exe
uRun: [bjgosf67frnkhly8f8i] c:\docume~1\neumeyer\locals~1\temp\m3ilsqtc.exe
uRun: [vbxg2l59ax1tblbho2xbi5h8g74nhvxqt679oyp11dpqloc] c:\docume~1\neumeyer\locals~1\temp\wq16akzrbpl.exe
uRun: [bo7sdymatb4nhlhkht] c:\docume~1\neumeyer\locals~1\temp\abyvccashe.exe
uRun: [qsoi0zvf9c8m2qrkdsz] c:\docume~1\neumeyer\locals~1\temp\bqitx62t32vk6.exe
uRun: [z7ewtkz2ktt] c:\docume~1\neumeyer\locals~1\temp\n5pu1e.exe
uRun: [wan553k9c7mv2iclviugakq6h] c:\docume~1\neumeyer\locals~1\temp\y7pd7oe.exe
uRun: [arlwbjfo0izbazjv7t60pgnzu] c:\docume~1\neumeyer\locals~1\temp\emwgt377.exe
uRun: [wfvtueczi1coeutjlm2d2z1xezdr4ar77leuiauc1ex] c:\docume~1\neumeyer\locals~1\temp\q0hsey9zgmw.exe
uRun: [pwruue1ar0vdprk0d4pd8i94vnwijmm4] c:\docume~1\neumeyer\locals~1\temp\m6aa4kk10a3d.exe
uRun: [vpncfvlh1oujznk2sngeq4b5kh406ttd] c:\docume~1\neumeyer\locals~1\temp\t5tsuxl2.exe
uRun: [stknefirgd] c:\docume~1\neumeyer\locals~1\temp\mg5ua01i.exe
uRun: [qp4f5xhw7jovxi319e58mgpurq6ra8oo] c:\docume~1\neumeyer\locals~1\temp\a40dw9.exe
uRun: [hsm3soek8] c:\docume~1\neumeyer\locals~1\temp\tacc3eq.exe
uRun: [ciilxgawfr1ps6z92tjp46r7fbh10nqlvyqhn26b8b92c] c:\docume~1\neumeyer\locals~1\temp\f3hth5ckd.exe
uRun: [k440w6gj28qi0lodu1fqvfbs73u7wr5j7rgjc7jf3h5af37mw] c:\docume~1\neumeyer\locals~1\temp\wu2zfa7.exe
uRun: [ncevvb94ahrjzj431855uemodcyzpkslthocstny6kxsv42prr] c:\docume~1\neumeyer\locals~1\temp\ae20v78684pc.exe
uRun: [c9s9ggimgb0kd6y8suczzfwtfm6ysr7u7b4e8m454hy0pvdt] c:\docume~1\neumeyer\locals~1\temp\tfvftv.exe
uRun: [h0gq8ozqegvo6fmzm4dle85asrpwlmte4d3e7jyvvpttf] c:\docume~1\neumeyer\locals~1\temp\cjb6j4.exe
uRun: [k0ds56ypxkfkvpukj8kxka1ab69po76w3nof] c:\docume~1\neumeyer\locals~1\temp\vl1s5nq6we.exe
uRun: [p61kj0rllivtxg1e4t6g7xc1vpim7sw87sy936u] c:\docume~1\neumeyer\locals~1\temp\fiygaxd2y.exe
uRun: [fo0442qi9iodggqx22d1ua] c:\docume~1\neumeyer\locals~1\temp\gemyrv2ri.exe
uRun: [vsygqxb7adykq3lpqk9g88ei737khpnweo2zizay] c:\docume~1\neumeyer\locals~1\temp\l3lraopitqo.exe
uRun: [jo5ur8vlgw] c:\docume~1\neumeyer\locals~1\temp\kp10r3z.exe
uRun: [ulp7nh2fx3caigbj5rxrq2xps1l] c:\docume~1\neumeyer\locals~1\temp\d1wqqf.exe
uRun: [gfmgi4vxjv7azk4ahojsb] c:\docume~1\neumeyer\locals~1\temp\gzebmfickrv3.exe
uRun: [qxosansa18t6zsn4bp] c:\docume~1\neumeyer\locals~1\temp\ys67t8do.exe
uRun: [flveyv7aw310t2gy4kijt08lnml7hx2gt0bcxzrk9nrp4] c:\docume~1\neumeyer\locals~1\temp\kp12yko8n7.exe
uRun: [l6asu76s1eobocfs969vf5c2754mj3nbnzaad] c:\docume~1\neumeyer\locals~1\temp\frdsck.exe
uRun: [cnggk6p4qaqe6p6tvq45ku5i38d9dedrkurb7pe5pxn1v] c:\docume~1\neumeyer\locals~1\temp\neprwf.exe
uRun: [jcxpgik9p7q5kpbar4frzw024dojvx80ju0taibct] c:\docume~1\neumeyer\locals~1\temp\t8ayx8e72y.exe
uRun: [wygl2iqvqr3jiuqui7uz] c:\docume~1\neumeyer\locals~1\temp\mjyxkc1c.exe
uRun: [cbxzwf1yvpa5offb1j68f8ssmbz] c:\docume~1\neumeyer\locals~1\temp\l026ls3.exe
uRun: [vvb9fyxpn2zrxpme] c:\docume~1\neumeyer\locals~1\temp\k5bv9po7f.exe
uRun: [a247fui80xpmi22sxbqq5fiqe5hlwa2hmyn5] c:\docume~1\neumeyer\locals~1\temp\t3whjyfc05p.exe
uRun: [ca9czyiksufkufphwatjkbwuu34if60j3n1ye8j69kts3] c:\docume~1\neumeyer\locals~1\temp\zshlut8w.exe
uRun: [znqb6thqkrwhpr0a7e97z20y5ebocvq3jt1] c:\docume~1\neumeyer\locals~1\temp\v9luv9a.exe
uRun: [oun8c248d8lcc1030a580cba559scgvnwfqeg1d5bytt] c:\docume~1\neumeyer\locals~1\temp\eioe6q.exe
uRun: [jn2sa6yfe1ldl43ha4esfs] c:\docume~1\neumeyer\locals~1\temp\pb5ux7620c4et.exe
uRun: [uc83juln8p5103m53lfnte3bfek7s] c:\docume~1\neumeyer\locals~1\temp\hmqis927.exe
uRun: [g7nsmkequeabfsupk7ubixwd3] c:\docume~1\neumeyer\locals~1\temp\jsfv41e0zddi.exe
uRun: [r6y7j4vwfgw0o1ddqi7s] c:\docume~1\neumeyer\locals~1\temp\gepz1vavyv.exe
uRun: [lok6jw1i2wphkk4wm8az29ba8gl] c:\docume~1\neumeyer\locals~1\temp\h5uxscb6z84.exe
uRun: [kkoi7da7cot] c:\docume~1\neumeyer\locals~1\temp\fvmo9t0.exe
uRun: [nihsqrlufhltl] c:\docume~1\neumeyer\locals~1\temp\fvt82bcn6.exe
uRun: [umppaugoeauslcfi14sdfvznww] c:\docume~1\neumeyer\locals~1\temp\xnewxdpsieev.exe
uRun: [a4upqpxdeuuc] c:\docume~1\neumeyer\locals~1\temp\zx65urfqt92lu.exe
uRun: [ztlj03q5cf5mowmhtmr] c:\docume~1\neumeyer\locals~1\temp\xj23j4.exe
uRun: [eykelw8k0otwhxrffwifi8qwka7i7n] c:\docume~1\neumeyer\locals~1\temp\xyg7f1oz5.exe
uRun: [t8mymv1dq2mk8jra05h7n5wg3x] c:\docume~1\neumeyer\locals~1\temp\es488fdx.exe
uRun: [yvjdkg43fyqckvyt3nadhd785] c:\docume~1\neumeyer\locals~1\temp\hckfdan6xs.exe
uRun: [q4gbmurznng193a7w5vnquwigqp5228t] c:\docume~1\neumeyer\locals~1\temp\wfdw6z.exe
uRun: [cgtnzzuwe7id25l8nbffqtyv0qi313sb51pm7nlf24] c:\docume~1\neumeyer\locals~1\temp\rh070z3.exe
uRun: [kln2gotsf61khlgpbgtnun34srlmqycbb7pw6c0025a7zaiioc] c:\docume~1\neumeyer\locals~1\temp\xa47i2cwc4t7.exe
uRun: [k9vfqgl30ffltfw1pkwhc22x8r50exnbp] c:\docume~1\neumeyer\locals~1\temp\wm0ed2bt.exe
uRun: [i9yeh6t1b9cr8li3npfv667lg9qltswr16x51xes7gs5] c:\docume~1\neumeyer\locals~1\temp\gq2zcd08jus.exe
uRun: [tizghnt2sh35fej9jk0] c:\docume~1\neumeyer\locals~1\temp\rmjrqg.exe
uRun: [qs7guxs7omuq0ujxjbdkz] c:\docume~1\neumeyer\locals~1\temp\o3tbxagphhp4q.exe
uRun: [enwt0i1zdav0zfigpj3romq3f] c:\docume~1\neumeyer\locals~1\temp\ss5tapt.exe
uRun: [v3pein9x8w7bh99qsfd5wv8ebufd88mxq3y7lisl9lvp4xc] c:\docume~1\neumeyer\locals~1\temp\m4kd1kpft.exe
uRun: [z89v9ywwvnc60w1112j2esp1] c:\docume~1\neumeyer\locals~1\temp\i6aznm5v6vm2a.exe
uRun: [vsoymqclb075yylhoo9v6] c:\docume~1\neumeyer\locals~1\temp\l4hj91.exe
uRun: [v5gob3ieuvt2tffkdorcz9u0y6i9u4frmuolonmdpv39au] c:\docume~1\neumeyer\locals~1\temp\idqxksgsdz6re.exe
uRun: [fcne4nfwtywav5ofhhuvg244a4oomtrk884lzluhxgl9640u] c:\docume~1\neumeyer\locals~1\temp\h84j2ob0lk9.exe
uRun: [i4ahgz06q4qyr] c:\docume~1\neumeyer\locals~1\temp\oxz1fkovrqz8p.exe
uRun: [t92xarkwo3vd] c:\docume~1\neumeyer\locals~1\temp\xej2h43sj4.exe

LOG TRUNCATED TO FIT IN THE POST - PLEASE SEE COMPLETE LOG IN ATTACHMENT
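The DDS log above contains two indicators worth pulling out mechanically: dozens of `uRun` entries whose value names are machine-generated strings and whose targets live in the user's Temp directory, and `mWinlogon: SFCDisable=4`, which means Windows File Protection has been switched off. The following Python script is an added example, not part of the original post and not part of DDS; it parses a few constructed lines in the format of the "Pseudo HJT Report" section (copied from the log above) and flags both indicators. The value-name length cutoff and the entropy threshold are heuristics chosen here, not DDS conventions, and the reading of `u` as the current-user hive and `m` as the machine hive follows the usual DDS convention.

```python
import math
import re
from collections import Counter

# Constructed sample in the shape of the DDS "Pseudo HJT Report" section the
# post quotes; the entries are copied from that log, cut down to a handful.
SAMPLE_LOG = r"""mWinlogon: SFCDisable=4 (0x4)
uRun: [SFP] c:\program files\common files\verizon online\sfp\vzSFPWin.EXE /s
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [um9rlwgu7tigejundfdlfdhvc0ax4w977apd9] c:\docume~1\neumeyer\locals~1\temp\b1n73k6bl.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [d9qhyg6af4oqov50] c:\docume~1\neumeyer\locals~1\temp\qpe2q9d.exe
"""

# "uRun" = Run key in the current-user hive, "mRun" = Run key in the machine hive.
RUN_LINE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# Matches ...\Local Settings\Temp\ as well as the 8.3 form ...\locals~1\temp\
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (3.75 for 'd9qhyg6af4oqov50')."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic (chosen here) for machine-generated Run value names: long,
    mixes letters and digits, and has high character entropy. Legitimate
    names such as 'ctfmon.exe' or 'RegistryMechanic' contain no digits."""
    return (len(name) >= 9
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name)
            and shannon_entropy(name) >= 3.0)


def find_suspicious_autoruns(log_text: str) -> list:
    """One finding per uRun/mRun line that launches from a Temp directory or
    carries a random-looking value name; each finding lists its reasons."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        reasons = []
        if TEMP_DIR.search(m["cmd"]):
            reasons.append("executes from a Temp directory")
        if looks_random(m["name"]):
            reasons.append("random-looking value name")
        if reasons:
            findings.append({"hive": m["hive"], "name": m["name"],
                             "cmd": m["cmd"], "reasons": reasons})
    return findings


def sfc_disabled(log_text: str) -> bool:
    """True when the log reports a non-zero SFCDisable under Winlogon, i.e.
    Windows File Protection has been turned off (the quoted log shows 4)."""
    m = re.search(r"Winlogon:\s+SFCDisable=(\d+)", log_text)
    return bool(m) and int(m.group(1)) != 0


if __name__ == "__main__":
    if sfc_disabled(SAMPLE_LOG):
        print("Windows File Protection is disabled (SFCDisable != 0)")
    for f in find_suspicious_autoruns(SAMPLE_LOG):
        print(f"{f['hive']}Run [{f['name']}] -> {f['cmd']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

Run against the full log from the post, the script reports every one of the Temp-directory entries and leaves the Verizon, Messenger, ctfmon and Registry Mechanic entries alone; the entropy test on its own would be too weak (short names score low) and the Temp-path test on its own would miss droppers that copy themselves elsewhere, which is why both are reported as separate reasons.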


#2 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 March 2009 - 01:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 grafton02
  • Topic Starter

  • Members
  • 16 posts

Posted 15 March 2009 - 11:08 PM

No worries about the delay, I just appreciate the help. I am at my wit's end; let me know what you suggest. I ran Registry Mechanic a few days ago and it repaired over 5000 items.

My DDS log was too long to post or attach in one post (800kb compressed) - The first half is attached to this post, the second half will follow in the next post. Thanks for the help.

#4 grafton02
  • Topic Starter

  • Members
  • 16 posts

Posted 15 March 2009 - 11:14 PM

I cannot upload the second half of the DDS log as I am near my 512k upload limit. Let me know if you have any suggestion on how to upload the second file, or if what I posted was sufficient.

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 March 2009 - 09:26 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

That looks nasty.

Please post the logs directly into your reply.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshots of the prompt]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot of the prompt]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#6 grafton02
  • Topic Starter

  • Members
  • 16 posts

Posted 19 March 2009 - 07:08 AM

Hi Panda,

I tried to follow your instructions, but neither ComboFix nor GMER would run. When I clicked on either, the Run dialog box would open and I would click Run. After that an hourglass would show up briefly and then disappear. On one attempt, GMER pulled up a page that asked me which account I wanted to run the program against. My account name was selected already (though it had an alpha name before it that I had never seen), so I clicked OK. Again the hourglass came up and then nothing happened.


What else do you suggest?

I have not made any changes that I know of to my computer - I have been keeping it off the internet and not using it.

I also want to let you know that my McAfee scan has been erroring out too and that I have over 200 processes running at any point in time - most have seemingly nonsensical names. On start-up this morning, around 30 .exe files errored out - their names included:

d9Kuh6.exe
J5yb6ubw6r.exe
gsjmvx57e.exe
Tb7u4na.exe
ds27mgxlquba.exe

#7 PropagandaPanda (Malware Response Team)

Posted 19 March 2009 - 07:45 AM

Hello.

Please delete your copy of ComboFix.

Download ComboFix again. In the Save As box, save it as ComboFix123.exe. Then try running it again.

With Regards,
The Panda

#8 grafton02 (Topic Starter)

Posted 21 March 2009 - 07:04 AM

Hi Panda,

Your suggestion worked - last night I got ComboFix to run and finish (it only crashed once and took a little over 3 hours?). I am currently running GMER. I am about to walk out the door to catch a flight. I will be back next Sunday and will post the logs. Thanks for all the help so far!

#9 PropagandaPanda (Malware Response Team)

Posted 21 March 2009 - 09:15 AM

Okay that's no problem.

The Panda

***Note to keep topic open longer.


#10 grafton02 (Topic Starter)

Posted 28 March 2009 - 08:17 PM

Here they are!

Also, my McAfee ran and quarantined a number of trojans - I have left them quarantined but have not removed them.

ComboFix

ComboFix 09-03-19.02 - Neumeyer 2009-03-21 1:33:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.893 [GMT -4:00]
Running from: C:\Documents and Settings\Neumeyer\Desktop\ComboFix1234.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd
C:\Documents and Settings\Neumeyer\err.log
C:\Program Files\outlook
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\WINDOWS\cookies.ini
C:\WINDOWS\Lmelifetahefozu.dll
C:\WINDOWS\sstem~1
C:\WINDOWS\system32\alredeld.ini
C:\WINDOWS\system32\bgcrhanw.ini
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\cxqckkdf.ini
C:\WINDOWS\system32\dhalihnc.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\UACrvwsagio.sys
C:\WINDOWS\system32\efpqfhpg.ini
C:\WINDOWS\system32\elvrcrch.ini
C:\WINDOWS\system32\fajhojfm.ini
C:\WINDOWS\system32\gdpfsitg.ini
C:\WINDOWS\SYSTEM32\ghhkj.bak1
C:\WINDOWS\SYSTEM32\ghhkj.bak2
C:\WINDOWS\system32\gjsudmaa.ini
C:\WINDOWS\system32\glkout.dll
C:\WINDOWS\system32\grtwuekl.ini
C:\WINDOWS\system32\gubxcupk.ini
C:\WINDOWS\system32\gwvnxrjy.ini
C:\WINDOWS\system32\hfnrwrpk.ini
C:\WINDOWS\system32\hiplcvjj.ini
C:\WINDOWS\system32\ifbwuyqv.ini
C:\WINDOWS\system32\imxlpwbq.ini
C:\WINDOWS\system32\kechckrl.ini
C:\WINDOWS\system32\kglxmxfw.ini
C:\WINDOWS\system32\kpjipkuy.ini
C:\WINDOWS\system32\lbfurgle.ini
C:\WINDOWS\system32\ligwkupp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mpufjydk.ini
C:\WINDOWS\system32\nfemmcsx.dll
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\orqeitqp.ini
C:\WINDOWS\system32\osiakmch.ini
C:\WINDOWS\system32\oyodnuby.ini
C:\WINDOWS\system32\pagaxuly.ini
C:\WINDOWS\system32\test.ttt
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACkrlnsbgj.dll
C:\WINDOWS\system32\UACkxmltarm.log
C:\WINDOWS\system32\UACoaivmvnm.dll
C:\WINDOWS\system32\UACpfqhhbrw.log
C:\WINDOWS\system32\UACroyuypbp.dll
C:\WINDOWS\system32\UACudlbdain.log
C:\WINDOWS\system32\UACwbwrujfi.dll
C:\WINDOWS\system32\UACyfjoewso.dll
C:\WINDOWS\system32\UACyqbylgkv.dat
C:\WINDOWS\system32\ualrubuq.ini
C:\WINDOWS\system32\ustmltxi.ini
C:\WINDOWS\SYSTEM32\UxELknmp.ini
C:\WINDOWS\SYSTEM32\UxELknmp.ini2
C:\WINDOWS\system32\vexhutrp.ini
C:\WINDOWS\system32\vlqrcmnl.ini
C:\WINDOWS\system32\warning.gif
C:\WINDOWS\system32\win32hlp.cnf
C:\WINDOWS\system32\xctgidiu.ini
C:\WINDOWS\system32\ysoiwi.dll
C:\WINDOWS\Tasks\uachblcm.job
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-21 02:15 . 2009-03-21 02:15 3,513,490 --a------ C:\temp00.dat
2009-03-11 17:12 . 2009-03-11 17:12 45,368 --ah----- C:\WINDOWS\SYSTEM32\mlfcache.dat
2009-02-22 16:34 . 2009-03-04 21:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2009-02-22 12:11 . 2009-03-21 02:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-22 12:06 . 2009-03-13 04:28 <DIR> d-------- C:\Program Files\Spyware Doctor
2009-02-22 12:06 . 2009-02-22 12:06 <DIR> d-------- C:\Documents and Settings\Neumeyer\Application Data\PC Tools
2009-02-22 12:06 . 2008-08-25 13:36 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2009-02-22 12:06 . 2008-08-25 13:36 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2009-02-22 12:06 . 2008-08-25 13:36 40,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2009-02-22 12:06 . 2008-06-02 17:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2009-02-21 20:54 . 2009-02-21 20:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-21 11:55 . 2009-02-21 11:55 133,632 --a------ C:\WINDOWS\uyebicog.dll
2009-02-21 11:44 . 2009-02-21 18:03 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\65a21513.sys
2009-02-21 11:43 . 2009-02-21 11:43 42,496 --a------ C:\cxfagn.exe
2009-02-21 11:43 . 2009-02-21 11:43 2 --a------ C:\-130603909

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 03:03 --------- d-----w C:\Program Files\Google
2009-02-22 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-22 01:23 --------- d-----w C:\Program Files\Lavasoft
2009-02-21 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2009-02-21 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2009-02-21 21:13 --------- d-----w C:\Program Files\McAfee
2009-02-21 20:18 --------- d-----w C:\Documents and Settings\Neumeyer\Application Data\Apple Computer
2009-01-24 17:53 --------- d-----w C:\Program Files\Java
2009-01-24 15:33 --------- d-----w C:\Program Files\iTunes
2009-01-24 15:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 15:32 --------- d-----w C:\Program Files\iPod
2009-01-24 15:32 --------- d-----w C:\Program Files\Common Files\Apple
2009-01-24 15:30 --------- d-----w C:\Program Files\QuickTime
2009-01-24 15:12 --------- d-----w C:\Program Files\Bonjour
2009-01-24 15:10 --------- d-----w C:\Program Files\Safari
2008-06-13 15:48 53,272 ----a-w C:\Documents and Settings\Neumeyer\Application Data\GDIPFONTCACHEV1.DAT
2008-02-06 01:07 389,120 ----a-w C:\Documents and Settings\Neumeyer\GoToAssist_phone__268_en.exe
2008-11-08 14:57 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008110820081109\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


GMER LOG

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-28 20:53:42
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB23C644A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB23C63F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB23C640C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB23C648A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB23C63D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB23C63E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB23C645E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB23C6436]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB23C6422]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB23C64B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB23C64A0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB23C6474]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP B23C6478 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP B23C644E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP B23C6426 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP B23C63D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP B23C6462 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP B23C64A4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP B23C648E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP B23C6410 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP B23C64BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP B23C63E8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP B23C63FC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP B23C643A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? Combo-Fix.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[340] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070087
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F92
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FA3
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F66
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700A2
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700EE
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700DD
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700FF
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F81
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[576] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070F55
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F86
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060043
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060FA1
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060FB2
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050F7C
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FBC
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FA1
.text C:\WINDOWS\system32\services.exe[576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F81
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0080
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0065
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0FB2
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC00AC
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F66
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC00E2
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00C7
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00EC00F3
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00EC0FC3
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00EC001B
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00EC0091
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00EC0036
.text C:\WINDOWS\system32\lsass.exe[588] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00EC0F49
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EB004A
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EB0F83
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EB0FA8
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00EB0FC3
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [0B, 89]
.text C:\WINDOWS\system32\lsass.exe[588] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA0056
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0FC1
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0027
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0FD2
.text C:\WINDOWS\system32\lsass.exe[588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FE3
.text C:\WINDOWS\system32\lsass.exe[588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC0F66
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0065
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC004A
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC0039
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC0FB2
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC0F27
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0F38
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC00AF
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC0094
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CC00C0
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CC0F8D
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CC0FD4
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CC0F55
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CC001E
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CC0FC3
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CC0F0C
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CB0014
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CB0F86
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CB0FC3
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CB0FA1
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CB0039
.text C:\WINDOWS\system32\svchost.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CB0FB2
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA004C
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0FB7
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FD2
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0027
.text C:\WINDOWS\system32\svchost.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA0FE3
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50F46
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50F61
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50045
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50F86
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50FB2
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D50067
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50056
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50082
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50EE9
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D50093
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D50F97
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D50FDE
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D50F35
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D50FCD
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D50014
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D50F04
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D40051
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D40FCA
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D40040
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D4001B
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D40087
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D4006C
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D40FE5
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30FA1
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30FB2
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30022
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FC3
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30011
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20000
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F9A
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80FAB
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80085
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B8005E
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FBC
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B800D1
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B800B6
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B8010E
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B800F3
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B8011F
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B8004D
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80F89
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B8001E
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B80FCD
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B800E2
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B70028
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70065
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70FCD
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70FDE
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B70F9E
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B7004A
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B70039
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B6005F
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60044
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B6001D
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02830FEF
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02830F4B
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02830F66
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02830F77
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02830040
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0283002F
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02830F09
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0283005B
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02830080
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02830EE7
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02830ECC
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02830FA8
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0283000A
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02830F3A
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02830FB9
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02830FD4
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02830EF8
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02820FB9
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02820F83
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0282000A
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02820FD4
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02820040
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02820FE5
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0282002F
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02820FA8
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02810042
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!system 77C293C7 5 Bytes JMP 02810FB7
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0281001D
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02810FEF
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02810FC8
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0281000C
.text C:\WINDOWS\System32\svchost.exe[1264] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01EC000A
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01ED0000
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 01ED0FEF
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 01ED001B
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 01ED0FCA
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FEF
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F72
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660067
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660056
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660F97
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660039
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0066009F
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660F4D
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F06
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00660F17
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 006600BA
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00660FA8
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00660FDE
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00660078
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0066001E
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00660FCD
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00660F32
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00650FA8
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00650F61
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00650FB9
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00650FCA
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00650F72
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00650FEF
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00650F83
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [85, 88]
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00650014
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640044
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640033
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FDE
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FEF
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FC3
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640018
.text C:\WINDOWS\System32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C30FB2
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C300A7
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30080
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30040
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C30F7A
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C30F97
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30F4E
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C300DD
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C30102
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C3005B
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C300C2
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C30FDE
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C30F5F
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 009C0FC0
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 009C0F8A
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 009C0FDB
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 009C0011
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 009C0051
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 009C0FAF
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [BC, 88]
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 009C0036
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009B0F90
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!system 77C293C7 5 Bytes JMP 009B0FAB
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009B001B
.text C:\WINDOWS\system32\svchost.exe[1516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009B0FD2
.text C:\WINDOWS\system32\svchost.exe[1516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 009A0FE5
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 009A0FCA
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 009A001B
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01710000
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01710053
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01710F5E
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01710F6F
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0171002C
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01710FAF
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01710F26
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01710F37
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017100A4
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01710089
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 017100BF
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01710F8A
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01710FDB
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01710064
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01710FC0
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0171001B
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01710F0B
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 016B002F
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 016B0F9E
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 016B0FDE
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 016B0014
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 016B0FB9
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 016B0FEF
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegCreateKeyW 77DFBA25 3 Bytes JMP 016B005B
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA29 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 3 Bytes JMP 016B004A
.text C:\WINDOWS\Explorer.EXE[1732] ADVAPI32.dll!RegCreateKeyA + 4 77DFBCC7 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 016A0FBB
.text C:\WINDOWS\Explorer.EXE[1732] msvcrt.dll!system 77C293C7 5 Bytes JMP 016A0050
.text C:\WINDOWS\Explorer.EXE[1732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 016A002E
.text C:\WINDOWS\Explorer.EXE[1732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 016A0000
.text C:\WINDOWS\Explorer.EXE[1732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 016A003F
.text C:\WINDOWS\Explorer.EXE[1732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 016A001D
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01690000
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 01690011
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 01690FDB
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 01690FCA
.text C:\WINDOWS\Explorer.EXE[1732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011A0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B0F28D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs ysoiwi.dll

---- EOF - GMER 1.0.15 ----
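
The `.text` block above is GMER's list of user-mode inline hooks: each line names a process, the export that was patched (`kernel32.dll!CreateFileA`, `ADVAPI32.dll!RegCreateKeyW`, `WS2_32.dll!socket`, ...), the export's address, and the `JMP` target the first bytes were overwritten with. The following Python is an added triage example for this thread, not code from the original post and not GMER or ComboFix code. It parses those lines, groups hooks per process, flags `JMP` targets that leave the 0x70000000-0x7FFFFFFF window in which this 32-bit XP SP3 host maps its system DLLs (an assumption for this machine, visible from the hooked addresses themselves, not a rule for every Windows build), and pulls the `AppInit_DLLs` value out of GMER's Registry section. The sample input reuses lines copied from the log above plus one constructed control line (hypothetical `lsass.exe` pid and addresses) whose target stays inside the window and so must not be flagged.

```python
"""Triage GMER user-mode hook lines and the AppInit_DLLs value it reports.

Added example for this thread; not part of the original post and not GMER or
ComboFix code.  Groups `5 Bytes JMP` hooks per process, flags JMP targets that
leave the 32-bit XP system-DLL window, and extracts AppInit_DLLs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Lines copied from the GMER log posted above (user-mode hooks and Registry).
POSTED_LINES = r"""
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FEF
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F06
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00650F83
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [85, 88]
.text C:\WINDOWS\System32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630000
.text C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01710000
.text C:\WINDOWS\Explorer.EXE[1732] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01690000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs ysoiwi.dll
"""
# Constructed control line (hypothetical pid and addresses): a hook whose JMP
# target stays inside the system-DLL window and therefore must not be flagged.
CONTROL_LINE = (r".text C:\WINDOWS\system32\lsass.exe[700] ntdll.dll!"
                r"NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7C9A1000")
SAMPLE_LOG = POSTED_LINES + CONTROL_LINE + "\n"

# Assumption for this 32-bit XP SP3 host: kernel32/advapi32/msvcrt/ws2_32/
# wininet are mapped in 0x70000000-0x7FFFFFFF (the hooked addresses show it).
# A JMP from one of their exports to an address below that lands in a private
# allocation, which is where injected hook code lives.
SYSTEM_DLL_WINDOW = (0x70000000, 0x80000000)

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+?)(?:\s\+\s\d+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[[^\]]*\])\s*$"
)
REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)@(?P<name>\S+)\s*(?P<data>.*)$")


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    export: str
    addr: int
    nbytes: int
    target: Optional[int]  # None for a "+ N ... [xx, yy]" continuation fragment

    @property
    def api(self) -> str:
        return f"{self.module}!{self.export}"


def parse_hooks(text: str) -> list[Hook]:
    """One Hook per `.text` line; lines in any other format are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target")
        hooks.append(Hook(
            image=m.group("image"), pid=int(m.group("pid")),
            module=m.group("module"), export=m.group("export"),
            addr=int(m.group("addr"), 16), nbytes=int(m.group("nbytes")),
            target=int(target, 16) if target else None,
        ))
    return hooks


def hooks_by_process(hooks: list[Hook]) -> dict[tuple[str, int], set[str]]:
    """Map (image path, pid) -> hooked 'module!export' names."""
    out: dict[tuple[str, int], set[str]] = defaultdict(set)
    for h in hooks:
        if h.target is not None:  # a fragment belongs to the hook just above it
            out[(h.image, h.pid)].add(h.api)
    return dict(out)


def suspicious_hooks(hooks: list[Hook], window=SYSTEM_DLL_WINDOW) -> list[Hook]:
    """Hooks whose JMP target lies outside the system-DLL window."""
    lo, hi = window
    return [h for h in hooks if h.target is not None and not (lo <= h.target < hi)]


def api_process_count(hooks: list[Hook]) -> dict[str, int]:
    """Distinct processes carrying a hook on each API; the same export hooked in
    every scanned process points at a global injection vector."""
    seen: dict[str, set[int]] = defaultdict(set)
    for h in hooks:
        if h.target is not None:
            seen[h.api].add(h.pid)
    return {api: len(pids) for api, pids in seen.items()}


def appinit_dlls(text: str) -> list[str]:
    """DLL names GMER lists under ...\\Windows@AppInit_DLLs ([] if unset).
    Windows loads them into every process that loads user32.dll."""
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m and m.group("name") == "AppInit_DLLs":
            return [d for d in re.split(r"[,\s]+", m.group("data")) if d]
    return []
```

Run against the full log above, every `JMP` target sits in the 0x0063xxxx-0x0283xxxx range, far below the modules being patched, and the same set of file, process, library-load, registry, socket and WinINet exports is hooked in each `svchost.exe` instance and in `Explorer.EXE`. Together with the non-empty `AppInit_DLLs` value (`ysoiwi.dll`) in the Registry section, that pattern is consistent with a DLL loaded into every GUI process rather than a patch aimed at one program; the DLL named there is the first artefact to collect before cleaning.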

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 29 March 2009 - 09:33 AM

Hello.

That is a nasty infection.

The ComboFix log is incomplete. Please post the full contents of C:\ComboFix.txt

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article on preventing identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

With Regards,
The Panda

#12 grafton02

  • Topic Starter
  • Members
  • 16 posts

Posted 04 April 2009 - 07:50 AM

Hi Panda,

I am leaning towards reformatting but I have a question. I have a lot of data, pictures and music on this computer. When I started to have problems, I backed it up on an external hard drive. Was that a mistake? By backing this data up did I risk infecting my external hard drive?

What is the best way to make sure I can preserve all of my data without (or at least minimizing) the risk of infecting a reformatted computer? Should we try to clean this one as best we can and then wipe the external hard drive, after which I can re-back up everything?

Let me know your thoughts. ComboFix log below; if I need to run ComboFix again, let me know. Thanks for your continued help!

ComboFix 09-03-19.02 - Neumeyer 2009-03-21 1:33:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.893 [GMT -4:00]
Running from: C:\Documents and Settings\Neumeyer\Desktop\ComboFix1234.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd
C:\Documents and Settings\Neumeyer\err.log
C:\Program Files\outlook
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\WINDOWS\cookies.ini
C:\WINDOWS\Lmelifetahefozu.dll
C:\WINDOWS\sstem~1
C:\WINDOWS\system32\alredeld.ini
C:\WINDOWS\system32\bgcrhanw.ini
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\cxqckkdf.ini
C:\WINDOWS\system32\dhalihnc.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\UACrvwsagio.sys
C:\WINDOWS\system32\efpqfhpg.ini
C:\WINDOWS\system32\elvrcrch.ini
C:\WINDOWS\system32\fajhojfm.ini
C:\WINDOWS\system32\gdpfsitg.ini
C:\WINDOWS\SYSTEM32\ghhkj.bak1
C:\WINDOWS\SYSTEM32\ghhkj.bak2
C:\WINDOWS\system32\gjsudmaa.ini
C:\WINDOWS\system32\glkout.dll
C:\WINDOWS\system32\grtwuekl.ini
C:\WINDOWS\system32\gubxcupk.ini
C:\WINDOWS\system32\gwvnxrjy.ini
C:\WINDOWS\system32\hfnrwrpk.ini
C:\WINDOWS\system32\hiplcvjj.ini
C:\WINDOWS\system32\ifbwuyqv.ini
C:\WINDOWS\system32\imxlpwbq.ini
C:\WINDOWS\system32\kechckrl.ini
C:\WINDOWS\system32\kglxmxfw.ini
C:\WINDOWS\system32\kpjipkuy.ini
C:\WINDOWS\system32\lbfurgle.ini
C:\WINDOWS\system32\ligwkupp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mpufjydk.ini
C:\WINDOWS\system32\nfemmcsx.dll
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\orqeitqp.ini
C:\WINDOWS\system32\osiakmch.ini
C:\WINDOWS\system32\oyodnuby.ini
C:\WINDOWS\system32\pagaxuly.ini
C:\WINDOWS\system32\test.ttt
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACkrlnsbgj.dll
C:\WINDOWS\system32\UACkxmltarm.log
C:\WINDOWS\system32\UACoaivmvnm.dll
C:\WINDOWS\system32\UACpfqhhbrw.log
C:\WINDOWS\system32\UACroyuypbp.dll
C:\WINDOWS\system32\UACudlbdain.log
C:\WINDOWS\system32\UACwbwrujfi.dll
C:\WINDOWS\system32\UACyfjoewso.dll
C:\WINDOWS\system32\UACyqbylgkv.dat
C:\WINDOWS\system32\ualrubuq.ini
C:\WINDOWS\system32\ustmltxi.ini
C:\WINDOWS\SYSTEM32\UxELknmp.ini
C:\WINDOWS\SYSTEM32\UxELknmp.ini2
C:\WINDOWS\system32\vexhutrp.ini
C:\WINDOWS\system32\vlqrcmnl.ini
C:\WINDOWS\system32\warning.gif
C:\WINDOWS\system32\win32hlp.cnf
C:\WINDOWS\system32\xctgidiu.ini
C:\WINDOWS\system32\ysoiwi.dll
C:\WINDOWS\Tasks\uachblcm.job
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-21 02:15 . 2009-03-21 02:15 3,513,490 --a------ C:\temp00.dat
2009-03-11 17:12 . 2009-03-11 17:12 45,368 --ah----- C:\WINDOWS\SYSTEM32\mlfcache.dat
2009-02-22 16:34 . 2009-03-04 21:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2009-02-22 12:11 . 2009-03-21 02:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-22 12:06 . 2009-03-13 04:28 <DIR> d-------- C:\Program Files\Spyware Doctor
2009-02-22 12:06 . 2009-02-22 12:06 <DIR> d-------- C:\Documents and Settings\Neumeyer\Application Data\PC Tools
2009-02-22 12:06 . 2008-08-25 13:36 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2009-02-22 12:06 . 2008-08-25 13:36 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2009-02-22 12:06 . 2008-08-25 13:36 40,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2009-02-22 12:06 . 2008-06-02 17:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2009-02-21 20:54 . 2009-02-21 20:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-21 11:55 . 2009-02-21 11:55 133,632 --a------ C:\WINDOWS\uyebicog.dll
2009-02-21 11:44 . 2009-02-21 18:03 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\65a21513.sys
2009-02-21 11:43 . 2009-02-21 11:43 42,496 --a------ C:\cxfagn.exe
2009-02-21 11:43 . 2009-02-21 11:43 2 --a------ C:\-130603909

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 03:03 --------- d-----w C:\Program Files\Google
2009-02-22 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-22 01:23 --------- d-----w C:\Program Files\Lavasoft
2009-02-21 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2009-02-21 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2009-02-21 21:13 --------- d-----w C:\Program Files\McAfee
2009-02-21 20:18 --------- d-----w C:\Documents and Settings\Neumeyer\Application Data\Apple Computer
2009-01-24 17:53 --------- d-----w C:\Program Files\Java
2009-01-24 15:33 --------- d-----w C:\Program Files\iTunes
2009-01-24 15:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 15:32 --------- d-----w C:\Program Files\iPod
2009-01-24 15:32 --------- d-----w C:\Program Files\Common Files\Apple
2009-01-24 15:30 --------- d-----w C:\Program Files\QuickTime
2009-01-24 15:12 --------- d-----w C:\Program Files\Bonjour
2009-01-24 15:10 --------- d-----w C:\Program Files\Safari
2008-06-13 15:48 53,272 ----a-w C:\Documents and Settings\Neumeyer\Application Data\GDIPFONTCACHEV1.DAT
2008-02-06 01:07 389,120 ----a-w C:\Documents and Settings\Neumeyer\GoToAssist_phone__268_en.exe
2008-11-08 14:57 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008110820081109\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 04 April 2009 - 09:34 AM

Hello.

Pictures, music, text files and video are all safe to back up. Do not, however, back up any program files.

If you would still like to disinfect, please click on ComboFix and run it again. The log file was not created properly for some reason.

With Regards,
The Panda

#14 grafton02

  • Topic Starter
  • Members
  • 16 posts

Posted 05 April 2009 - 11:38 AM

Hi Panda,

My ComboFix log is too big to be posted (741 KB, or 245 KB compressed) and I cannot attach it because I have already used up my 512 KB of space.

Any recommendations?

#15 grafton02

  • Topic Starter
  • Members
  • 16 posts

Posted 05 April 2009 - 11:41 AM

I knew as soon as I asked how to manage attachments, I would figure it out myself. Sorry about that.

Here is the log.

ComboFix 09-04-04.01 - Neumeyer 2009-04-05 9:59:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.678 [GMT -4:00]
Running from: c:\documents and settings\Neumeyer\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\Neumeyer\err.log
c:\program files\outlook
c:\temp\0b9
c:\temp\0b9\tmpTF.log
c:\temp\iee
c:\windows\cookies.ini
c:\windows\Lmelifetahefozu.dll
c:\windows\sstem~1
c:\windows\system32\alredeld.ini
c:\windows\system32\bgcrhanw.ini
c:\windows\system32\curity~1
c:\windows\system32\cxqckkdf.ini
c:\windows\system32\dhalihnc.ini
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\UACrvwsagio.sys
c:\windows\system32\efpqfhpg.ini
c:\windows\system32\elvrcrch.ini
c:\windows\system32\fajhojfm.ini
c:\windows\system32\gdpfsitg.ini
c:\windows\SYSTEM32\ghhkj.bak1
c:\windows\SYSTEM32\ghhkj.bak2
c:\windows\system32\gjsudmaa.ini
c:\windows\system32\glkout.dll
c:\windows\system32\grtwuekl.ini
c:\windows\system32\gubxcupk.ini
c:\windows\system32\gwvnxrjy.ini
c:\windows\system32\hfnrwrpk.ini
c:\windows\system32\hiplcvjj.ini
c:\windows\system32\ifbwuyqv.ini
c:\windows\system32\imxlpwbq.ini
c:\windows\system32\kechckrl.ini
c:\windows\system32\kglxmxfw.ini
c:\windows\system32\kpjipkuy.ini
c:\windows\system32\lbfurgle.ini
c:\windows\system32\ligwkupp.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mpufjydk.ini
c:\windows\system32\nfemmcsx.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\o02PrEz
c:\windows\system32\orqeitqp.ini
c:\windows\system32\osiakmch.ini
c:\windows\system32\oyodnuby.ini
c:\windows\system32\pagaxuly.ini
c:\windows\system32\test.ttt
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkrlnsbgj.dll
c:\windows\system32\UACkxmltarm.log
c:\windows\system32\UACoaivmvnm.dll
c:\windows\system32\UACpfqhhbrw.log
c:\windows\system32\UACroyuypbp.dll
c:\windows\system32\UACudlbdain.log
c:\windows\system32\UACwbwrujfi.dll
c:\windows\system32\UACyfjoewso.dll
c:\windows\system32\UACyqbylgkv.dat
c:\windows\system32\ualrubuq.ini
c:\windows\system32\ustmltxi.ini
c:\windows\SYSTEM32\UxELknmp.ini
c:\windows\SYSTEM32\UxELknmp.ini2
c:\windows\system32\vexhutrp.ini
c:\windows\system32\vlqrcmnl.ini
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\xctgidiu.ini
c:\windows\system32\ysoiwi.dll
c:\windows\Tasks\uachblcm.job
c:\windows\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-05 09:55 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-04-05 09:39 . 2009-04-05 09:39 <DIR> d-------- c:\program files\Dynex Enhanced G Desktop Card Adapter
2009-03-11 17:12 . 2009-03-11 17:12 45,368 --ah----- c:\windows\SYSTEM32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 13:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-05 13:32 --------- d-----w c:\program files\Lavasoft
2009-03-29 13:34 --------- d-----w c:\program files\Java
2009-03-13 08:28 --------- d-----w c:\program files\Spyware Doctor
2009-03-09 09:19 410,984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-05 01:41 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-24 03:03 --------- d-----w c:\program files\Google
2009-02-22 16:06 --------- d-----w c:\documents and settings\Neumeyer\Application Data\PC Tools
2009-02-22 04:24 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-21 22:03 0 ----a-w c:\windows\system32\drivers\65a21513.sys
2009-02-21 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-02-21 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-21 21:13 --------- d-----w c:\program files\McAfee
2009-02-21 20:18 --------- d-----w c:\documents and settings\Neumeyer\Application Data\Apple Computer
2009-02-21 15:55 133,632 ----a-w c:\windows\uyebicog.dll
2009-02-21 15:43 42,496 ----a-w C:\cxfagn.exe
2008-06-13 15:48 53,272 ----a-w c:\documents and settings\Neumeyer\Application Data\GDIPFONTCACHEV1.DAT
2008-02-06 01:07 389,120 ----a-w c:\documents and settings\Neumeyer\GoToAssist_phone__268_en.exe
2008-11-08 14:57 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008110820081109\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-21_ 2.43.02.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-21 04:57:33 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-04-05 10:01:33 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-03-21 04:57:33 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-04-05 10:01:33 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-04-05 10:01:33 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-12 03:18:00 144,792 ----a-w c:\windows\SYSTEM32\java.exe
+ 2009-03-09 09:19:11 144,792 ----a-w c:\windows\SYSTEM32\java.exe
- 2009-03-12 03:18:00 144,792 ----a-w c:\windows\SYSTEM32\javaw.exe
+ 2009-03-09 09:19:13 144,792 ----a-w c:\windows\SYSTEM32\javaw.exe
- 2009-03-12 03:18:00 148,888 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2009-03-09 09:19:13 148,888 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2009-04-05 13:41:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_74c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SFP"="c:\program files\Common Files\Verizon Online\SFP\vzSFPWin.EXE" [2003-08-14 561152]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-09-17 151597]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-03-15 53248]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Idisaqekojot"="c:\windows\uyebicog.dll" [2009-02-21 133632]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-03-02 1282048]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex Enhanced G Desktop Card Adapter\DynexWCUI.exe [2009-04-05 1462272]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-01 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ysoiwi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 mcafee siteadvisor service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-21 210216]
S1 65a21513;65a21513;c:\windows\SYSTEM32\DRIVERS\65a21513.sys [2009-02-21 0]
S2 0197031237694249mcinstcleanup;McAfee Application Installer Cleanup (0197031237694249);c:\windows\TEMP\019703~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\019703~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-22 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{549adef8-48cf-11db-9c5d-000d5624e7ef}]
\Shell\AutoRun\command - F:\DTE_Privacy_launcher.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]
.

------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = https://activate.verizon.net/launch/res1/save_your_settings
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Neumeyer\Application Data\Mozilla\Firefox\Profiles\q9im1qx9.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 10:10:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3556)
c:\docume~1\Neumeyer\LOCALS~1\Temp\IadHide5.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-04-05 12:27:10
ComboFix-quarantined-files.txt 2009-04-05 16:21:29

Pre-Run: 14,465,507,328 bytes free
Post-Run: 14,428,831,744 bytes free

8345 --- E O F --- 2009-01-15 08:03:03

Edited by PropagandaPanda, 05 April 2009 - 11:53 AM.