
Malware Defender 2009 detected, removed, now MBAM won't work, searches being rerouted


  • This topic is locked
12 replies to this topic

#1 mkmom

  • Members
  • 8 posts

Posted 28 March 2009 - 08:42 AM

Hi, I have been having difficulties with my computer for the last several days. I found MBAM and ran it, and it got rid of several Trojans. Now MBAM won't work, and some of my searches don't go to the intended search. Here are the DDS logs. Help me please.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Stacy at 9:32:24.28 on Sat 03/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.128 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Stacy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/home.html
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
IE: &Search
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\stacy\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: gyuwtl.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-27 201320]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-2 124832]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-3-27 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-27 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-27 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-27 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-27 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-27 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-27 40488]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-21 24652]

=============== Created Last 30 ================

2009-03-28 08:00 26,327,040 a------- C:\Backup.bkf
2009-03-28 07:57 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-27 22:34 <DIR> --d----- c:\documents and settings\stacy\DoctorWeb
2009-03-27 21:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 21:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 21:07 <DIR> --d----- c:\program files\Ma
2009-03-27 19:16 <DIR> --d----- c:\docume~1\stacy\applic~1\poydodkg
2009-03-27 17:35 10,752 a------- c:\windows\system32\iehelper.dll
2009-03-27 17:26 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-26 15:52 <DIR> --d----- c:\docume~1\stacy\applic~1\Malwarebytes
2009-03-26 15:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-26 15:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-22 19:02 <DIR> --d----- c:\docume~1\stacy\applic~1\McAfee
2009-03-22 17:35 <DIR> --d----- c:\windows\Google Toolbar
2009-03-11 22:18 <DIR> --d----- c:\program files\JRE
2009-03-11 22:18 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-03-01 11:07 <DIR> --d----- c:\program files\USAPhotoMaps

==================== Find3M ====================

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2002-01-18 07:52 3,932 -------- c:\docume~1\stacy\applic~1\LMLayout.dat
2008-08-19 11:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 9:33:46.10 ===============



Thanks for any help you can give me!
Stacy


Edited by mkmom, 28 March 2009 - 08:45 AM.




#2 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 March 2009 - 03:51 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 mkmom

  • Topic Starter

  • Members
  • 8 posts

Posted 29 March 2009 - 04:17 PM

Hi Sam and thank you!!
There were two logs created by the first scan (OTListIt2):

OTListIt logfile created on: 3/29/2009 5:09:36 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.2 Folder = C:\Documents and Settings\Stacy\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 164.03 Mb Available Physical Memory | 32.16% Memory free
1.22 Gb Paging File | 0.77 Gb Available in Paging File | 63.35% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 55.75 Gb Free Space | 74.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOMEOFFICE
Current User Name: Stacy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/08/03 23:33:14 | 00,582,992 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [1997/08/19 00:00:00 | 00,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE
PRC - [2007/10/02 15:46:56 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2003/08/06 17:58:26 | 01,376,360 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/01/09 16:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\mcafee\mna\mcnasvc.exe
PRC - [2007/08/15 12:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2007/07/24 12:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2007/07/18 15:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2004/08/26 19:40:20 | 00,282,624 | ---- | M] (Digital Networks North America, Inc.) -- C:\WINDOWS\system32\RioMSC.exe
PRC - [2003/01/10 18:13:04 | 00,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2007/12/05 10:04:10 | 00,695,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2007/11/07 09:35:40 | 00,378,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe
PRC - [2007/11/07 09:35:40 | 00,361,800 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
PRC - [2008/06/14 10:41:54 | 00,781,288 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2008/12/19 01:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/12/19 01:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\Iexplore.exe
PRC - [2007/11/13 13:16:26 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdui.exe
PRC - [2009/03/29 17:09:11 | 00,498,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stacy\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/02 15:46:56 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0 [Auto | Running])
SRV - [2003/08/06 17:58:26 | 01,376,360 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS [Auto | Running])
SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/01/11 23:30:15 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2008/01/09 16:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc [Auto | Running])
SRV - [2007/11/07 09:35:40 | 00,378,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Running])
SRV - [2007/08/15 12:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2007/07/24 12:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
SRV - [2007/12/05 10:04:10 | 00,695,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
SRV - [2007/07/18 15:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/08/26 19:40:20 | 00,282,624 | ---- | M] (Digital Networks North America, Inc.) -- C:\WINDOWS\system32\RioMSC.exe -- (RioMSC [Auto | Running])
SRV - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Stopped])
SRV - [2003/01/10 18:13:04 | 00,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2007/03/27 22:11:57 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM [Auto | Running])
DRV - [2004/12/13 17:14:00 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
DRV - [2003/03/04 13:56:26 | 00,145,408 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2008/04/17 14:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/07/19 19:34:22 | 01,049,180 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2005/05/06 15:42:26 | 01,339,776 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC51.sys -- (IntelC51 [On_Demand | Stopped])
DRV - [2006/03/01 21:30:54 | 00,618,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC52.sys -- (IntelC52 [On_Demand | Stopped])
DRV - [2005/05/06 15:40:50 | 00,047,360 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\IntelC53.sys -- (IntelC53 [On_Demand | Stopped])
DRV - [2007/12/25 10:17:07 | 00,008,413 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\drivers\mcstrm.sys -- (MCSTRM [Auto | Running])
DRV - [2007/11/22 06:44:08 | 00,079,304 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2007/11/22 06:44:08 | 00,035,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2007/11/22 06:44:08 | 00,201,320 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2007/11/22 06:44:04 | 00,033,832 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Running])
DRV - [2007/12/02 12:51:42 | 00,040,488 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
DRV - [2005/05/06 15:40:20 | 00,036,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\mohfilt.sys -- (mohfilt [On_Demand | Stopped])
DRV - [2007/07/13 09:20:24 | 00,113,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2001/08/22 09:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI [System | Running])
DRV - [2004/08/04 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/01/11 23:21:31 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/02/16 16:51:26 | 00,016,128 | ---- | M] (Digital Networks North America, Inc.) -- C:\WINDOWS\System32\Drivers\RIOUNIV.sys -- (RIOUNIV [On_Demand | Stopped])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/09/17 10:02:54 | 00,732,928 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
DRV - [2005/01/27 16:31:06 | 00,260,352 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2007/05/18 12:41:30 | 00,037,760 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\System32\Drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
DRV - [2008/11/07 15:23:30 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2003/01/10 18:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\system32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1960408961-796845957-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1960408961-796845957-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1960408961-796845957-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1960408961-796845957-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1960408961-796845957-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
IE - HKU\S-1-5-21-1960408961-796845957-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1960408961-796845957-725345543-1004\S-1-5-21-1960408961-796845957-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1960408961-796845957-725345543-1004\S-1-5-21-1960408961-796845957-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe File not found
O4 - HKU\S-1-5-18..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe File not found
O4 - HKU\S-1-5-19..\Run: [jitegegave] Rundll32.exe "C:\WINDOWS\system32\pasogida.dll",s File not found
O4 - HKU\S-1-5-20..\Run: [jitegegave] Rundll32.exe "C:\WINDOWS\system32\pasogida.dll",s File not found
O4 - HKU\S-1-5-21-1960408961-796845957-725345543-1004..\Run: [Aim6] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2009/03/28 08:13:01 | 00,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe (Metacafe)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1960408961-796845957-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Search - Reg Error: Value error.
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1960408961-796845957-725345543-1004\..Trusted Sites: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-1960408961-796845957-725345543-1004\..Trusted Sites: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1960408961-796845957-725345543-1004\..Trusted Sites: mcafee.com ([]https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab (Pearson Installation Assistant 2)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} http://asp.mathxl.com/books/_Players/MathPlayer.cab (Pearson MathXL Player)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Filter: - AutorunsDisabled - Reg Error: Key error. File not found
O20 - AppInit_DLLs: (gyuwtl.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:AutorunsDisabled () -
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/03/27 17:50:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{120116c7-0e9f-11de-b4f6-00038a000015}\Shell\AutoRun\command - "" = G:\setupSNK.exe -- File not found
O33 - MountPoints2\{9cf87bc9-010b-11dd-b497-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{9cf87bc9-010b-11dd-b497-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9cf87bc9-010b-11dd-b497-00038a000015}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/03/29 17:09:10 | 00,498,688 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Stacy\Desktop\OTListIt2.exe
[2009/03/29 13:10:05 | 00,297,329 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\family collage
[2009/03/29 13:08:53 | 00,562,419 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\myspace_collage family.pdf
[2009/03/29 12:57:56 | 00,305,238 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\friends collage
[2009/03/29 12:56:39 | 00,575,243 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\myspace_collage friends.pdf
[2009/03/29 12:45:11 | 00,295,117 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\collage
[2009/03/29 12:39:43 | 00,551,878 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\myspace_collage.pdf
[2009/03/28 17:08:37 | 00,021,504 | ---- | C] () -- C:\Documents and Settings\Stacy\My Documents\viruses.doc
[2009/03/28 09:31:41 | 00,360,002 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\dds.scr
[2009/03/28 08:13:01 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
[2009/03/28 08:00:46 | 26,327,040 | ---- | C] () -- C:\Backup.bkf
[2009/03/28 07:57:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/03/28 06:47:42 | 02,906,232 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Stacy\Desktop\mbam-setup.exe
[2009/03/28 06:34:58 | 00,001,254 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\DrWebrept.csv
[2009/03/27 22:29:32 | 13,378,312 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Stacy\Desktop\drweb-cureit.exe
[2009/03/27 22:06:51 | 02,028,760 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Stacy\Desktop\mbam-rules.exe
[2009/03/27 21:07:38 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/27 21:07:38 | 00,000,570 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/27 21:07:35 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/27 21:07:34 | 00,000,000 | ---D | C] -- C:\Program Files\Ma
[2009/03/27 21:06:44 | 02,906,232 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Stacy\Desktop\masetup.exe
[2009/03/27 20:59:22 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Stacy\My Documents\Modern Day Romeo and Juliet on a Talk Show.doc
[2009/03/27 19:16:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stacy\Local Settings\Application Data\poydodkg
[2009/03/27 19:16:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stacy\Application Data\poydodkg
[2009/03/27 17:26:06 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2009/03/26 18:57:48 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Stacy\My Documents\These are all the tools used for this experiment.doc
[2009/03/26 18:57:21 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Stacy\My Documents\I repeated these steps 3 more times.doc
[2009/03/26 18:07:26 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Stacy\My Documents\Question.doc
[2009/03/26 15:52:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stacy\Application Data\Malwarebytes
[2009/03/26 15:51:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/26 15:51:52 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/25 20:41:51 | 00,002,153 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\graph.pdf
[2009/03/25 15:29:29 | 00,000,022 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\stinger10000482.opt
[2009/03/25 12:47:54 | 02,639,879 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Stacy\Desktop\stinger10000482.exe
[2009/03/25 06:39:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/03/22 19:02:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stacy\Application Data\McAfee
[2009/03/22 17:36:09 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Stacy\Desktop\%SystemDrive%
[2009/03/22 17:35:40 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Stacy\Desktop\%USERPROFILE%
[2009/03/22 17:35:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\Google Toolbar
[2009/03/11 22:21:23 | 00,000,905 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.0.lnk
[2009/03/11 22:18:48 | 00,000,000 | ---D | C] -- C:\Program Files\JRE
[2009/03/11 22:18:34 | 00,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3
[2009/03/01 23:04:27 | 00,021,504 | ---- | C] () -- C:\Documents and Settings\Stacy\My Documents\Romeo and Juliet questions.doc
[2009/03/01 16:25:21 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\Stacy\My Documents\marco polo.doc
[2009/03/01 14:34:07 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Stacy\Desktop\a great explorer for many years.doc
[2009/03/01 11:07:56 | 00,000,000 | ---D | C] -- C:\Program Files\USAPhotoMaps

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/03/29 17:09:11 | 00,498,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stacy\Desktop\OTListIt2.exe
[2009/03/29 17:06:45 | 00,002,421 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/03/29 13:09:34 | 00,297,329 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\family collage
[2009/03/29 13:08:54 | 00,562,419 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\myspace_collage family.pdf
[2009/03/29 12:57:35 | 00,305,238 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\friends collage
[2009/03/29 12:56:41 | 00,575,243 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\myspace_collage friends.pdf
[2009/03/29 12:44:47 | 00,295,117 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\collage
[2009/03/29 12:39:48 | 00,551,878 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\myspace_collage.pdf
[2009/03/29 08:59:12 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/29 08:58:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/29 08:57:59 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/28 17:08:37 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Stacy\My Documents\viruses.doc
[2009/03/28 09:31:42 | 00,360,002 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\dds.scr
[2009/03/28 09:17:42 | 04,301,654 | -H-- | M] () -- C:\Documents and Settings\Stacy\Local Settings\Application Data\IconCache.db
[2009/03/28 08:05:24 | 26,327,040 | ---- | M] () -- C:\Backup.bkf
[2009/03/28 06:47:47 | 02,906,232 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Stacy\Desktop\mbam-setup.exe
[2009/03/28 06:34:58 | 00,001,254 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\DrWebrept.csv
[2009/03/27 22:29:32 | 13,378,312 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Stacy\Desktop\drweb-cureit.exe
[2009/03/27 22:06:58 | 02,028,760 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Stacy\Desktop\mbam-rules.exe
[2009/03/27 21:07:38 | 00,000,570 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/27 21:06:50 | 02,906,232 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Stacy\Desktop\masetup.exe
[2009/03/27 20:59:23 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Stacy\My Documents\Modern Day Romeo and Juliet on a Talk Show.doc
[2009/03/27 17:26:14 | 00,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/26 18:57:48 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Stacy\My Documents\These are all the tools used for this experiment.doc
[2009/03/26 18:57:21 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Stacy\My Documents\I repeated these steps 3 more times.doc
[2009/03/26 18:46:45 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Stacy\My Documents\Question.doc
[2009/03/26 16:49:56 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/26 16:49:50 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/26 16:28:25 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\viburita
[2009/03/26 07:39:49 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/03/26 07:06:20 | 00,000,022 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\stinger10000482.opt
[2009/03/25 20:42:01 | 00,002,153 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\graph.pdf
[2009/03/25 12:48:09 | 02,639,879 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Stacy\Desktop\stinger10000482.exe
[2009/03/22 19:28:02 | 00,130,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/22 17:24:34 | 00,000,150 | ---- | M] () -- C:\WINDOWS\System32\LM_SUPPORT.INI
[2009/03/15 01:49:17 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/03/11 22:21:23 | 00,000,905 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.0.lnk
[2009/03/11 03:09:44 | 00,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/11 03:09:44 | 00,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/11 03:09:43 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/11 03:01:08 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/01 23:04:28 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Stacy\My Documents\Romeo and Juliet questions.doc
[2009/03/01 16:49:16 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Stacy\My Documents\marco polo.doc
[2009/03/01 14:35:03 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Stacy\Desktop\a great explorer for many years.doc
[2009/03/01 02:00:01 | 00,000,334 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
< End of report >



OTListIt Extras logfile created on: 3/29/2009 5:09:36 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.2 Folder = C:\Documents and Settings\Stacy\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 164.03 Mb Available Physical Memory | 32.16% Memory free
1.22 Gb Paging File | 0.77 Gb Available in Paging File | 63.35% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 55.75 Gb Free Space | 74.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOMEOFFICE
Current User Name: Stacy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"80:TCP" = 80:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 20:12:25 | 00,245,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard
[2006/11/03 03:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
File not found -- C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk
[2004/08/26 19:40:04 | 08,163,328 | ---- | M] (Digital Networks North America, Inc.) -- C:\Program Files\Rio\Rio Music Manager\riomm.exe:*:Enabled:Rio Music Manager
File not found -- C:\WINDOWS\system32\spool\drivers\w32x86\3\LMpdpsrv.exe:*:Disabled:PDP RPC Server
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger
[2002/12/10 18:03:00 | 00,122,880 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Disabled:SAgent4
[2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
[2008/10/31 15:22:38 | 00,050,480 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM
[2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/11/20 14:20:48 | 14,294,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
File not found -- C:\Program Files\Leisure Suit Larry™ - Magna Cum Laude Trailer\LSLMCMtrailer.exe:*:Enabled:LSLMCMtrailer
[2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe:*:Enabled:Explorer

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series" = Canon iP1800 series
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{183135A3-2CE8-43B5-BA5A-757EBAECB413}" = Disney Pix Micro Downloader
"{282EF7E3-AE54-48AE-A11D-27F512F23AB3}" = Rio Music Manager
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{493F2531-C2E5-4B73-8B11-66E9CFDA9AFA}" = Rio Internet Update
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{83d96ed0-98aa-4515-8ddc-816f3efdd104}" = DB CIF Cam
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{924EB80F-C2BB-4B9F-8412-88BBA937393F}" = MobileMe Control Panel
"{9455959E-D588-EFAE-329C-F66CC797F32A}" = Adobe Media Player
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{C9618743-1A5C-461E-91C4-E013A3D70F3C}" = Adobe® Photoshop® Album Starter Edition 3.0.1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DC8235CC-3D5A-4D32-94BE-E2F0A1749920}" = Disney Pix 2.2
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"AIM_6" = AIM 6
"America Online us" = America Online (Choose which version to remove)
"AolCoach" = AOL Coach Version 1.0(Build:20030807.3)
"Best Buy Digital Music Store" = Best Buy Digital Music Store
"Canon iP1800 series User Registration" = Canon iP1800 series User Registration
"CanonMyPrinter" = Canon My Printer
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Easy-LayoutPrint" = Canon Utilities Easy-LayoutPrint
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"getPlus®_ocx" = getPlus®_ocx
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"InterActual Player" = InterActual Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MSC" = McAfee SecurityCenter
"Musicnotes Player_is1" = Musicnotes Player V1.23.2 and Viewer
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer Basic
"StreetPlugin" = Learn2 Player (Uninstall Only)
"USAPhotoMaps" = USAPhotoMaps (remove only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"Word8.0" = Microsoft Word 97
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/28/2009 7:31:50 AM | Computer Name = HOMEOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application _iu14D2N.tmp, version 51.49.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2009 7:51:29 AM | Computer Name = HOMEOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application _iu14D2N.tmp, version 51.49.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2009 8:05:19 AM | Computer Name = HOMEOFFICE | Source = NTBackup | ID = 8001
Description = End Backup of 'C:' 'Warnings or errors were encountered.' Verify:
Off Mode: Append Type: Normal Consult the backup report for more details.

Error - 3/28/2009 8:05:24 AM | Computer Name = HOMEOFFICE | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 3/28/2009 9:19:05 AM | Computer Name = HOMEOFFICE | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 3/28/2009 9:20:12 AM | Computer Name = HOMEOFFICE | Source = Application Error | ID = 1004
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 3/28/2009 9:25:12 AM | Computer Name = HOMEOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application _iu14D2N.tmp, version 51.49.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2009 4:26:16 PM | Computer Name = HOMEOFFICE | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 3/28/2009 4:28:43 PM | Computer Name = HOMEOFFICE | Source = Application Error | ID = 1004
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 3/29/2009 8:58:27 AM | Computer Name = HOMEOFFICE | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

[ System Events ]
Error - 3/29/2009 5:08:29 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:08:30 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:08:42 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:08:45 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:08:57 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:09:02 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:09:34 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:10:07 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:10:09 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).

Error - 3/29/2009 5:10:10 PM | Computer Name = HOMEOFFICE | Source = Service Control Manager | ID = 7024
Description = The Remote Access Connection Manager service terminated with service-specific
error 3221356592 (0xC0020030).


< End of report >



I will run the second one and post another reply with that one.
Thanks again,
Stacy

#4 mkmom (Topic Starter, Members, 8 posts)

Posted 29 March 2009 - 09:42 PM

Ok, here are the GMER results. There was a pop-up that said "Warning your registry has been changed" or something to that effect.

As far as how the computer has been acting: my Google searches are redirected; one time there was what sounded like a video or TV show playing in the background when the computer was NOT online; it was opening up multiple new windows in IE prior to the Malwarebytes scan that was done 4 days ago; my McAfee has changed its firewall settings on its own a few times (I have been putting it on lockdown when I'm not sitting here online); today the computer showed a blue screen which said "shutting down for safety of your files" or something. It restarted OK. I have been running McAfee scans every morning and once or twice throughout the day and it always finds 2-4 items and quarantines them. I think that is all that I can remember. Thanks for your help!




GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-29 22:31:33
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEF0B99AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEF0B9A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEF0B9958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEF0B996C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEF0B9A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEF0B9A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEF0B9AF4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEF0B9AD9]
Code 82BDDBF8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEF0B99EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEF0B9B1E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEF0B9A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEF0B9930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEF0B9944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEF0B99BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEF0B9B5A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEF0B9AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEF0B9AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEF0B9A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEF0B9B46]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEF0B9B32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEF0B9996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEF0B9982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEF0B9A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEF0B9A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEF0B9B08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEF0B9A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEF0B99D4]
Code 82BE1ED6 IofCallDriver
Code 82C2A096 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82BE1EDB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82C2A09B
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EF0B99D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP EF0B9A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP EF0B9AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP EF0B99AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP EF0B9986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP EF0B9A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP EF0B9B5E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP EF0B9AF8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP EF0B9934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP EF0B99C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP EF0B9A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP EF0B9A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP EF0B99EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 82BDDBFC
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP EF0B9970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP EF0B9A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP EF0B9948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP EF0B9B22 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP EF0B9ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP EF0B9A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP EF0B9A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EF0B995C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP EF0B999A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA12 7 Bytes JMP EF0B9B0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E338 7 Bytes JMP EF0B9AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP EF0B9A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ECA9 5 Bytes JMP EF0B9B36 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F112 5 Bytes JMP EF0B9B4A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\McAfee.com\Agent\mcagent.exe[216] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00D2000A
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[216] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01010F69
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01010054
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01010F7A
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01010F97
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0101002F
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0101007B
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01010F33
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010100A0
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01010F07
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01010EEC
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01010FA8
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01010FDE
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01010F44
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0101001E
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01010FCD
.text C:\WINDOWS\system32\svchost.exe[296] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01010F22
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FE002C
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FE0FAC
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FE0069
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FE004E
.text C:\WINDOWS\system32\svchost.exe[296] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FE003D
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0FAD
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0038
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0FE3
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0FC8
.text C:\WINDOWS\system32\svchost.exe[296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0011
.text C:\WINDOWS\system32\svchost.exe[296] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[296] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[296] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\svchost.exe[296] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\svchost.exe[296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0FE5
.text C:\Program Files\Microsoft Office\Office\OSA.EXE[480] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0094000A
.text C:\Program Files\Microsoft Office\Office\OSA.EXE[480] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\winlogon.exe[644] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\winlogon.exe[644] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0065000A
.text C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe[668] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0073000A
.text C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe[668] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0074000A
.text C:\WINDOWS\system32\services.exe[692] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\services.exe[692] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01580FEF
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0158009A
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01580FA5
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0158007F
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01580058
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0158002C
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01580F63
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015800AB
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015800F2
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015800E1
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01580103
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0158003D
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0158000A
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01580F80
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01580FC0
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0158001B
.text C:\WINDOWS\system32\services.exe[692] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 015800BC
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0156001B
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0156005B
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01560FD4
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0156000A
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01560F9E
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01560FEF
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01560FB9
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [76, 89] {JBE 0xffffffffffffff8b}
.text C:\WINDOWS\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01560040
.text C:\WINDOWS\system32\services.exe[692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0038
.text C:\WINDOWS\system32\services.exe[692] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FAD
.text C:\WINDOWS\system32\services.exe[692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\services.exe[692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FC8
.text C:\WINDOWS\system32\services.exe[692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\services.exe[692] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01570000
.text C:\WINDOWS\system32\services.exe[692] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01570FE5
.text C:\WINDOWS\system32\services.exe[692] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0157001B
.text C:\WINDOWS\system32\services.exe[692] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01570FCA
.text C:\WINDOWS\system32\services.exe[692] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 006F000A
.text C:\WINDOWS\system32\lsass.exe[720] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0072000A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01290FEF
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0129005B
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01290F66
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0129004A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01290039
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01290FA8
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01290F1D
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01290F2E
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01290EE0
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01290EFB
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01290EC5
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01290F97
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01290FDE
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01290F4B
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01290FC3
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0129000A
.text C:\WINDOWS\system32\lsass.exe[720] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01290F0C
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01270FB2
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01270F75
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01270FC3
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01270FDE
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01270032
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01270FEF
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01270F90
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [47, 89]
.text C:\WINDOWS\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01270FA1
.text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01260FBC
.text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!system 77C293C7 5 Bytes JMP 01260FCD
.text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01260033
.text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0126000C
.text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01260FDE
.text C:\WINDOWS\system32\lsass.exe[720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01260FEF
.text C:\WINDOWS\system32\lsass.exe[720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01250000
.text C:\WINDOWS\system32\lsass.exe[720] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01280000
.text C:\WINDOWS\system32\lsass.exe[720] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01280FEF
.text C:\WINDOWS\system32\lsass.exe[720] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01280FDE
.text C:\WINDOWS\system32\lsass.exe[720] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01280FC3
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[772] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0080000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[772] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0081000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[772] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe[776] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 008C000A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe[776] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 008E000A
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateFileA 7C801A28 3 Bytes JMP 010C0FE5
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateFileA + 4 7C801A2C 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!VirtualProtectEx 7C801A61 3 Bytes JMP 010C005D
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!VirtualProtectEx + 4 7C801A65 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!VirtualProtect 7C801AD4 3 Bytes JMP 010C004C
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!VirtualProtect + 4 7C801AD8 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010C0F72
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryExA 7C801D53 3 Bytes JMP 010C0F83
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryExA + 4 7C801D57 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryA 7C801D7B 3 Bytes JMP 010C0025
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryA + 4 7C801D7F 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetStartupInfoW 7C801E54 3 Bytes JMP 010C0F37
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetStartupInfoW + 4 7C801E58 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010C007F
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateProcessW 7C802336 3 Bytes JMP 010C0F01
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateProcessW + 4 7C80233A 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateProcessA 7C80236B 3 Bytes JMP 010C009A
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateProcessA + 4 7C80236F 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetProcAddress 7C80AE30 3 Bytes JMP 010C0EE6
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!GetProcAddress + 4 7C80AE34 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryW 7C80AEDB 3 Bytes JMP 010C0FA8
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!LoadLibraryW + 4 7C80AEDF 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateFileW 7C8107F0 3 Bytes JMP 010C0FD4
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateFileW + 4 7C8107F4 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 010C006E
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 010C000A
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 010C0FB9
.text C:\WINDOWS\system32\svchost.exe[888] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 010C0F1C
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 010A004A
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 010A0080
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 010A0025
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 010A0FEF
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 010A0FC3
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 010A000A
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 010A005B
.text C:\WINDOWS\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 010A0FD4
.text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01090066
.text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!system 77C293C7 5 Bytes JMP 01090055
.text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01090FEF
.text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0109000C
.text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01090044
.text C:\WINDOWS\system32\svchost.exe[888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01090029
.text C:\WINDOWS\system32\svchost.exe[888] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 010B0000
.text C:\WINDOWS\system32\svchost.exe[888] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 010B001B
.text C:\WINDOWS\system32\svchost.exe[888] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 010B0FE5
.text C:\WINDOWS\system32\svchost.exe[888] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 010B0FCA
.text C:\WINDOWS\system32\svchost.exe[888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01250FE5
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012500A1
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01250090
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01250069
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01250FAC
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0125003D
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012500C6
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01250F8A
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01250F45
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012500E8
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7C80AE30 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01250F34
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01250058
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01250000
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01250F9B
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0125002C
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0125001B
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 012500D7
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01230FE5
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01230F8D
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0123002C
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0123001B
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01230FA8
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0123000A
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01230FC3
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [43, 89]
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01230FD4
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0122007A
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!system 77C293C7 5 Bytes JMP 0122005F
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01220029
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0122000C
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01220044
.text C:\WINDOWS\system32\svchost.exe[940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01220FEF
.text C:\WINDOWS\system32\svchost.exe[940] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01240FEF
.text C:\WINDOWS\system32\svchost.exe[940] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0124000A
.text C:\WINDOWS\system32\svchost.exe[940] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01240FD4
.text C:\WINDOWS\system32\svchost.exe[940] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01240FAF
.text C:\WINDOWS\system32\svchost.exe[940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01210000
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[996] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 006D000A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[996] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02550000
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02550F68
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02550F79
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02550F8A
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02550FA5
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0255003D
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02550095
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02550084
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02550F10
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02550F21
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 025500C4
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02550FB6
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02550FE5
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02550F4D
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0255002C
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02550011
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02550F3C
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 024B0FEF
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 024B0FA8
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 024B0036
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 024B001B
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 024B0065
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 024B000A
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 024B0FCD
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [6B, 8A]
.text C:\WINDOWS\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 024B0FDE
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 024A004E
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!system 77C293C7 5 Bytes JMP 024A0FC3
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 024A0029
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 024A000C
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 024A0FD4
.text C:\WINDOWS\System32\svchost.exe[1040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 024C0FE5
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 024C0000
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 024C0FD4
.text C:\WINDOWS\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 024C0FC3
.text C:\WINDOWS\System32\svchost.exe[1040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02490FE5
.text C:\Program Files\Bonjour\mDNSResponder.exe[1076] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0071000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1076] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0072000A
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D20F79
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20F94
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D2006E
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D20FA5
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20036
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D200AB
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D2009A
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D200D7
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D20F48
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D20F23
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D20047
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D20089
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D2001B
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D20FCA
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D200C6
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BD0014
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BD0F83
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BD002F
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0049
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0038
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FD2
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0027
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00BE002F
.text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF00A4
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0093
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0FAF
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF006C
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0047
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF00E3
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF00D2
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0108
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF0F6F
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CF012D
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CF0011
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CF00B5
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CF0FDB
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CF0022
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CF0F8A
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CD0FAF
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CD0047
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CD0FC0
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CD0022
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CD0011
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CD0F94
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC0FB9
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC000C
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0044
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC001D
.text C:\WINDOWS\system32\svchost.exe[1196] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1196] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1196] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1196] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[1196] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB0FEF
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[1272] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 008B000A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[1272] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 008C000A
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0065
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0054
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F7C
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0F97
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0091
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0080
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F2E
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00C7
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FE0F1D
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FE0F5F
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FE00AC
.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F20F8A
.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F20FDB
.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F20047
.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F20036
.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F20FB9
.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10038
.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F1001D
.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FC8
.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FAD
.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F30FDE
.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00F30FC3
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00FE5
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[1376] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A5000A
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[1376] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\spoolsv.exe[1448] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\spoolsv.exe[1448] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0098000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[1644] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 006D000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[1644] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 006E000A
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1788] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0089000A
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1788] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 008A000A
.text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03660FE5
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0366004F
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03660034
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03660F5A
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03660F75
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03660F97
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0366008A
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03660F38
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03660F0C
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 036600A5
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03660EFB
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03660F86
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03660FD4
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 03660F49
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03660FA8
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 03660FB9
.text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 03660F27
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01B1001B
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01B10054
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01B10FD4
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01B10FE5
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01B10F97
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01B10000
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01B10FA8
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D1, 89]
.text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01B10FB9
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01AF0FA6
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!system 77C293C7 5 Bytes JMP 01AF0031
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01AF0FC1
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01AF0FEF
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01AF0016
.text C:\WINDOWS\Explorer.EXE[1816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01AF0FD2
.text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03650000
.text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03650FE5
.text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 03650FD4
.text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 0365001B
.text C:\WINDOWS\Explorer.EXE[1816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01970FEF
.text C:\WINDOWS\system32\ctfmon.exe[2020] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\ctfmon.exe[2020] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\RioMSC.exe[2032] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 006E000A
.text C:\WINDOWS\system32\RioMSC.exe[2032] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 006F000A
.text C:\WINDOWS\wanmpsvc.exe[2244] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0076000A
.text C:\WINDOWS\wanmpsvc.exe[2244] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0077000A
.text C:\WINDOWS\System32\alg.exe[3088] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\alg.exe[3088] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0070000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3908] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0085000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3908] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0086000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe[4104] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0084000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe[4104] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 0085000A
.text c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe[4444] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00CD000A
.text c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe[4444] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00A4000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00280FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00280F66
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00280F77
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00280051
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00280F94
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00280025
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00280F4B
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00280087
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00280F15
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002800AE
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 002800D3
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00280036
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00280FD4
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00280076
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00280FC3
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00280014
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00280F30
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00370FCA
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00370FA8
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00370011
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00370000
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0037005B
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00370FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00370040
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00370FB9
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00380050
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] msvcrt.dll!system 77C293C7 5 Bytes JMP 0038003F
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00380FD9
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0038000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0038002E
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0038001D
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 00E2000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00BE0000
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00BE0011
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00BE0022
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00BE0033
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WININET.dll!HttpAddRequestHeadersW 780CCF65 5 Bytes JMP 00EA000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00EBFC50 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EC0CC0 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F90000
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00EC0B00 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EC09E0 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00EC0000 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[7220] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EC0230 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00A4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00280FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0028006A
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00280059
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00280032
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00280F75
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00280FA1
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0028008C
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0028007B
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002800B1
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00280F0E
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 002800C2
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00280F90
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00280FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00280F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00280FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00280FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00280F29
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00370036
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00370F8A
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0037001B
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00370FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00370FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00370000
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00370FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [57, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00370047
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00380042
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] msvcrt.dll!system 77C293C7 5 Bytes JMP 00380FB7
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00380FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0038000C
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00380FC8
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0038001D
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 00E2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00BE0000
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00BE0FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00BE001B
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00BE0FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WININET.dll!HttpAddRequestHeadersW 780CCF65 5 Bytes JMP 00EA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00EBFC50 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EC0CC0 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F90FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00EC0B00 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EC09E0 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00EC0000 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[7892] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EC0230 \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
.text C:\DOCUME~1\Stacy\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[8780] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009E000A
.text C:\DOCUME~1\Stacy\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[8780] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 009F000A
.text C:\Documents and Settings\Stacy\Desktop\z5ou3jbw.exe[9828] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009E000A
.text C:\Documents and Settings\Stacy\Desktop\z5ou3jbw.exe[9828] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 009F000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\UACsucbivkj.sys (*** hidden *** ) F88C8000-F88D7000 (61440 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\McAfee.com\Agent\mcagent.exe [216] 0x00DE0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [296] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\Microsoft Office\Office\OSA.EXE [480] 0x00D30000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [644] 0x00870000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [668] 0x00B10000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [692] 0x00970000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [720] 0x00A30000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [772] 0x00AF0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe [776] 0x00CB0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [888] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [940] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [996] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1040] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1076] 0x00B00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1080] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1196] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [1272] 0x00B90000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1320] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ c:\program files\common files\mcafee\mna\mcnasvc.exe [1376] 0x00D30000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1448] 0x00C90000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [1644] 0x00AC0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [1788] 0x00B80000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1816] 0x00D00000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2020] 0x00CA0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\system32\RioMSC.exe [2032] 0x00AD0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\wanmpsvc.exe [2244] 0x00B40000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3088] 0x00A10000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [3908] 0x00B40000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [4104] 0x00B20000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe [4444] 0x00DA0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [7220] 0x00EB0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [7892] 0x00EB0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\DOCUME~1\Stacy\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe [8780] 0x00DD0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Documents and Settings\Stacy\Desktop\z5ou3jbw.exe [9828] 0x00DD0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACsucbivkj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACsucbivkj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACsucbivkj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyxxuoxsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACapuumnbo.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACesxutbhy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAClqgoendm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACpudubgoy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACwfvldvkt.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACqrjddmxt.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACaiddudju.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACsucbivkj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACsucbivkj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyxxuoxsr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACapuumnbo.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACesxutbhy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAClqgoendm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACpudubgoy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACwfvldvkt.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACqrjddmxt.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACaiddudju.log
Reg HKLM\SOFTWARE\Classes\so_activex.SOActiveX@ SOActiveX Class
Reg HKLM\SOFTWARE\Classes\so_activex.SOActiveX\CLSID
Reg HKLM\SOFTWARE\Classes\so_activex.SOActiveX\CLSID@ {67F2A879-82D5-4A6D-8CC5-FFB3C114B69D}
Reg HKLM\SOFTWARE\Classes\so_activex.SOActiveX\CurVer
Reg HKLM\SOFTWARE\Classes\so_activex.SOActiveX\CurVer@ so_activex.SOActiveX.1
Reg HKLM\SOFTWARE\Classes\so_activex.SOActiveX.1@ SOActiveX Class
Reg HKLM\SOFTWARE\Classes\so_activex.SOActiveX.1\CLSID
Reg HKLM\SOFTWARE\Classes\so_activex.SOActiveX.1\CLSID@ {67F2A879-82D5-4A6D-8CC5-FFB3C114B69D}

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Stacy\Local Settings\Temp\UAC67b6.tmp 343040 bytes executable
File C:\Documents and Settings\Stacy\Local Settings\Temporary Internet Files\Content.IE5\663077YY\s14502868239_4527[1].jpg 0 bytes
File C:\Documents and Settings\Stacy\Local Settings\Temporary Internet Files\Content.IE5\663077YY\s691842011_1710316_2064397[1].jpg 0 bytes
File C:\Documents and Settings\Stacy\Local Settings\Temporary Internet Files\Content.IE5\663077YY\photo-thumb-94959[1].jpg 1230 bytes
File C:\Documents and Settings\Stacy\Local Settings\Temporary Internet Files\Content.IE5\663077YY\__utm[7].gif 35 bytes
File C:\Documents and Settings\Stacy\Local Settings\Temporary Internet Files\Content.IE5\663077YY\q1474570358_6171[1].jpg 2196 bytes
File C:\Documents and Settings\Stacy\Local Settings\Temporary Internet Files\Content.IE5\663077YY\q1581340026_8496[1].jpg 2801 bytes
File C:\Documents and Settings\Stacy\Local Settings\Temporary Internet Files\Content.IE5\663077YY\q1582342544_5309[1].jpg 2113 bytes
File C:\Documents and Settings\Stacy\Local Settings\Temporary Internet Files\Content.IE5\663077YY\q615898423_3449[1].jpg 2908 bytes
File C:\WINDOWS\system32\drivers\UACsucbivkj.sys 49664 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACaiddudju.log 111 bytes
File C:\WINDOWS\system32\UACapuumnbo.dat 127 bytes
File C:\WINDOWS\system32\UACesxutbhy.dll 19968 bytes executable
File C:\WINDOWS\system32\uacinit.dll 5501 bytes
File C:\WINDOWS\system32\UAClqgoendm.dll 17408 bytes executable
File C:\WINDOWS\system32\UACoulnxwpm.dll 66048 bytes
File C:\WINDOWS\system32\UACpudubgoy.dll 18944 bytes executable
File C:\WINDOWS\system32\UACwfvldvkt.log 3468 bytes
File C:\WINDOWS\system32\UACyxxuoxsr.dll 23552 bytes executable

---- EOF - GMER 1.0.15 ----
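
The GMER log above is what a helper reads by eye: one hidden service flagged as a rootkit, a `modules` key under that service naming every file it owns, and the same hidden DLL mapped into many processes including the security software. Here is an added example, not code from the thread, from GMER or from the helper, of a small Python triage script that parses those GMER sections and rebuilds that picture. `SAMPLE_LOG` is a constructed excerpt modelled on the log above, and folding the native `\\?\globalroot\systemroot` and `\systemroot` spellings onto `%SystemRoot%` is the script's own assumption, not something GMER does.

```python
r"""Triage helper for GMER text output (added example; not code from the thread,
from GMER or from the helper).  SAMPLE_LOG is a constructed excerpt modelled on
the posted log; mapping \\?\globalroot\systemroot onto %SystemRoot% is our own choice."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""---- Libraries - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3088] 0x00A10000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [7892] 0x00EB0000
Library \\?\globalroot\systemroot\system32\UACoulnxwpm.dll (*** hidden *** ) @ C:\Documents and Settings\Stacy\Desktop\z5ou3jbw.exe [9828] 0x00DD0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACsucbivkj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACsucbivkj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACsucbivkj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACyxxuoxsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACoulnxwpm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACqrjddmxt.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACsucbivkj.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\UACsucbivkj.sys 49664 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACoulnxwpm.dll 66048 bytes
"""

LIB_RE = re.compile(r"^Library (?P<dll>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+) \[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$")
SVC_RE = re.compile(r"^Service (?P<image>.+?) \(\*\*\* hidden \*\*\* \) \[(?P<account>\w+)\] (?P<name>\S+)(?P<flag> <-- ROOTKIT !!!)?$")
REG_RE = re.compile(r"^Reg (?P<key>[^@ ]+)(?:@(?P<value>\S+) (?P<data>.*))?$")
SVCKEY_RE = re.compile(r"^HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\]+)(?P<sub>(?:\\[^\\]+)*)$", re.I)
FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes(?P<exe> executable)?(?P<flag> <-- ROOTKIT !!!)?$")


def normalize(path):
    """Fold the NT-native spellings onto one form so a file seen in several sections dedups."""
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot"):
        if path.lower().startswith(prefix):
            return "%SystemRoot%" + path[len(prefix):]
    return path


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Collect hidden libraries, hidden services, service values, 'modules' lists and files."""
    rep = {
        "hidden_libs": defaultdict(list),  # normalized DLL -> [(process, pid, load base)]
        "services": {},                    # service name -> {image, account, rootkit}
        "svc_values": defaultdict(dict),   # service name -> values under CurrentControlSet
        "modules": defaultdict(dict),      # service name -> {value name: normalized path}
        "control_sets": defaultdict(set),  # service name -> control sets carrying the key
        "files": [],                       # (path, size, executable?, rootkit-flagged?)
    }
    for line in text.splitlines():
        line = line.rstrip()
        if m := LIB_RE.match(line):
            rep["hidden_libs"][normalize(m["dll"])].append((m["proc"], int(m["pid"]), m["base"]))
        elif m := SVC_RE.match(line):
            rep["services"][m["name"]] = {"image": m["image"], "account": m["account"],
                                          "rootkit": m["flag"] is not None}
        elif m := REG_RE.match(line):
            k = SVCKEY_RE.match(m["key"])
            if not k:
                continue
            rep["control_sets"][k["svc"]].add(k["cs"])
            if m["value"] is None:
                continue  # bare key line, nothing to record
            if k["sub"].lower() == r"\modules":
                rep["modules"][k["svc"]][m["value"]] = normalize(m["data"])
            elif k["sub"] == "" and k["cs"].lower() == "currentcontrolset":
                rep["svc_values"][k["svc"]][m["value"].lower()] = m["data"]
        elif m := FILE_RE.match(line):
            rep["files"].append((m["path"], int(m["size"]), m["exe"] is not None, m["flag"] is not None))
    return rep


def collection_list(rep):
    """Every file tied to a hidden service, keyed by basename: the checklist to compare
    against after cleanup, since 'modules' names files the Files section may not list."""
    seen = defaultdict(set)
    for svc in rep["services"].values():
        seen[basename(svc["image"])].add(normalize(svc["image"]))
    for mods in rep["modules"].values():
        for path in mods.values():
            seen[basename(path)].add(path)
    for dll in rep["hidden_libs"]:
        seen[basename(dll)].add(dll)
    for path, _size, _exe, rootkit in rep["files"]:
        if rootkit:
            seen[basename(path)].add(normalize(path))
    return {name: sorted(paths) for name, paths in sorted(seen.items())}


if __name__ == "__main__":
    report = parse_gmer(SAMPLE_LOG)
    for name, svc in report["services"].items():
        print(f"{'ROOTKIT' if svc['rootkit'] else 'hidden'} service {name}: {svc['image']} "
              f"(key in {', '.join(sorted(report['control_sets'][name]))})")
    for dll, procs in report["hidden_libs"].items():
        print(f"{dll} mapped into {len(procs)} processes: {', '.join(f'{basename(p)}[{pid}]' for p, pid, _ in procs)}")
    for name, paths in collection_list(report).items():
        print(f"account for {name}: {'; '.join(paths)}")
```

Run stand-alone it prints the flagged service, the processes the hidden DLL was mapped into, and a per-basename list of every file the service's registry key ties together; that list is what to compare against the deletions reported in the next log. The `control_sets` entry records that GMER saw the key mirrored under ControlSet003 as well as CurrentControlSet, which is worth checking after cleanup.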

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 March 2009 - 11:50 AM

We need to run Combofix.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 mkmom

  • Topic Starter
  • Members
  • 8 posts

Posted 30 March 2009 - 05:32 PM

Here is the combofix log

ComboFix 09-03-29.04 - Stacy 2009-03-30 18:08:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.291 [GMT -4:00]
Running from: c:\documents and settings\Stacy\Desktop\lou.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACsucbivkj.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\UACaiddudju.log
c:\windows\system32\UACapuumnbo.dat
c:\windows\system32\UACesxutbhy.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClqgoendm.dll
c:\windows\system32\UACoulnxwpm.dll
c:\windows\system32\UACpudubgoy.dll
c:\windows\system32\UACqrjddmxt.log
c:\windows\system32\UACwfvldvkt.log
c:\windows\system32\UACyxxuoxsr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-28 08:00 . 2009-03-28 08:05 26,327,040 --a------ C:\Backup.bkf
2009-03-28 07:57 . 2009-03-28 08:05 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-27 22:34 . 2009-03-27 22:38 <DIR> d-------- c:\documents and settings\Stacy\DoctorWeb
2009-03-27 21:07 . 2009-03-27 21:07 <DIR> d-------- c:\program files\Ma
2009-03-27 21:07 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 21:07 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-27 19:18 . 2009-03-27 19:18 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\poydodkg
2009-03-27 19:16 . 2009-03-27 19:16 <DIR> d-------- c:\documents and settings\Stacy\Application Data\poydodkg
2009-03-26 15:52 . 2009-03-26 15:52 <DIR> d-------- c:\documents and settings\Stacy\Application Data\Malwarebytes
2009-03-26 15:51 . 2009-03-27 21:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 15:51 . 2009-03-26 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-22 19:02 . 2009-03-22 19:02 <DIR> d-------- c:\documents and settings\Stacy\Application Data\McAfee
2009-03-22 17:35 . 2009-03-22 17:35 <DIR> d-------- c:\windows\Google Toolbar
2009-03-11 22:22 . 2009-03-11 22:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\OpenOffice.org
2009-03-11 22:18 . 2009-03-11 22:18 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-03-11 22:18 . 2009-03-11 22:18 <DIR> d-------- c:\program files\JRE
2009-03-01 11:07 . 2009-03-01 11:07 <DIR> d-------- c:\program files\USAPhotoMaps
2009-02-10 22:29 . 2009-02-11 04:09 664 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 23:26 --------- d-----w c:\program files\AnvSoft Photo Flash Maker Professional
2009-03-22 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-22 21:29 --------- d-----w c:\program files\Java
2009-03-22 21:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 21:24 --------- d-----w c:\program files\Lexmark X125
2009-03-19 14:45 --------- d-----w c:\documents and settings\Owner\Application Data\Metacafe
2009-03-19 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\Metacafe
2009-03-12 11:40 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-12 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
2002-01-18 11:52 3,932 ------w c:\documents and settings\Stacy\Application Data\LMLayout.dat
2008-08-19 15:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 03:46:24 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 39,792 2007-10-11 00:51:56 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 02:16:38 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 1,404,928 2004-10-14 19:42:54 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 1,197,648 2006-10-17 01:40:00 c:\program files\Canon\MyPrinter\bak\BJMyPrt.exe

----a-w 267,048 2007-11-15 18:11:04 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-09-25 06:11:35 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 582,992 2007-08-04 06:33:14 c:\program files\McAfee.com\Agent\bak\mcagent.exe
----a-w 582,992 2007-08-04 03:33:14 c:\program files\McAfee.com\Agent\mcagent.exe

----a-w 286,720 2007-11-15 04:43:10 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

----a-w 26,112 2007-03-28 02:11:55 c:\program files\Real\RealPlayer\bak\RealPlay.exe

----a-w 208,896 2004-08-04 10:00:00 c:\windows\inf\bak\unregmp2.exe
----a-w 208,896 2008-04-14 00:12:38 c:\windows\inf\unregmp2.exe

----a-w 15,360 2004-08-04 10:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 c:\windows\system32\ctfmon.exe

----a-w 77,824 2005-07-19 23:06:12 c:\windows\system32\bak\hkcmd.exe

----a-w 114,688 2005-07-19 23:10:06 c:\windows\system32\bak\igfxpers.exe

----a-w 94,208 2005-07-19 23:09:26 c:\windows\system32\bak\igfxtray.exe

----a-w 99,840 2003-05-27 00:00:00 c:\windows\system32\spool\drivers\w32x86\3\bak\E_S4I2G1.EXE

----a-w 45,056 2002-09-05 14:05:46 c:\windows\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Metacafe.lnk - c:\program files\Metacafe\MetacafeAgent.exe [2007-09-04 149256]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-08-19 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-03-27 36953]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= gyuwtl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ msv1_0 schannel wdigest

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-21 24652]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xjsjcevf

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{120116c7-0e9f-11de-b4f6-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cf87bc9-010b-11dd-b497-00038a000015}]
\Shell\AutoRun\command - D:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Search
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Stacy\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 18:18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-03-30 18:23:00
ComboFix-quarantined-files.txt 2009-03-30 22:21:42

Pre-Run: 59,647,438,848 bytes free
Post-Run: 60,835,995,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

182 --- E O F --- 2009-03-15 07:02:07
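
The "Reg Loading Points" section of this log is where a helper spots what still needs attention after the rootkit files are gone: a non-empty `AppInit_DLLs` value, an unfamiliar name in the svchost netsvcs group, and security-state values that have been switched off. As an added example, not code from the thread, from ComboFix or from the helper, the following Python script parses that section and rates those items for review. `SAMPLE` is a constructed excerpt modelled on the log above; the severity labels and the wording of each finding are the script's own assumptions.

```python
r"""Posture check over the 'Reg Loading Points' section of a ComboFix log (added
example; not code from the thread, from ComboFix or from the helper).
SAMPLE is a constructed excerpt modelled on the posted log."""
import re

SAMPLE = r"""*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= gyuwtl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-21 24652]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xjsjcevf

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{120116c7-0e9f-11de-b4f6-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
NETSVCS_RE = re.compile(r"\\Svchost - NetSvcs$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
SEVERITY = {"high": 0, "medium": 1, "low": 2}


def as_int(data):
    """ComboFix prints REG_DWORD as 'dword:00000001' and some values as '0 (0x0)'."""
    d = data.strip().lower()
    if d.startswith("dword:"):
        return int(d[6:], 16)
    m = re.match(r"\d+", d)
    return int(m.group()) if m else None


def parse_loading_points(text):
    """Collect (key, value, data) triples, the non-default svchost netsvcs names
    and the per-volume AutoRun commands printed in the section."""
    values, netsvcs, autoruns = [], [], []
    key, in_netsvcs = None, False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            in_netsvcs = False  # a blank line ends the netsvcs name list
            continue
        if NETSVCS_RE.search(line):
            key, in_netsvcs = None, True
            continue
        if in_netsvcs:
            netsvcs.append(line.strip())
        elif m := KEY_RE.match(line):
            key = m["key"]
        elif key and (m := VAL_RE.match(line)):
            values.append((key, m["name"], m["data"].strip()))
        elif key and (m := AUTORUN_RE.match(line)):
            autoruns.append((key, m["cmd"]))
    return {"values": values, "netsvcs": netsvcs, "autoruns": autoruns}


def assess(lp):
    """Turn the parsed section into (severity, message, location) findings, highest first."""
    findings = []
    for key, name, data in lp["values"]:
        k, n = key.lower(), name.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if n == "appinit_dlls" and data:
            findings.append(("high", f"AppInit_DLLs = '{data}': every process that loads user32.dll "
                             "will load this DLL; confirm the file is known before trusting the host", key))
        elif n == "disablemonitoring" and "security center" in k and as_int(data) == 1:
            findings.append(("medium", f"Security Center monitoring disabled for {leaf}", key))
        elif n == "enablefirewall" and as_int(data) == 0:
            findings.append(("medium", "Windows Firewall disabled for the standard profile", key))
    for name in lp["netsvcs"]:
        findings.append(("high", f"non-default netsvcs entry '{name}': a service DLL hosted inside "
                         "svchost.exe that ComboFix did not list as a Windows default", "netsvcs"))
    for key, cmd in lp["autoruns"]:
        findings.append(("low", f"AutoRun handler for a removable volume runs {cmd}; common for "
                         "U3/vendor launchers but worth a look", key))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


if __name__ == "__main__":
    for sev, msg, where in assess(parse_loading_points(SAMPLE)):
        print(f"[{sev}] {msg}  <{where}>")
```

The parser relies on the ComboFix convention visible in the log itself ("empty entries & legit default entries are not shown"), so any name printed under the NetSvcs header is by construction something ComboFix did not recognise; the MountPoints2 AutoRun entries are rated low because the same log shows a U3 launcher on another volume, and those are normally legitimate.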

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 March 2009 - 12:33 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Dirlook::
c:\documents and settings\NetworkService\Application Data\poydodkg
c:\documents and settings\Stacy\Application Data\poydodkg

NetSvc::
xjsjcevf

Driver::
xjsjcevf

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


================


Let's see if Malwarebytes will work now.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform quick scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


========================================================

#8 mkmom

  • Topic Starter
  • Members
  • 8 posts

Posted 31 March 2009 - 03:09 PM

Ok, here's the combofix log; then I will do the MBAM log.

ComboFix 09-03-29.04 - Stacy 2009-03-31 15:42:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.212 [GMT -4:00]
Running from: c:\documents and settings\Stacy\Desktop\lou.exe
Command switches used :: c:\documents and settings\Stacy\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XJSJCEVF


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-28 08:00 . 2009-03-28 08:05 26,327,040 --a------ C:\Backup.bkf
2009-03-28 07:57 . 2009-03-28 08:05 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-27 22:34 . 2009-03-27 22:38 <DIR> d-------- c:\documents and settings\Stacy\DoctorWeb
2009-03-27 21:07 . 2009-03-27 21:07 <DIR> d-------- c:\program files\Ma
2009-03-27 21:07 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 21:07 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-27 19:18 . 2009-03-27 19:18 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\poydodkg
2009-03-27 19:16 . 2009-03-27 19:16 <DIR> d-------- c:\documents and settings\Stacy\Application Data\poydodkg
2009-03-26 15:52 . 2009-03-26 15:52 <DIR> d-------- c:\documents and settings\Stacy\Application Data\Malwarebytes
2009-03-26 15:51 . 2009-03-27 21:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 15:51 . 2009-03-26 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-22 19:02 . 2009-03-22 19:02 <DIR> d-------- c:\documents and settings\Stacy\Application Data\McAfee
2009-03-22 17:35 . 2009-03-22 17:35 <DIR> d-------- c:\windows\Google Toolbar
2009-03-11 22:22 . 2009-03-11 22:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\OpenOffice.org
2009-03-11 22:18 . 2009-03-11 22:18 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-03-11 22:18 . 2009-03-11 22:18 <DIR> d-------- c:\program files\JRE
2009-03-01 11:07 . 2009-03-01 11:07 <DIR> d-------- c:\program files\USAPhotoMaps
2009-02-10 22:29 . 2009-02-11 04:09 664 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 23:26 --------- d-----w c:\program files\AnvSoft Photo Flash Maker Professional
2009-03-22 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-22 21:29 --------- d-----w c:\program files\Java
2009-03-22 21:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 21:24 --------- d-----w c:\program files\Lexmark X125
2009-03-19 14:45 --------- d-----w c:\documents and settings\Owner\Application Data\Metacafe
2009-03-19 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\Metacafe
2009-03-12 11:40 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2002-01-18 11:52 3,932 ------w c:\documents and settings\Stacy\Application Data\LMLayout.dat
2008-08-19 15:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\NetworkService\Application Data\poydodkg ----

2009-03-27 20:43 2048 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\cookies.sqlite
2009-03-27 20:39 367 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\prefs.js
2009-03-27 20:39 2048 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\webappsstore.sqlite
2009-03-27 20:39 131072 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\places.sqlite
2009-03-27 20:39 127885 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\compreg.dat
2009-03-27 20:39 0 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\places.sqlite-journal
2009-03-27 20:38 96173 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\xpti.dat
2009-03-27 20:38 207 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\compatibility.ini
2009-03-27 19:19 65536 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\cert8.db
2009-03-27 19:18 6294 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\pluginreg.dat
2009-03-27 19:18 569 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\localstore.rdf
2009-03-27 19:18 4096 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\formhistory.sqlite
2009-03-27 19:18 2048 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\permissions.sqlite
2009-03-27 19:18 16384 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\secmod.db
2009-03-27 19:18 16384 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\Profiles\38g8fx8m.default\key3.db
2009-03-27 19:18 111 --a------ c:\documents and settings\NetworkService\Application Data\poydodkg\profiles.ini

---- Directory of c:\documents and settings\Stacy\Application Data\poydodkg ----

2009-03-27 19:39 0 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\places.sqlite-journal
2009-03-27 19:38 2048 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\webappsstore.sqlite
2009-03-27 19:21 131072 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\places.sqlite
2009-03-27 19:20 96173 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\xpti.dat
2009-03-27 19:20 367 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\prefs.js
2009-03-27 19:20 207 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\compatibility.ini
2009-03-27 19:20 127885 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\compreg.dat
2009-03-27 19:20 0 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\parent.lock
2009-03-27 19:17 65536 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\cert8.db
2009-03-27 19:17 2048 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\cookies.sqlite
2009-03-27 19:16 6294 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\pluginreg.dat
2009-03-27 19:16 569 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\localstore.rdf
2009-03-27 19:16 4096 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\formhistory.sqlite
2009-03-27 19:16 2048 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\permissions.sqlite
2009-03-27 19:16 16384 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\secmod.db
2009-03-27 19:16 16384 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\Profiles\0fwxh10o.default\key3.db
2009-03-27 19:16 111 --a------ c:\documents and settings\Stacy\Application Data\poydodkg\profiles.ini


((((((((((((((((((((((((((((( SnapShot@2009-03-30_18.20.04.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-30 21:41:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-31 15:12:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-30 21:41:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-31 15:12:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-30 21:41:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-31 15:12:02 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 03:46:24 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 39,792 2007-10-11 00:51:56 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 02:16:38 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 1,404,928 2004-10-14 19:42:54 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 1,197,648 2006-10-17 01:40:00 c:\program files\Canon\MyPrinter\bak\BJMyPrt.exe

----a-w 267,048 2007-11-15 18:11:04 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 290,088 2008-11-20 18:20:54 c:\program files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-09-25 06:11:35 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 582,992 2007-08-04 06:33:14 c:\program files\McAfee.com\Agent\bak\mcagent.exe
----a-w 582,992 2007-08-04 03:33:14 c:\program files\McAfee.com\Agent\mcagent.exe

----a-w 286,720 2007-11-15 04:43:10 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-11-04 15:30:50 c:\program files\QuickTime\QTTask.exe

----a-w 26,112 2007-03-28 02:11:55 c:\program files\Real\RealPlayer\bak\RealPlay.exe

----a-w 208,896 2004-08-04 10:00:00 c:\windows\inf\bak\unregmp2.exe
----a-w 208,896 2008-04-14 00:12:38 c:\windows\inf\unregmp2.exe

----a-w 15,360 2004-08-04 10:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 c:\windows\system32\ctfmon.exe

----a-w 77,824 2005-07-19 23:06:12 c:\windows\system32\bak\hkcmd.exe

----a-w 114,688 2005-07-19 23:10:06 c:\windows\system32\bak\igfxpers.exe

----a-w 94,208 2005-07-19 23:09:26 c:\windows\system32\bak\igfxtray.exe

----a-w 99,840 2003-05-27 00:00:00 c:\windows\system32\spool\drivers\w32x86\3\bak\E_S4I2G1.EXE

----a-w 45,056 2002-09-05 14:05:46 c:\windows\system32\spool\drivers\w32x86\3\bak\LMPDPSRV.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Metacafe.lnk - c:\program files\Metacafe\MetacafeAgent.exe [2007-09-04 149256]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-08-19 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-03-27 36953]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ msv1_0 schannel wdigest

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-21 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{120116c7-0e9f-11de-b4f6-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cf87bc9-010b-11dd-b497-00038a000015}]
\Shell\AutoRun\command - D:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Stacy\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 15:50:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\RioMSC.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-31 16:04:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 20:02:43
ComboFix2.txt 2009-03-30 22:23:01

Pre-Run: 60,647,956,480 bytes free
Post-Run: 60,754,931,712 bytes free

218 --- E O F --- 2009-03-15 07:02:07

#9 mkmom (Topic Starter)

Posted 31 March 2009 - 03:17 PM

Here is the MBAM log. Everything is clean!!!! :D Thank you so much! Is there anything else that I should do?
Malwarebytes' Anti-Malware 1.35
Database version: 1925
Windows 5.1.2600 Service Pack 3

3/31/2009 4:15:14 PM
mbam-log-2009-03-31 (16-15-14).txt

Scan type: Quick Scan
Objects scanned: 79758
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 mkmom (Topic Starter)

Posted 31 March 2009 - 03:22 PM

I just checked the quarantine file for MBAM and there are 117 that were quarantined from the first time that I scanned. Should I click Delete all? Thanks.

#11 Buckeye_Sam (Malware Expert)

Posted 01 April 2009 - 10:10 AM

Yes, you can delete those quarantined items now.

Let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

==================

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore using the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
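Added example, not part of Buckeye_Sam's post or of any tool used in this thread: the six Internet Explorer settings listed above are stored as DWORD values under the Internet zone key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3), named by their hex URL action IDs (1001, 1004, 1201, 1607, 1800, 1804) with data 0 = Enable, 1 = Prompt, 3 = Disable. The Python script below parses a REGEDIT4-style export of that key (the same format ComboFix prints in its "Reg Loading Points" section) and reports every setting that is missing or weaker than the post recommends, so the change can be verified without clicking through the dialog. The .reg text embedded in it is constructed for the example.

```python
"""Audit Internet Explorer's Internet-zone settings against the six values
recommended in the post above. Added example; the .reg text below is
constructed, not taken from the thread."""
import re

# Zone 3 is the "Internet" zone. Value names under this key are the hex URL
# action IDs; the DWORD data is 0 = Enable, 1 = Prompt, 3 = Disable.
ZONES_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Recommended policy from the post: action ID -> (IE dialog label, required value)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed sample export: a machine where only two of the six are already right.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor' text into {key: {name: data}}.
    dword data becomes an int, quoted strings become str, anything else is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                value = data[1:-1]
            else:
                value = data
            keys[current][name] = value
    return keys


def audit_internet_zone(keys):
    """Return (action_id, label, current, required) for each recommended setting
    that is missing or weaker than recommended. Strictness is Enable < Prompt <
    Disable, so a setting stricter than the recommendation is not reported."""
    zone = keys.get(ZONES_KEY, {})
    findings = []
    for action_id, (label, required) in RECOMMENDED.items():
        current = zone.get(action_id)
        if not isinstance(current, int) or current < required:
            findings.append((action_id, label, current, required))
    return findings


def format_findings(findings):
    """Render findings one per line, e.g. '[1001] ...: is Enable, should be Prompt'."""
    out = []
    for action_id, label, current, required in findings:
        cur = "not set" if current is None else SETTING_NAMES.get(current, str(current))
        out.append(f"[{action_id}] {label}: is {cur}, should be {SETTING_NAMES[required]}")
    return out


if __name__ == "__main__":
    for line in format_findings(audit_internet_zone(parse_reg(SAMPLE_REG))):
        print(line)
```

On a real machine, export the key with `regedit /e zone3.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"`; XP's regedit writes UTF-16 text with a "Windows Registry Editor Version 5.00" header, so read the file with encoding='utf-16' before passing it to parse_reg(). Note that the check only covers the per-user Internet zone; a machine-wide policy under HKEY_LOCAL_MACHINE or a Security_HKLM_only setting would need the corresponding key audited the same way.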

#12 mkmom (Topic Starter)

Posted 03 April 2009 - 05:45 AM

Thank you Sam!
My computer is running much better now.
I cant tell you how much I appreciate your help :thumbup2:

#13 Buckeye_Sam (Malware Expert)

Posted 03 April 2009 - 03:01 PM

I'm glad I could help you out! :thumbup2:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.