
I CANT OPEN ANY ANTISPYWARE PROGRAMS!


  • This topic is locked
13 replies to this topic

#1 c-good

  • Members
  • 17 posts

Posted 20 March 2009 - 09:19 PM

I am infected with some sort of virus (I downloaded something and it gave me a virus). I can't open any of my antispyware programs (Spybot, Malwarebytes, SUPERAntiSpyware) and I can't download any. When I run a scan with my McAfee antivirus it either pauses or the screen turns blue and my CPU restarts... Please help.

Hijackthis logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:07 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\iup.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{62DDFDBA-7A6B-4AD7-BECE-CDA6AC119052}: NameServer = 85.255.112.185,85.255.112.193
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.185,85.255.112.193
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.185,85.255.112.193
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Server Network Colocation Service (WSNCS) - Unknown owner - C:\WINDOWS\system32\wsncs.exe (file missing)

--
End of file - 8301 bytes
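As an added example, not part of this thread and not HijackThis's or BleepingComputer's own code, here is a small Python triage script that applies the checks a helper would run by eye over the HJT log above: Userinit entries beyond userinit.exe (F2), O17 NameServer values outside the DNS servers the machine is expected to use, O23 services whose file is missing, and orphaned O2 BHO entries. The expected-DNS set (the LAN router 192.168.0.1 seen in the DHCP event of the DDS log) is an assumption made for the example, and the sample lines are copied from the posted log.

```python
"""Triage checks over HijackThis (HJT) log lines.

Added example; not part of the original thread and not HijackThis's own code.
EXPECTED_DNS is an assumption for this example (the LAN router 192.168.0.1);
any O17 NameServer outside it is reported for review, not declared malicious.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines taken from the HJT log posted above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,c:\\iup.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.185,85.255.112.193
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\VIRUSS~1\\mcshield.exe
O23 - Service: Windows Server Network Colocation Service (WSNCS) - Unknown owner - C:\\WINDOWS\\system32\\wsncs.exe (file missing)
"""

# Assumption for this example: DNS servers this machine is expected to use.
EXPECTED_DNS = {"192.168.0.1"}

# Every HJT entry starts with a section code such as R0, F2, O17, O23.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split an HJT log into (section, body) pairs; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def check_userinit(body: str) -> List[str]:
    """F2: Userinit should list only userinit.exe; anything extra runs at every logon."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    items = filter(None, (p.strip() for p in m.group(1).split(",")))
    return [f"F2 Userinit runs extra program: {item}"
            for item in items if not item.lower().endswith("\\userinit.exe")]


def check_nameserver(body: str) -> List[str]:
    """O17: report DNS servers that are not in the expected set."""
    m = re.search(r"NameServer = (.*)$", body)
    if not m:
        return []
    return [f"O17 unexpected DNS server: {ip.strip()}"
            for ip in m.group(1).split(",") if ip.strip() not in EXPECTED_DNS]


def check_service(body: str) -> List[str]:
    """O23: a service whose binary is gone, or with no known owner, needs review."""
    if body.endswith("(file missing)"):
        return [f"O23 service points at missing file: {body}"]
    if "Unknown owner" in body:
        return [f"O23 service with unknown owner (review): {body}"]
    return []


def check_bho(body: str) -> List[str]:
    """O2: an entry with no backing file is usually leftover, so low priority."""
    return [f"O2 orphaned BHO entry (low priority): {body}"] if body.endswith("(no file)") else []


CHECKS = {"F2": check_userinit, "O17": check_nameserver,
          "O23": check_service, "O2": check_bho}


def triage(text: str) -> Dict[str, List[str]]:
    """Run every section-specific check and group the findings by HJT section."""
    report: Dict[str, List[str]] = {}
    for kind, body in parse_hjt(text):
        for finding in CHECKS.get(kind, lambda _b: [])(body):
            report.setdefault(kind, []).append(finding)
    return report


if __name__ == "__main__":
    for section, items in sorted(triage(SAMPLE_LOG).items()):
        for item in items:
            print(section, "|", item)
```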

#2 jmw3

    MRU Teacher


  • Malware Response Team
  • 58 posts

Posted 20 March 2009 - 11:38 PM

Hello & Welcome to Bleeping Computer

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Enable email notification of replies? is clicked on the Post Reply page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes them much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after a log will appear
  • Click Yes at the next prompt, another log named attach.txt will appear
  • A window will open instructing you to post both logs. Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


To post in next reply:
DDS logs
Gmer log

Teacher, Malware Removal University - You too could train to help others
Member - UNITE, Alliance of Security Analysis Professionals


#3 c-good

  • Topic Starter

  • Members
  • 17 posts

Posted 21 March 2009 - 12:17 PM

Hey, and thanks for the reply. In my previous posts I didn't know that I had to subscribe. I never knew when I had a reply... thanks for telling me. :thumbup2:

DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by c-good at 12:04:37.67 on Sat 03/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2482 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\c-good\Desktop\dds.com
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\iup.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\c-good\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\c-good\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: NameServer = 85.255.112.185,85.255.112.193
TCP: {62DDFDBA-7A6B-4AD7-BECE-CDA6AC119052} = 85.255.112.185,85.255.112.193
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-9-2 143360]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-9-2 207656]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-19 55152]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\marvell\61xx\svc\mvraidsvc.exe [2007-9-5 57344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-3 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-2 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-2 144704]
R2 MRUWebService;MRU Web Service;c:\program files\marvell\61xx\apache2\bin\Apache.exe [2007-6-18 20539]
R2 Nakido;Nakido;c:\program files\nakido\nakido.exe [2008-9-18 320000]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-9-2 36864]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-2 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-2 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-2 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-2 40488]
S2 WSNCS;Windows Server Network Colocation Service;c:\windows\system32\wsncs.exe --> c:\windows\system32\wsncs.exe [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-2 34152]

=============== Created Last 30 ================

2009-03-20 22:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-20 22:30 <DIR> --d----- c:\docume~1\c-good\applic~1\SUPERAntiSpyware.com
2009-03-20 22:29 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-20 21:11 <DIR> --d----- c:\program files\IntelliAdmin
2009-03-19 20:19 <DIR> --d----- c:\documents and settings\c-good\Tracing
2009-03-19 16:27 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-03-19 16:27 55,152 a------- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-03-19 16:27 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-03-19 16:26 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-03-19 16:25 <DIR> --d----- c:\program files\Microsoft
2009-03-19 16:25 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-19 16:20 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-14 12:52 62,261 a------- c:\windows\War3Unin.dat
2009-03-14 12:52 2,829 a------- c:\windows\War3Unin.pif
2009-03-14 12:52 139,264 a------- c:\windows\War3Unin.exe
2009-03-14 12:49 <DIR> --d----- C:\Warcraft III
2009-03-10 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Launcher
2009-03-10 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Graboid Inc
2009-03-10 22:46 <DIR> --d----- c:\docume~1\c-good\applic~1\MozillaControl
2009-03-10 22:45 <DIR> --d----- c:\program files\VideoLAN
2009-02-19 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2006-06-23 10:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 12:05:01.75 ===============

OTHER LOG:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/2/2008 3:02:16 PM
System Uptime: 3/21/2009 12:01:51 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K SE/EPU
Processor: Intel® Pentium® Dual CPU E2180 @ 2.00GHz | LGA775 | 2000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 192.694 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E969-E325-11CE-BFC1-08002BE10318}
Description: Standard floppy disk controller
Device ID: ACPI\PNP0700\4&1400782C&0
Manufacturer: (Standard floppy disk controllers)
Name: Standard floppy disk controller
PNP Device ID: ACPI\PNP0700\4&1400782C&0
Service: fdc

==== System Restore Points ===================

RP99: 5/27/2009 9:03:44 PM - System Checkpoint
RP100: 5/29/2009 9:07:35 PM - System Checkpoint
RP101: 5/31/2009 3:16:00 PM - System Checkpoint
RP102: 6/3/2009 6:33:08 PM - System Checkpoint
RP103: 1/4/2009 5:17:53 PM - System Checkpoint
RP104: 1/7/2009 4:18:42 PM - System Checkpoint
RP105: 1/8/2009 5:11:21 PM - System Checkpoint
RP106: 3/11/2009 8:56:33 PM - System Checkpoint
RP107: 1/13/2009 5:55:21 PM - System Checkpoint
RP108: 1/13/2009 11:37:11 PM - Software Distribution Service 3.0
RP109: 1/15/2009 11:42:36 PM - System Checkpoint
RP110: 1/17/2009 10:15:38 AM - System Checkpoint
RP111: 1/18/2009 10:35:21 AM - System Checkpoint
RP112: 1/19/2009 8:01:13 PM - System Checkpoint
RP113: 1/20/2009 4:40:44 PM - Installed Adobe Photoshop
RP114: 1/23/2009 5:39:16 PM - System Checkpoint
RP115: 7/24/2009 1:24:42 PM - System Checkpoint
RP116: 1/25/2009 2:57:48 PM - System Checkpoint
RP117: 1/26/2009 5:23:16 PM - System Checkpoint
RP118: 3/26/2009 9:56:22 PM - System Checkpoint
RP119: 3/28/2009 4:31:34 PM - System Checkpoint
RP120: 3/28/2009 7:05:16 PM - Unsigned driver install
RP121: 3/28/2009 8:16:09 PM - Installed Adobe Flash Player 9 ActiveX.
RP122: 3/30/2009 8:51:29 PM - System Checkpoint
RP123: 4/1/2009 10:08:07 AM - System Checkpoint
RP124: 4/2/2009 8:55:34 PM - System Checkpoint
RP125: 4/5/2009 5:31:30 PM - System Checkpoint
RP126: 4/6/2009 8:45:51 PM - System Checkpoint
RP127: 4/7/2009 9:03:39 PM - System Checkpoint
RP128: 4/9/2009 5:14:18 PM - System Checkpoint
RP129: 4/10/2009 6:03:37 PM - System Checkpoint
RP130: 4/11/2009 6:13:39 PM - System Checkpoint
RP131: 2/11/2009 8:54:57 PM - System Checkpoint
RP132: 2/12/2009 3:53:41 PM - Unsigned driver install
RP133: 2/13/2009 6:59:34 PM - System Checkpoint
RP134: 2/14/2009 1:30:31 PM - Installed SUPERAntiSpyware Free Edition
RP135: 2/14/2009 11:11:19 PM - Removed SUPERAntiSpyware Free Edition
RP136: 2/16/2009 6:24:50 PM - System Checkpoint
RP137: 2/17/2009 6:29:43 PM - System Checkpoint
RP138: 2/20/2009 7:44:53 PM - System Checkpoint
RP139: 2/21/2009 6:01:21 PM - Removed Adobe Bridge 1.0
RP140: 2/21/2009 6:01:56 PM - Installed Adobe Bridge 1.0
RP141: 2/21/2009 6:02:52 PM - Installed AUM405Patch
RP142: 2/22/2009 8:32:10 PM - System Checkpoint
RP143: 2/24/2009 4:23:42 PM - Software Distribution Service 3.0
RP144: 2/26/2009 5:43:56 PM - System Checkpoint
RP145: 2/27/2009 6:40:31 PM - System Checkpoint
RP146: 3/2/2009 7:19:56 PM - System Checkpoint
RP147: 3/3/2009 7:29:22 PM - System Checkpoint
RP148: 3/5/2009 4:54:15 PM - System Checkpoint
RP149: 3/6/2009 5:32:07 PM - System Checkpoint
RP150: 3/7/2009 5:47:46 PM - System Checkpoint
RP151: 3/8/2009 7:02:16 PM - System Checkpoint
RP152: 3/10/2009 4:30:13 PM - System Checkpoint
RP153: 3/10/2009 9:51:00 PM - Software Distribution Service 3.0
RP154: 3/12/2009 5:38:38 PM - System Checkpoint
RP155: 3/13/2009 7:51:19 PM - System Checkpoint
RP156: 3/16/2009 5:15:34 PM - System Checkpoint
RP157: 3/16/2009 9:25:35 PM - Software Distribution Service 3.0
RP158: 3/17/2009 9:53:11 PM - System Checkpoint
RP159: 3/19/2009 4:26:41 PM - Installed Windows XP KB954708.
RP160: 3/19/2009 4:27:03 PM - Installed DirectX
RP161: 3/20/2009 4:35:24 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Atheros Communications Inc.® L1 Gigabit Ethernet Driver
Audacity 1.2.6
AviSynth 2.5
Basketball Playbook 009 j
Bell Mobility Music Backup Application 2.0.0.4
Bonjour
Choice Guard
Critical Update for Windows Media Player 11 (KB959772)
DivX Codec
DVD Flick
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
ImgBurn
IntelliAdmin Network Administrator - Remove
iTunes
Java™ 6 Update 7
Junk Mail filter update
LG USB Modem driver
LimeWire 5.1.2
Malwarebytes' Anti-Malware
Marvell MRU
McAfee SecurityCenter
Messenger Plus! Live
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office PowerPoint 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSVCRT
Nakido
Nero 6 Ultra Edition
NVIDIA Drivers
PokerStars
Power Sound Editor Free
PSP Video 9 4.04
QuickTime
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Segoe UI
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Update for Office 2007 (KB946691)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Warcraft III: All Products
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
YouTube Downloader App 1.01

==== Event Viewer Messages From Past Week ========

3/19/2009 4:24:13 PM, error: DCOM [10001] - Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
3/17/2009 11:21:31 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.100 with the system having network hardware address 00:1B:63:C1:73:DA. Network operations on this system may be disrupted as a result.
3/17/2009 11:18:36 AM, error: Dhcp [1002] - The IP address lease 192.168.0.103 for the Network Card with network address 002215737789 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
3/20/2009 8:05:46 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/20/2009 8:07:03 PM, error: NetBT [4308] - Initialization failed because the transport refused to open initial Connections.
3/20/2009 9:37:37 PM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 805266aa, parameter3 bad02a3c, parameter4 bad02738.
3/20/2009 9:37:45 PM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 805266aa, parameter3 bacf6a3c, parameter4 bacf6738.
3/20/2009 10:09:17 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
3/20/2009 10:36:37 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
3/20/2009 10:41:48 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 2 time(s).
3/20/2009 10:48:06 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 3 time(s).
3/20/2009 10:49:09 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 4 time(s).

==== End Of File ===========================

GMER LOG: I just noticed that I didn't uncheck Sections :) but here is the log; I unchecked everything else before the scan:

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-21 13:16:08
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB5CB69CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB5CB6A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB5CB6978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB5CB698C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB5CB6A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB5CB6AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB5CB6B14]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB5CB6AF9]
Code 895235B8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB5CB6A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB5CB6B3E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB5CB6A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB5CB6950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB5CB6964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB5CB69DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB5CB6B7A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB5CB6AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB5CB6ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB5CB6A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB5CB6B66]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB5CB6B52]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB5CB69B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB5CB69A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB5CB6AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB5CB6A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB5CB6B28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB5CB6A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB5CB69F4]
Code 8974B65E IofCallDriver
Code 8974A566 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8974B663
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8974A56B
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B5CB69F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B5CB69CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B5CB6A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B5CB6A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 895235BC
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B5CB69E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B5CB6954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B5CB6968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B5CB69A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B5CB6990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B5CB697C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B5CB69BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B5CB6A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B5CB6AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B5CB6ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B5CB6B2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B5CB6AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B5CB6A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B5CB6A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B5CB6A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B5CB6AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 5 Bytes JMP B5CB6B18 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B5CB6AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B5CB6A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B5CB6B7E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B5CB6B56 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B5CB6B6A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B5CB6B42 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B8007F
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B8006E
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80051
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80040
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FC3
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B800AB
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F63
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B800E1
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B800C6
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B800F2
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B80F9E
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80090
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80025
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\system32\svchost.exe[528] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B80F48
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B70025
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70062
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B70051
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B70FAF
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D7, 88]
.text C:\WINDOWS\system32\svchost.exe[528] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B70036
.text C:\WINDOWS\system32\svchost.exe[528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60027
.text C:\WINDOWS\system32\svchost.exe[528] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60FA6
.text C:\WINDOWS\system32\svchost.exe[528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60FC1
.text C:\WINDOWS\system32\svchost.exe[528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60016
.text C:\WINDOWS\system32\svchost.exe[528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60FD2
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F41
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F0B
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F1C
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070EF0
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070039
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F52
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006005B
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050042
.text C:\WINDOWS\system32\services.exe[740] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FC8
.text C:\WINDOWS\system32\services.exe[740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FAD
.text C:\WINDOWS\system32\services.exe[740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F800B5
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F800A4
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80FC0
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F8007D
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80047
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800E1
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80FA5
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800FC
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F63
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F80F52
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F80062
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F800D0
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F8002C
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F80F74
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F70FCD
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F7005E
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F7001E
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F70FDE
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F70F97
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F70FA8
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [17, 89]
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F70039
.text C:\WINDOWS\system32\lsass.exe[752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60FA6
.text C:\WINDOWS\system32\lsass.exe[752] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60FB7
.text C:\WINDOWS\system32\lsass.exe[752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F60027
.text C:\WINDOWS\system32\lsass.exe[752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\lsass.exe[752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F60FD2
.text C:\WINDOWS\system32\lsass.exe[752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50F8D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50082
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50FA8
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50065
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50036
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B500AE
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B5009D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B500DA
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B50F41
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B50F26
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B50FD4
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B50F72
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B50025
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B50014
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B500BF
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B40FE5
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B40080
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B4002C
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B40011
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B4006F
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B40FC3
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D4, 88] {AAM 0x88}
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B40FD4
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B30FA8
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B3003D
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B30FD7
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B30022
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B30011
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D0009D
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00082
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00F9E
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D0005B
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00F77
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D000BF
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D000EE
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D00F55
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D000FF
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D00FB9
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D000AE
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D00036
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D00025
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D00F66
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CF0025
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CF0076
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CF005B
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CF0040
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0FBE
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0FD9
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0038
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE000C
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0053
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE001D
.text C:\WINDOWS\system32\svchost.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C0000A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C00087
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C00F92
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C00FAF
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C0006C
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C00036
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C00F5C
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C000A2
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C000EB
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C000DA
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02C00F37
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02C00051
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02C00025
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02C00F81
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02C00FD4
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02C00FEF
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02C000BF
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02B50036
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02B50FA8
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02B5001B
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02B5000A
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02B50FB9
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02B50FEF
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02B50FD4
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D5, 8A] {AAD 0x8a}
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02B5005B
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02B40055
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!system 77C293C7 5 Bytes JMP 02B40044
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02B40018
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02B40FEF
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02B40033
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02B40FDE
.text C:\WINDOWS\System32\svchost.exe[1088] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02850000
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02BE0FDE
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02BE000A
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02BE0025
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800F7C
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800067
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800F8D
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0080004A
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800FAF
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008000A7
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0080008C
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000C9
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800F30
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00800F15
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00800F9E
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00800F61
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 008000B8
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007F0FD4
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007F007D
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007F0FE5
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007F006C
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 007F005B
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007F004A
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0FA5
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0FC0
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0029
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E003A
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E000C
.text C:\WINDOWS\system32\svchost.exe[1196] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0076
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0F8D
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0FCA
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0087
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F4B
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0F13
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00AC
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00EC0F02
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00EC0FB9
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00EC0F5C
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00EC0036
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00EC0025
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00EC0F2E
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EA0F68
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EA0FD4
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EA0F79
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00EA001B
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EA0F9E
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90FAB
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90FC6
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90FD7
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00EB002C
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F4D
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0042
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F68
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0F94
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F15
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B005D
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00A4
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0093
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B00B5
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B0FDB
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F32
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[1392] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B0078
.text C:\WINDOWS\system32\wuauclt.exe[1392] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FA1
.text C:\WINDOWS\system32\wuauclt.exe[1392] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FB2
.text C:\WINDOWS\system32\wuauclt.exe[1392] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\wuauclt.exe[1392] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\system32\wuauclt.exe[1392] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0022
.text C:\WINDOWS\system32\wuauclt.exe[1392] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[1392] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[1392] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0F94
.text C:\WINDOWS\system32\wuauclt.exe[1392] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[1392] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[1392] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[1392] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\wuauclt.exe[1392] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002B0051
.text C:\WINDOWS\system32\wuauclt.exe[1392] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0036
.text C:\WINDOWS\system32\wuauclt.exe[1392] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1932] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0095
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0084
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0073
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0062
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F65
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00B7
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00EA
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00D9
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F36
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0051
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A00A6
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A002C
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A001B
.text C:\WINDOWS\Explorer.EXE[2988] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00C8
.text C:\WINDOWS\Explorer.EXE[2988] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290FA8
.text C:\WINDOWS\Explorer.EXE[2988] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290051
.text C:\WINDOWS\Explorer.EXE[2988] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[2988] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[2988] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290040
.text C:\WINDOWS\Explorer.EXE[2988] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[2988] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0029002F
.text C:\WINDOWS\Explorer.EXE[2988] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290014
.text C:\WINDOWS\Explorer.EXE[2988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A003B
.text C:\WINDOWS\Explorer.EXE[2988] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FB0
.text C:\WINDOWS\Explorer.EXE[2988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\Explorer.EXE[2988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[2988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\Explorer.EXE[2988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A000C
.text C:\WINDOWS\Explorer.EXE[2988] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[2988] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[2988] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[2988] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002C0025
.text C:\WINDOWS\Explorer.EXE[2988] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80000
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A00A4
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0FAF
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A007D
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A006C
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FD4
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00EB
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00D0
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F6D
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F88
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F5C
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A005B
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A000A
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A00B5
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0040
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0025
.text C:\Program Files\Messenger\msmsgs.exe[3532] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00FC
.text C:\Program Files\Messenger\msmsgs.exe[3532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F94
.text C:\Program Files\Messenger\msmsgs.exe[3532] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FB9
.text C:\Program Files\Messenger\msmsgs.exe[3532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FD4
.text C:\Program Files\Messenger\msmsgs.exe[3532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\Program Files\Messenger\msmsgs.exe[3532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290029
.text C:\Program Files\Messenger\msmsgs.exe[3532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FEF
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0FAF
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A002F
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A0FCA
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A000A
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0F72
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002A0F83
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [4A, 88]
.text C:\Program Files\Messenger\msmsgs.exe[3532] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0F9E
.text C:\Program Files\Messenger\msmsgs.exe[3532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002B0000
.text C:\Program Files\Messenger\msmsgs.exe[3532] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002C0FEF
.text C:\Program Files\Messenger\msmsgs.exe[3532] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002C0FD4
.text C:\Program Files\Messenger\msmsgs.exe[3532] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002C0FC3
.text C:\Program Files\Messenger\msmsgs.exe[3532] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002C0FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260087
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260076
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0026005B
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260040
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260025
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002600C4
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002600B3
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F3F
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F50
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00260F2E
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00260F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00260FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 002600A2
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00260014
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00260FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00260F61
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00350FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00350F6F
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00350FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0035002C
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00350FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0035001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00350F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360038
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360027
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0036000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FB7
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FD2
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A00FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DC000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A50000
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A50FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A5001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3952] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A50FC0
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0095
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0084
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0FA0
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0069
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A003D
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00C6
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F7E
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F52
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00EB
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00FC
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A004E
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0011
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F8F
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FD1
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0022
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F6D
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290011
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290051
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FD4
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290040
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290F94
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FAF
.text C:\WINDOWS\System32\svchost.exe[3956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0F9F
.text C:\WINDOWS\System32\svchost.exe[3956] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FB0
.text C:\WINDOWS\System32\svchost.exe[3956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FD2
.text C:\WINDOWS\System32\svchost.exe[3956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FC1
.text C:\WINDOWS\System32\svchost.exe[3956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FE3
.text C:\WINDOWS\System32\svchost.exe[3956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\gaopdxjsapvefveodahoyrxeucpxjcoejtraqc.sys (*** hidden *** ) B5E96000-B5EAD000 (94208 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gaopdxjsapvefveodahoyrxeucpxjcoejtraqc.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxjsapvefveodahoyrxeucpxjcoejtraqc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxjsapvefveodahoyrxeucpxjcoejtraqc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxwoxgevjniomadvmrniynmiodcnlttxbx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxjsapvefveodahoyrxeucpxjcoejtraqc.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxjsapvefveodahoyrxeucpxjcoejtraqc.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxwoxgevjniomadvmrniynmiodcnlttxbx.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\gaopdxjsapvefveodahoyrxeucpxjcoejtraqc.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\gaopdxcounter 4 bytes
File C:\WINDOWS\system32\gaopdxwoxgevjniomadvmrniynmiodcnlttxbx.dll 19968 bytes executable

---- EOF - GMER 1.0.15 ----

thx....

#4 c-good

c-good
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 21 March 2009 - 10:31 PM

I just downloaded ComboFix and did a scan. I had a rootkit. I know it's very dangerous and that I should change my passwords with another computer. I don't think I want to reformat, though, unless you tell me I really have to. Now everything seems to be fine and I can run all of my antispyware programs fine.

COMBOFIX LOG :

ComboFix 09-03-19.02 - c-good 2009-03-21 23:16:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2670 [GMT -4:00]
Running from: c:\documents and settings\c-good\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-2-9-16-100009768-100026766-100027582-6470.com
c:\windows\system32\drivers\gaopdxjsapvefveodahoyrxeucpxjcoejtraqc.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxwoxgevjniomadvmrniynmiodcnlttxbx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-04-11 17:50 . 2009-04-11 17:50 <DIR> d-------- c:\program files\Trend Micro
2009-04-11 17:18 . 2009-02-12 23:34 385 --a------ c:\windows\wininit.ini
2009-04-11 16:43 . 2009-04-11 16:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-04-10 19:17 . 2009-04-10 19:17 <DIR> d-------- c:\documents and settings\c-good\Application Data\McAfee
2009-04-10 16:26 . 2009-04-10 16:26 118 --a------ c:\windows\system32\MRT.INI
2009-04-09 17:18 . 2007-11-01 16:16 38 --a------ C:\nope.bat
2009-04-09 17:04 . 2009-04-09 17:04 208 --a------ C:\nf.exe
2009-04-09 16:17 . 2009-04-09 16:17 208 --a------ C:\new.exe
2009-04-05 00:02 . 2009-04-05 00:24 <DIR> d-------- c:\documents and settings\Owner\Application Data\Power Sound Editor Free
2009-04-05 00:01 . 2009-04-05 00:02 <DIR> d-------- c:\program files\Power Sound Editor Free
2009-04-05 00:01 . 2005-05-17 12:37 1,986,560 --a------ c:\windows\system32\NCTAudioFile2.dll
2009-04-05 00:01 . 2005-05-18 11:52 1,212,416 --a------ c:\windows\system32\NCTAudioInformation2.dll
2009-04-05 00:01 . 2005-04-15 12:08 880,640 --a------ c:\windows\system32\NCTAudioEditor2.dll
2009-04-05 00:01 . 2004-11-04 13:31 835,584 --a------ c:\windows\system32\NCTAudioCDGrabber2.dll
2009-04-05 00:01 . 2005-04-04 17:21 602,112 --a------ c:\windows\system32\NCTAudioTransform2.dll
2009-04-05 00:01 . 2005-03-28 15:54 479,232 --a------ c:\windows\system32\NCTAudioVisualization2.dll
2009-04-05 00:01 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioRecord2.dll
2009-04-05 00:01 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioPlayer2.dll
2009-04-05 00:01 . 2005-03-28 15:52 417,792 --a------ c:\windows\system32\NCTTextToAudio2.dll
2009-04-05 00:01 . 2005-02-24 11:51 348,160 --a------ c:\windows\system32\NCTWMAFile2.dll
2009-04-05 00:01 . 2002-01-05 16:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-04-05 00:01 . 2006-03-23 12:56 113,486 --a------ c:\windows\system32\NCTWMAProfiles.prx
2009-03-27 21:00 . 2009-03-27 21:00 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-20 22:30 . 2009-03-20 22:30 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-20 22:30 . 2009-03-20 22:30 <DIR> d-------- c:\documents and settings\c-good\Application Data\SUPERAntiSpyware.com
2009-03-20 22:29 . 2009-03-20 22:29 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-20 21:11 . 2009-03-20 21:11 <DIR> d-------- c:\program files\IntelliAdmin
2009-03-19 20:19 . 2009-03-21 23:00 <DIR> d-------- c:\documents and settings\c-good\Tracing
2009-03-19 18:26 . 2009-03-19 18:28 <DIR> d-------- c:\documents and settings\Owner\Tracing
2009-03-19 16:28 . 2009-03-21 12:02 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-19 16:27 . 2009-03-19 16:27 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-03-19 16:27 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-03-19 16:27 . 2009-02-06 18:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-03-19 16:26 . 2009-03-19 16:26 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-03-19 16:25 . 2009-03-19 16:25 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-19 16:25 . 2009-03-19 16:28 <DIR> d-------- c:\program files\Microsoft
2009-03-19 16:20 . 2009-03-19 16:20 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-17 11:19 . 2009-03-17 11:19 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-14 12:52 . 2009-03-14 12:58 139,264 --a------ c:\windows\War3Unin.exe
2009-03-14 12:52 . 2009-03-20 18:40 62,261 --a------ c:\windows\War3Unin.dat
2009-03-14 12:52 . 2009-03-14 12:58 2,829 --a------ c:\windows\War3Unin.pif
2009-03-14 12:49 . 2009-03-21 18:53 <DIR> d-------- C:\Warcraft III
2009-03-10 22:46 . 2009-03-10 22:46 <DIR> d-------- c:\documents and settings\c-good\Application Data\MozillaControl
2009-03-10 22:46 . 2009-03-10 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Launcher
2009-03-10 22:46 . 2009-03-10 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2009-03-10 22:45 . 2009-03-10 23:04 <DIR> d-------- c:\program files\VideoLAN
2009-03-02 22:13 . 2009-03-02 22:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-10 23:18 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-22 03:16 --------- d-----w c:\program files\Nakido
2009-03-22 03:13 --------- d-----w c:\documents and settings\c-good\Application Data\LimeWire
2009-03-21 00:09 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-21 00:06 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-21 00:02 --------- d-----w c:\documents and settings\c-good\Application Data\uTorrent
2009-03-20 23:16 --------- d-----w c:\documents and settings\c-good\Application Data\DVD Flick
2009-03-20 00:16 --------- d-----w c:\program files\MSN Messenger
2009-03-19 20:27 --------- d-----w c:\program files\Windows Live
2009-03-17 15:18 --------- d-----w c:\program files\McAfee
2009-03-14 19:47 --------- d-----w c:\program files\LimeWire
2009-03-13 22:36 --------- d-----w c:\program files\PokerStars
2009-02-20 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-02-18 23:53 --------- d-----w c:\program files\Warcraft III
2009-02-17 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2009-02-14 18:30 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-13 05:28 --------- d-----w c:\documents and settings\c-good\Application Data\ImgBurn
2009-02-13 05:22 --------- d-----w c:\program files\ImgBurn
2009-02-13 05:02 --------- d-----w c:\program files\DVD Flick
2009-02-13 04:42 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-02-13 03:41 --------- d-----w c:\program files\uTorrent
2009-02-12 02:58 --------- d-----w c:\program files\SafeSoft
2009-02-11 14:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 14:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 23:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 22:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2006-06-23 14:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
MarvellTrayStartup.lnk - c:\program files\Marvell\61xx\tray\RaidTray.bat [2008-09-02 143]

c:\documents and settings\c-good\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-03-10 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 738968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-16 13:07 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-16 13:07 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 06:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-16 13:07 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2008-05-16 02:39 16862720 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Marvell\\61xx\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nakido\\nakido.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\c-good\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-09-02 143360]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-03-19 55152]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [2007-09-05 57344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-03 210216]
R2 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [2007-06-18 20539]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [2008-09-18 320000]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-09-02 36864]
S2 WSNCS;Windows Server Network Colocation Service;c:\windows\system32\wsncs.exe --> c:\windows\system32\wsncs.exe [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-09-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kdtlt - c:\windows\system32\kdtlt.exe
MSConfigStartUp-WSCNS - c:\iup.exe
MSConfigStartUp-Secure System Restore - sysrestore.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 23:20:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_NDISPROT\0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-21 23:21:23
ComboFix-quarantined-files.txt 2009-03-22 03:21:20

Pre-Run: 206,852,296,704 bytes free
Post-Run: 207,263,395,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

234 --- E O F --- 2009-03-21 15:59:59

#5 jmw3 (MRU Teacher, Malware Response Team)

Posted 22 March 2009 - 08:19 AM

Hi
Please don't run Combofix unless I ask you to. :thumbup2: It is an extremely powerful program that can leave your computer a useless heap of metal & plastic if used incorrectly.

P2P Warning!
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

µTorrent | LimeWire 5.1.2

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
P2P file sharing used to be fairly safe. That is no longer true. I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

Messenger Plus! Live

If some programs listed are not present, please do not panic

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

http://www.bleepingcomputer.com/forums/index.php?showtopic=212662&hl=

Suspect::
C:\nope.bat
C:\nf.exe

File::
C:\new.exe
c:\windows\system32\wsncs.exe

Driver::
WSNCS

Registry::
[-HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys]
[-HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_NDISPROT\0000\LogConf]

DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Malwarebytes' Anti-Malware
  • Open Malwarebytes' AntiMalware then click the Update tab. Ensure the program is updated to the latest version & definitions - Version 1.34 & Definitions 1883
  • Once the program has loaded, select Perform full scan, then click Scan
  • When the scan is complete, click OK, then Show Results to view the results
  • Be sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.


Run Gmer again following the instructions posted previously.

To post in next reply:
Combofix log
Malwarebytes log
New Gmer log
New HijackThis log

Teacher, Malware Removal University - You too could train to help others
Member - UNITE, Alliance of Security Analysis Professionals
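The helper's script above works from three things visible in the ComboFix log: Security Center values flipped to 1 (AntiVirusDisableNotify, DisableMonitoring), the standard-profile firewall set to EnableFirewall=0, and a service (WSNCS) whose binary is listed as "[?]", i.e. missing on disk. As an added example, not code from the thread, from ComboFix or from sUBs, here is a small Python triage script that parses those line shapes as ComboFix prints them, flags each indicator, and emits the matching Registry:: and Driver:: blocks in the CFScript syntax the helper used. The sample input is constructed from the log in this thread; the parser only understands the REGEDIT4-style key/value lines and the R*/S* service lines shown there, and it never touches a live registry.

```python
"""Triage a ComboFix 'Reg Loading Points' / services dump for the tampering
indicators acted on in the thread, and build the CFScript sections to undo them.

Added example, not part of the forum thread. Assumptions: only the line shapes
ComboFix prints in the log above are handled; the CFScript Registry::/Driver::
syntax mirrors the helper's post; nothing here reads or writes a real registry.
"""
import re

# Sample input constructed from the log posted in the thread (not a live dump).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-09-02 143360]
S2 WSNCS;Windows Server Network Colocation Service;c:\windows\system32\wsncs.exe --> c:\windows\system32\wsncs.exe [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+?)\s*$')
# "S2 name;display name;path [date size]" or "... [?]" when the binary is missing.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)

# Security Center values that, when set to 1, silence AV/firewall/update warnings.
DISABLE_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify",
                 "updatesdisablenotify", "disablemonitoring"}


def parse_dword(val):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", val)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", val)
    if m:
        return int(m.group(1))
    return None


def triage(log_text):
    """Return a list of (kind, key_or_service, detail) findings."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, val = m.group("name"), parse_dword(m.group("val"))
            lname = name.lower()
            if "security center" in current_key.lower() and lname in DISABLE_FLAGS and val == 1:
                findings.append(("security_center_silenced", current_key, name))
            elif lname == "enablefirewall" and val == 0:
                findings.append(("firewall_disabled", current_key, name))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("stamp").strip() == "?":
            # ComboFix prints [?] when the service's image path does not exist on disk.
            image = m.group("path").split(" --> ")[0]
            findings.append(("service_missing_binary", m.group("svc"), image))
    return findings


def cfscript_registry_block(findings):
    """Registry:: section resetting each silenced Security Center value to 0."""
    lines = ["Registry::"]
    for kind, key, name in findings:
        if kind == "security_center_silenced":
            lines.append(f"[{key}]")
            lines.append(f'"{name}"=dword:00000000')
    return "\n".join(lines)


def cfscript_driver_block(findings):
    """Driver:: section naming each service whose binary is missing."""
    lines = ["Driver::"]
    for kind, svc, _ in findings:
        if kind == "service_missing_binary":
            lines.append(svc)
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for item in found:
        print(item)
    print(cfscript_registry_block(found))
    print(cfscript_driver_block(found))
```

The firewall finding is reported but deliberately not scripted: EnableFirewall=0 here is as likely to be McAfee's firewall taking over from the Windows one as it is tampering, which is why the helper left it alone and only reset the Security Center monitoring values.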


#6 c-good (Topic Starter)

Posted 22 March 2009 - 10:44 AM

OK, I am currently running the scans.

#7 c-good (Topic Starter)

Posted 22 March 2009 - 11:48 AM

OK, here are the logs:

COMBOFIX LOG:

ComboFix 09-03-19.02 - c-good 2009-03-22 11:20:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2454 [GMT -4:00]
Running from: c:\documents and settings\c-good\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\c-good\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
C:\new.exe
c:\windows\system32\wsncs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\new.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WSNCS
-------\Service_WSNCS


((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-04-11 17:50 . 2009-04-11 17:50 <DIR> d-------- c:\program files\Trend Micro
2009-04-11 17:18 . 2009-02-12 23:34 385 --a------ c:\windows\wininit.ini
2009-04-11 16:43 . 2009-04-11 16:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-04-10 19:17 . 2009-04-10 19:17 <DIR> d-------- c:\documents and settings\c-good\Application Data\McAfee
2009-04-10 16:26 . 2009-04-10 16:26 118 --a------ c:\windows\system32\MRT.INI
2009-04-09 17:18 . 2007-11-01 16:16 38 --a------ C:\nope.bat
2009-04-09 17:04 . 2009-04-09 17:04 208 --a------ C:\nf.exe
2009-04-05 00:02 . 2009-04-05 00:24 <DIR> d-------- c:\documents and settings\Owner\Application Data\Power Sound Editor Free
2009-04-05 00:01 . 2009-04-05 00:02 <DIR> d-------- c:\program files\Power Sound Editor Free
2009-04-05 00:01 . 2005-05-17 12:37 1,986,560 --a------ c:\windows\system32\NCTAudioFile2.dll
2009-04-05 00:01 . 2005-05-18 11:52 1,212,416 --a------ c:\windows\system32\NCTAudioInformation2.dll
2009-04-05 00:01 . 2005-04-15 12:08 880,640 --a------ c:\windows\system32\NCTAudioEditor2.dll
2009-04-05 00:01 . 2004-11-04 13:31 835,584 --a------ c:\windows\system32\NCTAudioCDGrabber2.dll
2009-04-05 00:01 . 2005-04-04 17:21 602,112 --a------ c:\windows\system32\NCTAudioTransform2.dll
2009-04-05 00:01 . 2005-03-28 15:54 479,232 --a------ c:\windows\system32\NCTAudioVisualization2.dll
2009-04-05 00:01 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioRecord2.dll
2009-04-05 00:01 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioPlayer2.dll
2009-04-05 00:01 . 2005-03-28 15:52 417,792 --a------ c:\windows\system32\NCTTextToAudio2.dll
2009-04-05 00:01 . 2005-02-24 11:51 348,160 --a------ c:\windows\system32\NCTWMAFile2.dll
2009-04-05 00:01 . 2002-01-05 16:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-04-05 00:01 . 2006-03-23 12:56 113,486 --a------ c:\windows\system32\NCTWMAProfiles.prx
2009-03-27 21:00 . 2009-03-27 21:00 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-20 22:30 . 2009-03-20 22:30 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-20 22:30 . 2009-03-20 22:30 <DIR> d-------- c:\documents and settings\c-good\Application Data\SUPERAntiSpyware.com
2009-03-20 22:29 . 2009-03-20 22:29 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-20 21:11 . 2009-03-21 23:37 <DIR> d-------- c:\program files\IntelliAdmin
2009-03-19 20:19 . 2009-03-22 11:24 <DIR> d-------- c:\documents and settings\c-good\Tracing
2009-03-19 18:26 . 2009-03-19 18:28 <DIR> d-------- c:\documents and settings\Owner\Tracing
2009-03-19 16:28 . 2009-03-21 12:02 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-19 16:27 . 2009-03-19 16:27 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-03-19 16:27 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-03-19 16:27 . 2009-02-06 18:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-03-19 16:26 . 2009-03-19 16:26 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-03-19 16:25 . 2009-03-19 16:25 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-19 16:25 . 2009-03-19 16:28 <DIR> d-------- c:\program files\Microsoft
2009-03-19 16:20 . 2009-03-19 16:20 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-17 11:19 . 2009-03-17 11:19 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-14 12:52 . 2009-03-14 12:58 139,264 --a------ c:\windows\War3Unin.exe
2009-03-14 12:52 . 2009-03-20 18:40 62,261 --a------ c:\windows\War3Unin.dat
2009-03-14 12:52 . 2009-03-14 12:58 2,829 --a------ c:\windows\War3Unin.pif
2009-03-14 12:49 . 2009-03-22 01:01 <DIR> d-------- C:\Warcraft III
2009-03-10 22:46 . 2009-03-10 22:46 <DIR> d-------- c:\documents and settings\c-good\Application Data\MozillaControl
2009-03-10 22:46 . 2009-03-10 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Launcher
2009-03-10 22:46 . 2009-03-10 22:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2009-03-10 22:45 . 2009-03-10 23:04 <DIR> d-------- c:\program files\VideoLAN
2009-03-02 22:13 . 2009-03-02 22:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-10 23:18 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-22 15:24 --------- d-----w c:\program files\Nakido
2009-03-22 15:24 --------- d-----w c:\documents and settings\c-good\Application Data\LimeWire
2009-03-22 15:10 --------- d-----w c:\program files\MSN Messenger
2009-03-22 03:52 --------- d-----w c:\documents and settings\c-good\Application Data\uTorrent
2009-03-21 00:09 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-21 00:06 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-20 23:16 --------- d-----w c:\documents and settings\c-good\Application Data\DVD Flick
2009-03-19 20:27 --------- d-----w c:\program files\Windows Live
2009-03-17 15:18 --------- d-----w c:\program files\McAfee
2009-03-14 19:47 --------- d-----w c:\program files\LimeWire
2009-03-13 22:36 --------- d-----w c:\program files\PokerStars
2009-02-18 23:53 --------- d-----w c:\program files\Warcraft III
2009-02-17 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2009-02-14 18:30 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-13 05:28 --------- d-----w c:\documents and settings\c-good\Application Data\ImgBurn
2009-02-13 05:22 --------- d-----w c:\program files\ImgBurn
2009-02-13 05:02 --------- d-----w c:\program files\DVD Flick
2009-02-13 04:42 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-02-13 03:41 --------- d-----w c:\program files\uTorrent
2009-02-12 02:58 --------- d-----w c:\program files\SafeSoft
2009-02-11 14:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 14:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-06 23:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2006-06-23 14:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-21_23.20.45.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-22 01:21:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-22 15:08:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-22 01:21:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-22 15:08:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-22 01:21:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-22 15:08:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
MarvellTrayStartup.lnk - c:\program files\Marvell\61xx\tray\RaidTray.bat [2008-09-02 143]

c:\documents and settings\c-good\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-03-10 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 738968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-16 13:07 8491008 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-16 13:07 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-16 13:07 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2008-05-16 02:39 16862720 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Marvell\\61xx\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Nakido\\nakido.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\c-good\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-09-02 143360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-03-19 55152]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [2007-09-05 57344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-03 210216]
R2 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [2007-06-18 20539]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [2008-09-18 320000]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-09-02 36864]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-09-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 11:24:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\c-good\Application Data\LimeWire\promotion\promodb.log 42 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-03-22 11:27:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-22 15:27:17
ComboFix2.txt 2009-03-22 03:21:24

Pre-Run: 207,212,978,176 bytes free
Post-Run: 207,137,497,088 bytes free

237 --- E O F --- 2009-03-21 15:59:59



MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.34
Database version: 1883
Windows 5.1.2600 Service Pack 3

3/22/2009 11:57:52 AM
mbam-log-2009-03-22 (11-57-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 127884
Time elapsed: 23 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\c-good\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:49 PM, on 3/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8021 bytes


GMER LOG

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-22 12:43:27
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB59EAF20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB59059CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB5905978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB590598C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB5905A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB5905950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB5905964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB59059DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB59059B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB59059A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB5905A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB5905A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB59059F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\RECYCLER 0 bytes
File C:\RECYCLER\S-1-5-21-507921405-1965331169-1417001333-1005 0 bytes
File C:\RECYCLER\S-1-5-21-507921405-1965331169-1417001333-1005\Dc1.log 82009 bytes
File C:\RECYCLER\S-1-5-21-507921405-1965331169-1417001333-1005\desktop.ini 65 bytes
File C:\RECYCLER\S-1-5-21-507921405-1965331169-1417001333-1005\INFO2 820 bytes

---- EOF - GMER 1.0.15 ----


thanks

#8 jmw3

jmw3

    MRU Teacher


  • Malware Response Team
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:28 AM

Posted 22 March 2009 - 12:29 PM

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines (if still present):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -

  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.
Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 12.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked:
      • Applications and Applets
      • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel
ATF Cleaner
Download ATF Cleaner here by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
  • Click Exit on the Main menu to close the program.

Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
Kaspersky Scan log
New HijackThis log
Let me know how the computer is running

Teacher, Malware Removal University - You too could train to help others
Member - UNITE, Alliance of Security Analysis Professionals


#9 c-good

c-good
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 22 March 2009 - 01:01 PM

OK, the online scan is running right now.

#10 c-good

c-good
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 22 March 2009 - 01:27 PM

OK, well, it says "updating database" and it's really long. I was at 78% and it dropped back to 1% and the update size doubled. Anyway, I have to go now and I'm going to be back in like 2-3 hours. I will post the results then.

thanks

#11 c-good

c-good
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 22 March 2009 - 06:21 PM

Hi, my computer is running well, and I don't have any problems that affect the speed of it or anything like that.

Kaspersky scan

Sunday, March 22, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 22, 2009 19:05:52
Records in database: 1951592


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 49299
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 01:36:26

File name Threat name Threats count
C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\be our guest karaoke - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1

C:\Documents and Settings\Owner\My Documents\LimeWire\Saved\two half men theme - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1

The selected area was scanned.

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:49 PM, on 3/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7948 bytes

#12 jmw3

jmw3

    MRU Teacher


  • Malware Response Team
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:28 AM

Posted 22 March 2009 - 10:38 PM

Hi

"Hi, my computer is running well, and I don't have any problems that affect the speed of it or anything like that."

Good to hear :thumbup2:

Delete the two wma files Kaspersky flagged - they're infected.


Clean Up
Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following text into the Run box and click OK:
ComboFix /u
OTCleanIt
Download OTCleanIt here & save it to your desktop.
Double click on OTCleanIt.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Open Malwarebytes' Anti-Malware, click Quarantine then Delete All. Close the program.

All Clean
Congratulations, good work. Once those wma files are deleted your system will be clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


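The HOSTS lookup the post describes, as an added Python illustration that is not part of this thread or of the Hosts Manager tool it recommends: it parses a small constructed HOSTS file in the Windows format and shows a blocklisted name resolving to the local machine before DNS is ever consulted. Every hostname in it is a placeholder under the reserved .invalid domain, not a real indicator.

```python
"""Parse a Windows-style HOSTS file and show how a blocklist entry
"short circuits" a lookup by pointing a name at the local machine.

Added illustration, not code from the thread or from the Hosts Manager
tool the post recommends. The HOSTS text below is constructed for the
example; a real blocklist is tens of thousands of lines long.
"""
import ipaddress

# Constructed sample in the format Windows expects:
# "<address> <hostname> [hostname ...]", '#' starts a comment, tabs or
# spaces separate fields. Names under .invalid are placeholders only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- blocklist entries added by a HOSTS manager (constructed) ---
127.0.0.1\tads.example-tracker.invalid   www.ads.example-tracker.invalid
0.0.0.0         malware-download.example.invalid  # some lists use 0.0.0.0
127.0.0.1   MIXED.Case.example.invalid
10.0.0.5    intranet.example.invalid          # ordinary override, not a block
"""

# Addresses a blocklist uses to sink a name: loopback or the null address.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Names that legitimately map to loopback and must not be reported as blocked.
LEGIT_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return {hostname (lowercased): address} from HOSTS-file text.

    Windows takes the first matching line, so the first mapping seen for a
    name wins; later duplicates are ignored rather than overriding it.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # strip trailing/whole-line comments
        if not line:
            continue
        fields = line.split()                  # tabs and spaces both separate fields
        if len(fields) < 2:
            continue                           # malformed line: no hostname
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # first field is not an IP address
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def resolve(hostname, hosts):
    """Mimic the order the post describes: HOSTS first, DNS only on a miss.

    Returns (address, source). No network lookup is made here; a miss just
    reports that the query would fall through to DNS.
    """
    addr = hosts.get(hostname.rstrip(".").lower())
    if addr is not None:
        return addr, "hosts"
    return None, "dns"


def is_blocked(hostname, hosts):
    """True if the HOSTS file sinks this name to the local/null address."""
    key = hostname.rstrip(".").lower()
    if key in LEGIT_LOOPBACK_NAMES:
        return False
    addr, source = resolve(key, hosts)
    return source == "hosts" and addr in SINK_ADDRESSES


def blocked_names(hosts):
    """Every name the file sinks, sorted, for auditing what a list actually does."""
    return sorted(
        name for name, addr in hosts.items()
        if addr in SINK_ADDRESSES and name not in LEGIT_LOOPBACK_NAMES
    )


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.invalid", "Mixed.Case.example.invalid",
                 "intranet.example.invalid", "www.bleepingcomputer.com"):
        print(f"{name:35} -> {resolve(name, table)}  blocked={is_blocked(name, table)}")
    print("sunk by this file:", blocked_names(table))
```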

#13 c-good

c-good
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 23 March 2009 - 03:39 PM

Hi jmw3, THANK YOU a lot for everything :thumbup2: you have been a great help. I downloaded everything you asked me to. Hopefully I won't have to post again.

thanks again

chris

#14 jmw3

jmw3

    MRU Teacher


  • Malware Response Team
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:28 AM

Posted 23 March 2009 - 09:09 PM

Glad I could help :thumbup2:

Good luck & safe surfing.

-------------------------

As this issue appears to be resolved, this Topic is closed.
Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.
This applies only to the original poster. Everyone else please begin a New Topic.
