
Chainsaw worm


  • This topic is locked
20 replies to this topic

#1 uhmino

  • Members
  • 10 posts

Posted 07 March 2009 - 05:35 PM

I've tried McAfee, Malwarebytes and SUPERAntiSpyware, but it still appears in Add/Remove Programs. Here is my DDS:


DDS (Ver_09-02-01.01) - NTFSx86
Run by AGENT-ADAIR at 13:55:10.93 on 03/07/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.366 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AGENT-ADAIR\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mattbesser.com/
uWindow Title = Microsoft Internet Explorer provided by Comcast
mDefault_Page_URL = hxxp://www.yahoo.com/?.home=ytie
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Page =
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: {4CFDDCCF-0F0C-4E08-97A3-FDF4237D652C} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {97B7E07D-8463-45AD-83C9-01E51BE9FA07} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {7BED0340-176B-44BC-915E-C21C1DD6F617} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\comcast\comcas~1\data\xtras\mssysmgr.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\agent-~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Subscribe with RSSRadio - file://c:\program files\dorada software\rssradio\subscribe.htm
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: internet
Trusted Zone: launch.com
Trusted Zone: mcafee.com
Trusted Zone: yahoo.com
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: bvoxfp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: cinnamomum - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\agent-~1\applic~1\mozilla\firefox\profiles\23wk1657.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://eztv.it/index.php
FF - component: c:\documents and settings\agent-adair\application data\mozilla\firefox\profiles\23wk1657.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\agent-adair\application data\mozilla\firefox\profiles\23wk1657.default\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFAlert.dll
FF - plugin: c:\documents and settings\agent-adair\application data\mozilla\firefox\profiles\23wk1657.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPnsv_vp3_mp3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-4 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-4 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-4 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-4 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-4 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-4 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-4 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-10 38496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-4 33832]

=============== Created Last 30 ================

2009-03-06 16:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-06 16:17 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-06 16:17 <DIR> --d----- c:\docume~1\agent-~1\applic~1\SUPERAntiSpyware.com
2009-03-06 16:16 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-04 15:10 <DIR> --d----- c:\docume~1\agent-~1\applic~1\McAfee
2009-03-04 15:08 8,335 a------- c:\windows\system32\Config.MPF
2009-03-04 15:07 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-04 15:04 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-04 15:04 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-04 15:04 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-04 15:04 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-04 15:04 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-04 15:04 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-04 15:03 <DIR> --d----- c:\program files\McAfee.com
2009-03-04 15:03 <DIR> --d----- c:\program files\common files\McAfee
2009-03-04 15:03 <DIR> --d----- c:\program files\McAfee
2009-03-04 03:05 <DIR> --d----- c:\docume~1\agent-~1\applic~1\True Sword
2009-03-04 03:02 <DIR> --d----- c:\program files\True Sword 5
2009-03-02 21:47 78 a------- c:\windows\lsoon.ini
2009-03-02 20:54 2 a--shrot c:\windows\winstart.bat
2009-03-02 20:54 2 a--shrot c:\windows\system32\AUTOEXEC.NT
2009-03-02 20:49 <DIR> --d----- c:\docume~1\agent-~1\applic~1\Regrun
2009-03-02 20:49 <DIR> --d----- C:\backreg
2009-03-02 13:53 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-02 13:52 <DIR> --d----- c:\documents and settings\agent-adair\.housecall6.6
2009-03-02 13:38 57,556 a------- c:\windows\guard.bmp
2009-03-02 12:31 <DIR> --d----- c:\windows\Options

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-04 22:33 138,512 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-04 22:33 201,440 a------- c:\windows\system32\PnkBstrB.exe
2009-02-03 14:36 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 09:01 3,067,904 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 02:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2005-07-15 17:38 628 a------- c:\documents and settings\agent-adair\293322.bin
2005-07-14 15:38 96 a------- c:\documents and settings\agent-adair\31242705.dat

============= FINISH: 13:56:12.26 ===============

#2 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 19 March 2009 - 09:37 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 uhmino
  • Topic Starter

  • Members
  • 10 posts

Posted 21 March 2009 - 12:24 AM

Thank you, here it is:


DDS (Ver_09-02-01.01) - NTFSx86
Run by AGENT-ADAIR at 22:20:50.23 on 03/20/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.520 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Media Player\wmplayer.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\AGENT-ADAIR\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mattbesser.com/
uWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: {4CFDDCCF-0F0C-4E08-97A3-FDF4237D652C} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {97B7E07D-8463-45AD-83C9-01E51BE9FA07} - No File
TB: {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - No File
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\comcast\comcas~1\data\xtras\mssysmgr.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\agent-~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Subscribe with RSSRadio - file://c:\program files\dorada software\rssradio\subscribe.htm
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: internet
Trusted Zone: launch.com
Trusted Zone: mcafee.com
Trusted Zone: yahoo.com
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: bvoxfp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: cinnamomum - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\agent-~1\applic~1\mozilla\firefox\profiles\23wk1657.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://eztv.it/index.php
FF - component: c:\documents and settings\agent-adair\application data\mozilla\firefox\profiles\23wk1657.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\agent-adair\application data\mozilla\firefox\profiles\23wk1657.default\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFAlert.dll
FF - plugin: c:\documents and settings\agent-adair\application data\mozilla\firefox\profiles\23wk1657.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPnsv_vp3_mp3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-4 201320]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-18 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-4 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-3-4 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-4 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-4 35240]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-4 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-4 40488]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-4 695624]

=============== Created Last 30 ================

2009-03-18 07:08 <DIR> --d----- c:\program files\Yahoo!
2009-03-17 21:59 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-03-17 21:51 <DIR> --d----- c:\program files\SecondLife
2009-03-10 14:47 11 a------- C:\AuResult.ini
2009-03-10 10:19 <DIR> --d----- c:\program files\a-squared Anti-Malware
2009-03-10 02:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-03-10 02:44 <DIR> --d----- c:\program files\common files\iS3
2009-03-07 17:58 <DIR> --dsh--- c:\documents and settings\agent-adair\PrivacIE
2009-03-07 17:58 <DIR> --dsh--- c:\documents and settings\agent-adair\IETldCache
2009-03-07 17:26 <DIR> --d----- c:\windows\ie8updates
2009-03-07 17:23 <DIR> -cd-h--- c:\windows\ie8
2009-03-07 17:21 79,360 -------- c:\windows\system32\dllcache\iecompat.dll
2009-03-06 17:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-06 17:17 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-06 17:17 <DIR> --d----- c:\docume~1\agent-~1\applic~1\SUPERAntiSpyware.com
2009-03-04 16:10 <DIR> --d----- c:\docume~1\agent-~1\applic~1\McAfee
2009-03-04 16:08 14,333 a------- c:\windows\system32\Config.MPF
2009-03-04 16:07 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-04 16:04 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-04 16:04 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-04 16:04 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-04 16:04 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-04 16:04 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-04 16:04 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-04 16:03 <DIR> --d----- c:\program files\McAfee.com
2009-03-04 16:03 <DIR> --d----- c:\program files\common files\McAfee
2009-03-04 16:03 <DIR> --d----- c:\program files\McAfee
2009-03-02 22:47 78 a------- c:\windows\lsoon.ini
2009-03-02 21:54 2 a--shrot c:\windows\winstart.bat
2009-03-02 21:54 2 a--shrot c:\windows\system32\AUTOEXEC.NT
2009-03-02 21:49 <DIR> --d----- C:\backreg
2009-03-02 14:53 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-02 14:52 <DIR> --d----- c:\documents and settings\agent-adair\.housecall6.6
2009-03-02 14:38 57,556 a------- c:\windows\guard.bmp
2009-03-02 13:31 <DIR> --d----- c:\windows\Options

==================== Find3M ====================

2009-03-10 00:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-02-04 23:33 138,512 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-04 23:33 201,440 a------- c:\windows\system32\PnkBstrB.exe
2009-01-15 03:17 636,264 -------- c:\windows\system32\dllcache\iexplore.exe
2009-01-15 03:17 392,040 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 03:13 5,888,512 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-15 03:06 1,182,720 a------- c:\windows\system32\dllcache\urlmon.dll
2009-01-15 03:06 236,544 -------- c:\windows\system32\dllcache\webcheck.dll
2009-01-15 03:06 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-01-15 03:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 03:05 911,872 a------- c:\windows\system32\dllcache\wininet.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 03:05 193,536 -------- c:\windows\system32\dllcache\msrating.dll
2009-01-15 03:05 109,056 -------- c:\windows\system32\dllcache\occache.dll
2009-01-15 03:05 43,008 -------- c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 03:04 755,200 -------- c:\windows\system32\dllcache\VGX.dll
2009-01-15 03:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 03:04 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-01-15 03:04 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 03:02 611,840 -------- c:\windows\system32\dllcache\mstime.dll
2009-01-15 03:01 183,808 -------- c:\windows\system32\dllcache\iepeers.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 03:01 34,304 -------- c:\windows\system32\dllcache\imgutil.dll
2009-01-15 03:01 348,160 -------- c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 03:01 46,592 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 03:01 216,064 -------- c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 03:01 66,560 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 03:00 48,128 -------- c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 03:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 03:00 45,568 -------- c:\windows\system32\dllcache\mshta.exe
2009-01-15 02:53 68,608 -------- c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 02:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-15 02:50 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2005-07-15 18:38 628 a------- c:\documents and settings\agent-adair\293322.bin
2005-07-14 16:38 96 a------- c:\documents and settings\agent-adair\31242705.dat

============= FINISH: 22:21:44.23 ===============

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:32 PM

Posted 21 March 2009 - 12:18 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

There are definitely signs of infection, though I'm not sure if any are active.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshots of the Recovery Console prompts]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot of the post-install prompt]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log
-a fresh DDS Attach.txt

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda
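A note on reading the GMER log once it has been saved. GMER prints one line per hook it finds. Kernel and user-mode hooks whose JMP target it can attribute to a module are usually a security product (on this machine, McAfee's mfehidk.sys and mcproxy.exe), and SSDT entries owned by sptd.sys come from a disc-emulation driver, not malware. The lines worth a second look are user-mode hooks in explorer.exe, services.exe or lsass.exe whose JMP target is not attributed to any module, because that means the code lives in memory no loaded image owns, plus any "?" line naming a driver GMER could not open. The script below is an added triage helper written for this thread; it is not part of GMER, ComboFix or DDS. It parses the two line shapes described above from a small sample constructed to mirror the format of the log posted here, groups unattributed user-mode hooks by process and by 64 KiB target region, and lists drivers GMER could not read.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not part of GMER).

Line shapes handled, as GMER prints them:
  .text <process>[<pid>] <dll>!<export> <addr> <n> Bytes JMP <target> [<module> (<description>)]
  ? <driver path> <error text> !
Kernel hook lines (PAGE/.text without a [pid], SSDT ...) are deliberately skipped:
on this kind of log they are normally the antivirus driver.
"""
import re
from collections import defaultdict

USER_HOOK = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<func>\S+!\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+) Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"
)
MISSING_DRIVER = re.compile(r"^\?\s+(?P<path>\S+)\s+(?P<err>.+?)\s*!?\s*$")

# Constructed sample: a few lines in the exact shape GMER emits, modelled on this thread's log.
SAMPLE_LOG = r"""
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F20
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0029001B
.text C:\WINDOWS\explorer.exe[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02540000
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC0F7A
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AAA069AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text USBPORT.SYS!DllUnload F70CF8AC 5 Bytes JMP 86DCB770
? System32\Drivers\apiqz47w.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
"""


def parse_gmer(text):
    """Return (hooks, missing): user-mode hook dicts and (driver path, error) pairs."""
    hooks, missing = [], []
    for line in text.splitlines():
        m = USER_HOOK.match(line)
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["target"] = int(h["target"], 16)
            hooks.append(h)
            continue
        m = MISSING_DRIVER.match(line)
        if m:
            missing.append((m.group("path"), m.group("err")))
    return hooks, missing


def triage(text):
    """Per (process, pid): attributed vs unattributed hook counts, target regions and hooked APIs."""
    hooks, missing = parse_gmer(text)
    report = defaultdict(lambda: {"attributed": 0, "unattributed": 0,
                                  "regions": set(), "apis": set()})
    for h in hooks:
        entry = report[(h["proc"], h["pid"])]
        if h["module"]:
            entry["attributed"] += 1          # target lives inside a named module
        else:
            entry["unattributed"] += 1        # target is in memory no image owns
            entry["regions"].add(h["target"] >> 16)   # 64 KiB granularity
            entry["apis"].add(h["func"])
    return dict(report), missing


def suspicious(report):
    """Processes with unattributed hooks, most-hooked first: (proc, pid, count, regions)."""
    rows = [(proc, pid, e["unattributed"], sorted(e["regions"]))
            for (proc, pid), e in report.items() if e["unattributed"]]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    rep, miss = triage(SAMPLE_LOG)
    for proc, pid, count, regions in suspicious(rep):
        print(f"{proc}[{pid}]: {count} unattributed hooks into regions "
              + ", ".join(f"{r:04X}0000" for r in regions))
    for path, err in miss:
        print(f"unreadable driver: {path} ({err})")
```

Run it against a saved GMER log by replacing SAMPLE_LOG with the file's contents. A process with a dozen unattributed hooks clustered in two or three low regions, all covering file, registry, process-creation and socket APIs, is the pattern to show the helper; a single unattributed hook is often a benign shim, and a driver GMER cannot open because it is "being used by another process" is normal for sptd.sys.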

#5 uhmino

uhmino
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 21 March 2009 - 06:00 PM

gmer:

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-21 15:54:24
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF73DE0D0]
SSDT sptd.sys ZwEnumerateKey [0xF73E3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF73E4340]
SSDT sptd.sys ZwOpenKey [0xF73DE0B0]
SSDT sptd.sys ZwQueryKey [0xF73E4418]
SSDT sptd.sys ZwQueryValueKey [0xF73E4298]
SSDT sptd.sys ZwSetValueKey [0xF73E44AA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAAA069AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAAA06958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAAA0696C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAAA06A5B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAAA06A87]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAAA069EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAAA06B21]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAAA06930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAAA06944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAAA069BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAAA06AC9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAAA06A71]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAAA06B49]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAAA06B35]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAAA06996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAAA06982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAAA06A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAAA06B0B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAAA06A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAAA069D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AAA069D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AAA069AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP AAA069EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP AAA06A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP AAA069C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP AAA06934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP AAA06948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP AAA06986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP AAA06970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP AAA0695C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP AAA0699A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP AAA06A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP AAA06B0F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP AAA06ACD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP AAA06A75 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 1 Byte [E9]
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP AAA06A5F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP AAA06A8B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP AAA06B39 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP AAA06B4D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP AAA06B25 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F70CF8AC 5 Bytes JMP 86DCB770
? System32\Drivers\apiqz47w.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[512] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F75
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F86
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F97
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A009B
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F53
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F20
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F31
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00D4
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A004A
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A001B
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F64
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[652] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F42
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0029001B
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290062
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FCA
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0029000A
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F9B
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0029003D
.text C:\WINDOWS\explorer.exe[652] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0029002C
.text C:\WINDOWS\explorer.exe[652] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FBC
.text C:\WINDOWS\explorer.exe[652] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FCD
.text C:\WINDOWS\explorer.exe[652] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0022
.text C:\WINDOWS\explorer.exe[652] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\explorer.exe[652] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A003D
.text C:\WINDOWS\explorer.exe[652] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0011
.text C:\WINDOWS\explorer.exe[652] WININET.dll!InternetOpenA 63022BB0 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[652] WININET.dll!InternetOpenW 63023031 5 Bytes JMP 002C001B
.text C:\WINDOWS\explorer.exe[652] WININET.dll!InternetOpenUrlA 6302A7D0 5 Bytes JMP 002C0FDB
.text C:\WINDOWS\explorer.exe[652] WININET.dll!InternetOpenUrlW 63075ECF 5 Bytes JMP 002C002C
.text C:\WINDOWS\explorer.exe[652] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02540000
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01530FEF
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0153005D
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01530F72
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01530F83
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01530040
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01530014
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01530F37
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01530089
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015300BF
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0153009A
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01530F01
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0153002F
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01530FD4
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0153006E
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01530FA8
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01530FC3
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01530F26
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01520036
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01520FC0
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0152001B
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01520000
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01520087
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01520FEF
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0152006C
.text C:\WINDOWS\system32\services.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01520051
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E7005D
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70042
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70FE3
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E70FC8
.text C:\WINDOWS\system32\services.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E7001D
.text C:\WINDOWS\system32\services.exe[784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC00C2
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC00A7
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0FC3
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC005B
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F8B
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0FA8
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00F8
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F5F
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FC0113
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FC006C
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FC00D3
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FC002C
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC0F7A
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FB002F
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FB0062
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FB000A
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FB0051
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FB0040
.text C:\WINDOWS\system32\lsass.exe[796] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FB0FB9
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0F9E
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0033
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0FDE
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0FC3
.text C:\WINDOWS\system32\lsass.exe[796] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0F83
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0078
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0051
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0040
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0FA8
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB00A9
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0F61
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB00E6
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB00D5
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FB00F7
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FB002F
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FB0FD4
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FB0F72
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FB0FB9
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FB0014
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FB00C4
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FA0FB9
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FA0F83
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FA0FCA
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FA0FE5
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FA0036
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FA0025
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FA0FA8
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F90F97
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F90FB2
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F90FCD
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F90018
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F90FDE
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F66
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F81
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B8005B
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80F9E
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80040
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F3A
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F4B
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F18
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B800B1
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B800CC
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B80FB9
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80076
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80FCA
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B80025
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B80F29
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B70022
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70FA5
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B70FB6
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B70058
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B7003D
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60047
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B6002C
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60FE3
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60FC6
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D20F6F
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20064
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D20053
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D20F8A
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20FB6
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D20F28
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D20F39
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D20095
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D20EFC
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D20EEB
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D20F9B
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D20F4A
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D2002C
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D20011
.text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D20F17
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D10FA8
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D10011
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D10065
.text C:\WINDOWS\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D1004A
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00FC3
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00033
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00044
.text C:\WINDOWS\system32\svchost.exe[1024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05C10FEF
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05C1005D
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05C1004C
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05C10F72
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05C1002F
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05C10F97
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05C1008E
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05C10F46
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05C100C1
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05C100B0
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 05C10F0D
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 05C1001E
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 05C10FD4
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 05C10F57
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 05C10FA8
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 05C10FC3
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 05C1009F
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 03260FCD
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 03260F8D
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 03260014
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 03260FDE
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0326004A
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 03260FEF
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 03260039
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 03260FB2
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03250F9C
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 03250FAD
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03250FD2
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03250000
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03250027
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03250FE3
.text C:\WINDOWS\System32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03240FEF
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenA 63022BB0 5 Bytes JMP 0323000A
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenW 63023031 5 Bytes JMP 0323001B
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 6302A7D0 5 Bytes JMP 03230FE5
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 63075ECF 5 Bytes JMP 03230036
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40F7C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40F97
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40071
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40054
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40FB9
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40F3F
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40F50
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F1D
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B40F2E
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B40F0C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B40FA8
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B40F6B
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B40FCA
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B4001B
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B400A2
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B30FDB
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B30098
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B3002C
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B3001B
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B30087
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B3006C
.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B30051
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20FC8
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20049
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B2001D
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B2002E
.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FE3
.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0093
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0FA8
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0FB9
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0FCA
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0F63
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC00B5
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0F37
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00D0
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00EC00EB
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00EC006C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00EC0014
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00EC00A4
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00EC002F
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00EC0F52
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EB0065
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EB0054
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00EB0FA8
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [0B, 89]
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA0025
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0FA4
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0FC6
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0FB5
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FD7
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenA 63022BB0 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenW 63023031 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenUrlA 6302A7D0 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenUrlW 63075ECF 5 Bytes JMP 00E80FC3

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73DEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73DEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73DEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73DF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73DF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73F429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86DD11E8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 8687C6E8

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 86C5A1E8
Device \Driver\usbuhci \Device\USBPDO-1 86C5A1E8
Device \Driver\PCI_NTPNP6278 \Device\00000052 sptd.sys
Device \Driver\PCI_NTPNP6278 \Device\00000052 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-2 86C5A1E8
Device \Driver\usbuhci \Device\USBPDO-3 86C5A1E8
Device \Driver\usbehci \Device\USBPDO-4 86C2D1E8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86D611E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86D611E8
Device \Driver\Cdrom \Device\CdRom0 86C0C5E8
Device \Driver\Cdrom \Device\CdRom1 86C0C5E8
Device \Driver\Cdrom \Device\CdRom2 86C0C5E8
Device \Driver\Cdrom \Device\CdRom3 86C0C5E8
Device \Driver\Cdrom \Device\CdRom4 86C0C5E8
Device \Driver\Cdrom \Device\CdRom5 86C0C5E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86882640
Device \Driver\NetBT \Device\NetbiosSmb 86882640

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 86C5A1E8
Device \Driver\usbuhci \Device\USBFDO-1 86C5A1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 868721E8
Device \Driver\usbuhci \Device\USBFDO-2 86C5A1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 868721E8
Device \Driver\usbuhci \Device\USBFDO-3 86C5A1E8
Device \Driver\usbehci \Device\USBFDO-4 86C2D1E8
Device \Driver\Ftdisk \Device\FtControl 86D611E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{282D3F46-6966-4850-A543-50A127B2F74B} 86882640
Device \Driver\apiqz47w \Device\Scsi\apiqz47w1Port3Path0Target3Lun0 86BF02C8
Device \Driver\apiqz47w \Device\Scsi\apiqz47w1Port3Path0Target0Lun0 86BF02C8
Device \Driver\apiqz47w \Device\Scsi\apiqz47w1Port3Path0Target2Lun0 86BF02C8
Device \Driver\apiqz47w \Device\Scsi\apiqz47w1 86BF02C8
Device \Driver\apiqz47w \Device\Scsi\apiqz47w1Port3Path0Target1Lun0 86BF02C8
Device \FileSystem\Fastfat \Fat 8687C6E8

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 8685B1E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -2135510023
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 146714786
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0x40 0x72 0xC7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6F 0x7D 0x0F 0x99 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x81 0x20 0x33 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x15 0x80 0x54 0x8D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xAF 0xA5 0xE3 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xAF 0xA5 0xE3 0xC3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0x40 0x72 0xC7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6F 0x7D 0x0F 0x99 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x81 0x20 0x33 0x21 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x15 0x80 0x54 0x8D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xAF 0xA5 0xE3 0xC3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xAF 0xA5 0xE3 0xC3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0x40 0x72 0xC7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6F 0x7D 0x0F 0x99 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0A 0x1C 0x8A 0xF7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xAF 0xA5 0xE3 0xC3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xAF 0xA5 0xE3 0xC3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xAF 0xA5 0xE3 0xC3 ...

---- EOF - GMER 1.0.15 ----

combofix:

ComboFix 09-03-19.02 - AGENT-ADAIR 2009-03-21 14:08:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.450 [GMT -7:00]
Running from: c:\documents and settings\AGENT-ADAIR\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\AGENT-ADAIR\My Documents\STEM32~1
c:\program files\Common Files\{B0900~1
c:\program files\Common Files\icroso~1.net
c:\program files\sembly~1
c:\windows\IA
c:\windows\mcroso~1.net
c:\windows\regedit.com
c:\windows\system32\components
c:\windows\system32\jphaxyap.byv
c:\windows\system32\open.ico
c:\windows\system32\sstem~1
c:\windows\system32\taskmgr.com
c:\windows\system32afdaqd3.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-20 22:28 . 2009-03-20 22:28 <DIR> d-------- c:\program files\Common Files\DivX Shared
2009-03-18 18:26 . 2009-03-18 18:26 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-18 18:26 . 2009-03-18 18:26 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-03-18 18:25 . 2009-03-18 18:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-03-18 07:09 . 2009-03-18 07:09 <DIR> d-------- c:\documents and settings\AGENT-ADAIR\Application Data\Yahoo!
2009-03-18 07:08 . 2009-03-20 14:21 <DIR> d-------- c:\program files\Yahoo!
2009-03-17 21:59 . 2009-03-17 21:59 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-03-17 21:59 . 2009-03-17 21:59 <DIR> d-------- c:\documents and settings\AGENT-ADAIR\Application Data\SystemRequirementsLab
2009-03-17 21:57 . 2009-03-17 22:08 <DIR> d-------- c:\documents and settings\AGENT-ADAIR\Application Data\SecondLife
2009-03-17 21:51 . 2009-03-17 21:53 <DIR> d-------- c:\program files\SecondLife
2009-03-11 18:21 . 2009-03-11 18:21 <DIR> d-------- c:\documents and settings\AGENT-ADAIR\Application Data\SampleView
2009-03-10 14:47 . 2009-03-10 14:47 11 --a------ C:\AuResult.ini
2009-03-10 10:19 . 2009-03-12 12:39 <DIR> d-------- c:\program files\a-squared Anti-Malware
2009-03-10 02:46 . 2009-03-10 02:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-03-10 02:44 . 2009-03-10 02:44 <DIR> d-------- c:\program files\Common Files\iS3
2009-03-07 17:58 . 2009-03-07 17:58 <DIR> d--hs---- c:\documents and settings\AGENT-ADAIR\PrivacIE
2009-03-07 17:58 . 2009-03-07 17:58 <DIR> d--hs---- c:\documents and settings\AGENT-ADAIR\IETldCache
2009-03-07 17:26 . 2009-03-07 17:26 <DIR> d-------- c:\windows\ie8updates
2009-03-07 17:23 . 2009-03-07 17:24 <DIR> d--h-c--- c:\windows\ie8
2009-03-07 17:21 . 2009-01-10 22:00 79,360 --------- c:\windows\system32\dllcache\iecompat.dll
2009-03-06 17:17 . 2009-03-12 12:41 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-06 17:17 . 2009-03-06 17:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-06 17:17 . 2009-03-06 17:17 <DIR> d-------- c:\documents and settings\AGENT-ADAIR\Application Data\SUPERAntiSpyware.com
2009-03-04 19:30 . 2009-03-04 19:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\McAfee
2009-03-04 16:10 . 2009-03-05 17:03 <DIR> d-------- c:\documents and settings\AGENT-ADAIR\Application Data\McAfee
2009-03-04 16:08 . 2009-03-21 13:50 14,859 --a------ c:\windows\system32\Config.MPF
2009-03-04 16:07 . 2006-03-03 09:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-03-04 16:04 . 2007-11-22 07:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-03-04 16:04 . 2007-07-13 07:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-03-04 16:04 . 2007-11-22 07:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-04 16:04 . 2007-12-02 13:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-04 16:04 . 2007-11-22 07:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-04 16:04 . 2007-11-22 07:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-03-04 16:03 . 2009-03-04 16:04 <DIR> d-------- c:\program files\McAfee.com
2009-03-04 16:03 . 2009-03-19 08:22 <DIR> d-------- c:\program files\McAfee
2009-03-04 16:03 . 2009-03-04 16:04 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-04 14:25 . 2009-03-18 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-02 22:47 . 2009-03-04 02:50 78 --a------ c:\windows\lsoon.ini
2009-03-02 21:54 . 2009-03-02 21:54 (2) -rahs-ot- c:\windows\winstart.bat
2009-03-02 21:54 . 2009-03-02 21:54 (2) -rahs-ot- c:\windows\system32\AUTOEXEC.NT
2009-03-02 21:49 . 2009-03-04 02:50 <DIR> d-------- C:\backreg
2009-03-02 14:53 . 2009-03-02 14:52 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-02 14:52 . 2009-03-10 14:47 <DIR> d-------- c:\documents and settings\AGENT-ADAIR\.housecall6.6
2009-03-02 14:38 . 2003-09-06 16:55 57,556 --a------ c:\windows\guard.bmp
2009-03-02 13:31 . 2009-03-02 13:31 <DIR> d-------- c:\windows\Options

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 19:46 --------- d-----w c:\documents and settings\AGENT-ADAIR\Application Data\uTorrent
2009-03-21 05:28 --------- d-----w c:\program files\DivX
2009-03-20 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-17 00:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-17 00:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 01:33 --------- d-----w c:\program files\LEDSET
2009-03-12 00:22 --------- d-----w c:\documents and settings\AGENT-ADAIR\Application Data\Apple Computer
2009-03-11 04:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-11 04:02 --------- d-----w c:\program files\LucasArts
2009-03-11 03:50 --------- d-----w c:\program files\Apple Software Update
2009-03-10 07:35 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 21:27 --------- d-----w c:\program files\Trend Micro
2009-03-07 00:18 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-05 21:42 --------- d-----w c:\documents and settings\AGENT-ADAIR\Application Data\Move Networks
2009-03-02 20:22 --------- d-----w c:\program files\VentSrv
2009-03-02 20:22 --------- d-----w c:\program files\uTorrent
2009-03-02 20:10 --------- d-----w c:\program files\IntelliMover Data Transfer Demo
2009-02-22 01:54 --------- d-----w c:\program files\Winamp
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\dllcache\win32k.sys
2009-02-05 09:29 --------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 06:33 201,440 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-05 06:33 138,512 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-03 22:36 --------- d-----w c:\program files\Java
2009-01-29 21:50 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-29 21:49 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-01-29 21:47 --------- d-----w c:\program files\NOS
2009-01-28 18:48 --------- d-----w c:\program files\KCeasy
2009-01-21 20:06 --------- d-----w c:\program files\QuickTime
2009-01-21 00:52 --------- d-----w c:\program files\CCleaner
2009-01-15 10:17 636,264 ------w c:\windows\system32\dllcache\iexplore.exe
2009-01-15 10:17 392,040 ------w c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 10:13 5,888,512 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-15 10:06 236,544 ------w c:\windows\system32\dllcache\webcheck.dll
2009-01-15 10:06 105,984 ------w c:\windows\system32\dllcache\url.dll
2009-01-15 10:06 1,182,720 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 10:05 911,872 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 10:05 43,008 ------w c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 10:05 193,536 ------w c:\windows\system32\dllcache\msrating.dll
2009-01-15 10:05 109,056 ------w c:\windows\system32\dllcache\occache.dll
2009-01-15 10:04 755,200 ------w c:\windows\system32\dllcache\VGX.dll
2009-01-15 10:04 25,600 ------w c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 10:04 18,944 ------w c:\windows\system32\dllcache\corpol.dll
2009-01-15 10:02 611,840 ------w c:\windows\system32\dllcache\mstime.dll
2009-01-15 10:01 66,560 ------w c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 10:01 46,592 ------w c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 10:01 348,160 ------w c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 10:01 34,304 ------w c:\windows\system32\dllcache\imgutil.dll
2009-01-15 10:01 216,064 ------w c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 10:01 183,808 ------w c:\windows\system32\dllcache\iepeers.dll
2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 10:00 48,128 ------w c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 10:00 45,568 ------w c:\windows\system32\dllcache\mshta.exe
2009-01-15 09:53 68,608 ------w c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll
2009-01-15 09:50 156,160 ----a-w c:\windows\system32\dllcache\msls31.dll
2005-07-16 01:38 628 ----a-w c:\documents and settings\AGENT-ADAIR\293322.bin
2005-07-14 23:38 96 ----a-w c:\documents and settings\AGENT-ADAIR\31242705.dat
2009-01-27 01:34 1,044,480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 200,704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-06-18 20:59 56 --sha-r c:\windows\system32\D400DEEEC4.sys
2006-10-28 11:27 1,175,875 -csh--w c:\windows\Web\printers\crcbod.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" [2004-12-07 196608]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 c:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\AGENT-ADAIR\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bvoxfp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD9696]
del [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\AGENT-ADAIR\\Desktop\\utorrent.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Tor\\tor.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-18 210216]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-03-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-03-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-03-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{4CFDDCCF-0F0C-4E08-97A3-FDF4237D652C} - (no file)
Toolbar-{97B7E07D-8463-45AD-83C9-01E51BE9FA07} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-Regrun2 - c:\progra~1\Greatis\REGRUN~1\WatchDog.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mattbesser.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Subscribe with RSSRadio - file://c:\program files\Dorada Software\RSSRadio\subscribe.htm
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: internet
Trusted Zone: launch.com
Trusted Zone: mcafee.com
Trusted Zone: yahoo.com
FF - ProfilePath - c:\documents and settings\AGENT-ADAIR\Application Data\Mozilla\Firefox\Profiles\23wk1657.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://eztv.it/index.php
FF - component: c:\documents and settings\AGENT-ADAIR\Application Data\Mozilla\Firefox\Profiles\23wk1657.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\AGENT-ADAIR\Application Data\Mozilla\Firefox\Profiles\23wk1657.default\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFAlert.dll
FF - plugin: c:\documents and settings\AGENT-ADAIR\Application Data\Mozilla\Firefox\Profiles\23wk1657.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\np_gp.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPnsv_vp3_mp3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 14:11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-21 14:13:43
ComboFix-quarantined-files.txt 2009-03-21 21:13:39

Pre-Run: 111,507,210,240 bytes free
Post-Run: 111,496,798,208 bytes free

284 --- E O F --- 2009-03-20 11:37:04

Attached Files



#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:32 PM

Posted 21 March 2009 - 08:42 PM

Hello.

I want to take a closer look at that uninstall key.

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    rem dump both Uninstall hives into one report, then open it
    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s >Report.txt
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s >>Report.txt
    start notepad.exe Report.txt
    rem remove this batch file once it has run
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input look.bat
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click look.bat. If you are using Windows Vista, right click the icon and select "Run as Administrator".

You will see a command prompt window open followed by a notepad containing Report.txt. Attach Report.txt to your next reply.

With Regards,
The Panda

#7 uhmino

uhmino
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 21 March 2009 - 09:01 PM

Here it is and I very much appreciate the time you took to help me

Attached Files



#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:32 PM

Posted 22 March 2009 - 09:38 AM

Hello.

The Add/Remove Programs entry's description: "Chainsaw is a bot meant to administrate an IRC channel or simply as a replacement to mirc." Do you use this program?

It could be used to remotely control your machine.

I don't see it actively running though.

We can remove the Add/Remove Program entry.

Apply Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F86E04D5-8289-4145-BC55-17C028C608F4}]
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click fix.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.

Delete fix.reg after use.

Reboot. Does it reappear after?

With Regards,
The Panda
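
As an added example (not part of this thread and not code from the tools used in it), here is a small Python parser for the Report.txt that look.bat produces, which picks out Uninstall entries by display name, notes whether each is a Windows Installer product, and writes the same kind of REGEDIT4 deletion script as fix.reg. The sample dump, the Firefox entry and the "Chainsaw" DisplayName are constructed; only the product code is the one from the thread.

```python
import re
from typing import Dict, List

# Constructed sample of the Report.txt written by look.bat (`reg query /s`
# output). XP separates fields with tabs, Vista and later with four spaces,
# so the parser accepts both. Names/paths are made up except the GUID.
SAMPLE_REPORT = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
    "\\{F86E04D5-8289-4145-BC55-17C028C608F4}\n"
    "\tDisplayName\tREG_SZ\tChainsaw\n"
    "\tUninstallString\tREG_SZ\tMsiExec.exe /I{F86E04D5-8289-4145-BC55-17C028C608F4}\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
    "\\Mozilla Firefox (3.0.7)\n"
    "    DisplayName    REG_SZ    Mozilla Firefox (3.0.7)\n"
    "    UninstallString    REG_SZ    \"C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe\"\n"
)

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")               # key paths start at column 0
VAL_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")  # "<name> <type> <data>"
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map every key path in a `reg query /s` dump to its {value name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).rstrip()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            keys[current][name] = data.strip()
    return keys


def find_suspect_uninstall_entries(keys, names=("chainsaw",)) -> List[dict]:
    """Return Uninstall entries whose DisplayName contains a suspect name.
    MSI-based entries are flagged separately: Windows Installer keeps its own
    product registration, so deleting only the Uninstall key may not keep
    such an entry out of Add/Remove Programs."""
    findings = []
    for path, values in keys.items():
        if "\\currentversion\\uninstall\\" not in path.lower():
            continue
        display = values.get("DisplayName", "")
        if not any(n in display.lower() for n in names):
            continue
        uninstall = values.get("UninstallString", "")
        code = GUID_RE.search(uninstall)
        findings.append({"key": path, "display_name": display,
                         "msi_product": "msiexec" in uninstall.lower(),
                         "product_code": code.group(0) if code else None})
    return findings


def regedit4_delete_script(findings: List[dict]) -> str:
    """Build a fix.reg in the REGEDIT4 form used above: a leading minus on
    the key line deletes the whole Uninstall key when the file is merged."""
    return "\n".join(["REGEDIT4", ""] + ["[-%s]" % f["key"] for f in findings]) + "\n"
```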

#9 uhmino

uhmino
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 22 March 2009 - 01:37 PM

I def do not use the program, but I've had it a long time. It reappears, but like an installation icon instead of its original one. Should I just delete it in add/remove? It's def not a legit program.

Edit: I removed it, but it still reappears as an installation icon and it has no size. It said "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again or enter an alternate path to a folder containing the installation package 'chainsaw.msi' in the box below."

Edited by uhmino, 22 March 2009 - 01:44 PM.


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:32 PM

Posted 22 March 2009 - 07:07 PM

Hello.

After using the registry script, does the entry still appear?

With Regards,
The Panda

#11 uhmino

uhmino
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 22 March 2009 - 08:52 PM

It appears like this in my add/remove programs. If you are talking about another entry I wouldn't know

Posted Image

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:32 PM

Posted 23 March 2009 - 06:48 PM

Hello.

I can't see anything that would cause this to reappear after the registry script removed that.

Let's see if an online scan can find anything.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda

#13 uhmino

uhmino
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 23 March 2009 - 11:59 PM

Here it is, found nothing

Attached Files



#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:32 PM

Posted 24 March 2009 - 03:33 PM

Hello.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=bvoxfp.dll
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD9696]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F86E04D5-8289-4145-BC55-17C028C608F4}]
    
    :files
    c:\windows\Tasks\Symantec NetDetect.job
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

With Regards,
The Panda

#15 uhmino

uhmino
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 24 March 2009 - 06:04 PM

Here you go and chainsaw is still in add/remove btw

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|bvoxfp.dll /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD9696\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\\AntiVirusDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus\\DisableMonitoring deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall\\DisableMonitoring deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F86E04D5-8289-4145-BC55-17C028C608F4}\\ not found.
========== FILES ==========
c:\windows\Tasks\Symantec NetDetect.job moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\AGENT-~1\LOCALS~1\Temp\fb_4076.lck scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\AGENT-~1\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\AGENT-~1\LOCALS~1\Temp\~DFF808.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\fb_208.lck scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_vkD7ElhHORdVEWQ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_7fv2qrfg6uSFzYY scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_wZ7g6ykqsahFNxh scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_Z1Vd0Qc349CGl8d scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7d8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_eu8EjA8Snb2oNoo scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_G6cozDkhPVv3ejf scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_trH4CrSS1U8teVt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV36.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03242009_154535

Files moved on Reboot...
File C:\DOCUME~1\AGENT-~1\LOCALS~1\Temp\fb_4076.lck not found!
File C:\DOCUME~1\AGENT-~1\LOCALS~1\Temp\hpodvd09.log not found!
File C:\DOCUME~1\AGENT-~1\LOCALS~1\Temp\~DFF808.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\fb_208.lck not found!
File C:\WINDOWS\temp\mcafee_vkD7ElhHORdVEWQ not found!
File C:\WINDOWS\temp\mcmsc_7fv2qrfg6uSFzYY not found!
File C:\WINDOWS\temp\mcmsc_wZ7g6ykqsahFNxh not found!
File C:\WINDOWS\temp\mcmsc_Z1Vd0Qc349CGl8d not found!
File C:\WINDOWS\temp\Perflib_Perfdata_7d8.dat not found!
File C:\WINDOWS\temp\sqlite_eu8EjA8Snb2oNoo not found!
File C:\WINDOWS\temp\sqlite_G6cozDkhPVv3ejf not found!
File C:\WINDOWS\temp\sqlite_trH4CrSS1U8teVt not found!
File C:\WINDOWS\temp\WFV36.tmp not found!

Edited by uhmino, 24 March 2009 - 06:06 PM.




