Can't completely remove Virus (probably Virtumonde)


29 replies to this topic

#1 the_seligmans


Posted 29 March 2009 - 05:23 PM

I was infected with Virtumonde last week. Using various tools, mostly MalwareBytes, I've gotten rid of almost all of it (I think). I can now update McAfee. However, I still have two symptoms.
  • Google Results are still hijacked, taking me to random sites when I search for something related to security
  • I can't run mbam.exe unless I rename it
I have run a full scan with MalwareBytes repeatedly and it usually comes back with one Trojan in WINDOWS\System32\gaopdxcounter.exe. It quarantines and removes it, but there doesn't seem to be any effect from this.

I also see cookies showing up for Google that I remove, and that works sometimes but the hijacking always comes back.

Here's a copy of my latest MalwareBytes log:

Malwarebytes' Anti-Malware 1.35
Database version: 1916
Windows 5.1.2600 Service Pack 3

3/29/2009 2:39:03 PM
mbam-log-2009-03-29 (14-39-03).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 480978
Time elapsed: 1 hour(s), 54 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

Any help would be greatly appreciated. Thanks.


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:09:15 AM

Posted 29 March 2009 - 08:04 PM

GAO infections are hard to kill

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 the_seligmans

the_seligmans
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:15 AM

Posted 30 March 2009 - 10:07 PM

Here's my SDFix log. I can't boot into Safe Mode, only Safe Mode with Networking. This is the result:


SDFix: Version 1.240
Run by Randy on Mon 03/30/2009 at 07:21 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 19:57:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Randy.HP-DESKTOP\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"G:\\setup\\HPZnet01.exe"="G:\\setup\\HPZnet01.exe:*:Disabled:Install Consumer Experience Network Plug in"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Nortel\\Nortel VPN Client\\Extranet.exe"="C:\\Program Files\\Nortel\\Nortel VPN Client\\Extranet.exe:*:Enabled:Nortel VPN Client"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"="C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE:*:Enabled:SC3UpdaterMFC"
"C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"="C:\\Program Files\\Motorola\\RSD Lite\\SDL.exe:*:Enabled:SDL"
"C:\\Program Files\\Best Buy Digital Music Store Powered by Rhapsody\\rhapsody.exe"="C:\\Program Files\\Best Buy Digital Music Store Powered by Rhapsody\\rhapsody.exe:*:Enabled:Rhapsody Media Player"
"C:\\Program Files\\Winpopup LAN Messenger\\WinPopup.exe"="C:\\Program Files\\Winpopup LAN Messenger\\WinPopup.exe:*:Enabled:Winpopup LAN Messenger"
"C:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 28 Jul 2008 196 A.SHR --- "C:\BOOT.BAK"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Thu 11 Sep 2008 4,740,424 ...H. --- "C:\Program Files\Mahjong Towers Eternity\Mahjong Towers Eternity.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Wed 30 Apr 2008 19,764,552 ...H. --- "C:\Program Files\Mystery Case Files - Huntsville\Huntsville.exe"
Wed 10 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - S&D\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - S&D\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - S&D\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - S&D\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - S&D\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - S&D\Tools.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Sat 7 Mar 2009 308,200 A.SH. --- "C:\RECYCLER\S-1-5-21-611975900-1841857741-694989945-1009\Dc834.exe"
Wed 1 Jun 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Wed 27 Aug 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 12 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRMbackup\DRMv1.bak"
Fri 7 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\RNBackupWMDRM\DRMv1.bak"
Fri 7 Jul 2000 2,097,152 ..SH. --- "C:\Documents and Settings\Randy\My Documents\MUSIC.bak"
Thu 19 Mar 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 19 Mar 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 12 Dec 2005 4,348 ...H. --- "C:\Documents and Settings\All Users\Documents\License Backup\drmv1key.bak"
Sun 1 Oct 2006 20 ...H. --- "C:\Documents and Settings\All Users\Documents\License Backup\drmv1lic.bak"
Mon 12 Dec 2005 488 A.SH. --- "C:\Documents and Settings\All Users\Documents\License Backup\drmv2key.bak"
Wed 27 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 3 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRMbackup\Cache\Indiv02.tmp"
Tue 29 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\RNBackupWMDRM\Cache\Indiv01.tmp"
Sat 20 Jan 2007 69,632 ...H. --- "C:\Documents and Settings\Randy\My Documents\New Room\~WRL0481.tmp"
Fri 19 Jan 2007 19,456 ...H. --- "C:\Documents and Settings\Randy\My Documents\New Room\~WRL2183.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT9.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT7.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BITB.tmp"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4844df1d57a292079101da42a26d7d72\BITB.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BITA.tmp"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT2E.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITC.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT8.tmp"
Mon 12 Dec 2005 4,348 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Mon 6 Mar 2006 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 12 Dec 2005 488 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Sun 16 Sep 2007 154,112 ...H. --- "C:\Documents and Settings\Randy\Application Data\Microsoft\Word\~WRL1610.tmp"
Sun 22 Jul 2007 1,288,192 ...H. --- "C:\Documents and Settings\Randy\Application Data\Microsoft\Word\~WRL2065.tmp"
Tue 25 Sep 2007 17,408 ...H. --- "C:\Documents and Settings\Randy\Application Data\Microsoft\Word\~WRL2252.tmp"
Sun 16 Sep 2007 34,304 ...H. --- "C:\Documents and Settings\Randy\Application Data\Microsoft\Word\~WRL2653.tmp"
Sat 20 Jan 2007 19,456 ...H. --- "C:\Documents and Settings\Randy\Application Data\Microsoft\Word\~WRL2744.tmp"
Mon 30 Jan 2006 2,146 A.SH. --- "C:\Documents and Settings\Randy\Application Data\Roxio\Dragon\DiscInfoCache\SAMSUNG__CD-ROM_SC-148A___B401_310_DICV018_DRGV2050102.TMP"

Finished!

Thanks.

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:09:15 AM

Posted 31 March 2009 - 07:40 PM

That is fine. SDFix showed files that are a concern in the hidden section. Let's continue with a few steps.

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Next

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start. (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.



#5 the_seligmans

the_seligmans
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:15 AM

Posted 01 April 2009 - 12:07 PM

OK. Here's the SuperAntiSpyware log (had to rename it to get it to run).

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/01/2009 at 00:26 AM

Application Version : 4.26.1000

Core Rules Database Version : 3822
Trace Rules Database Version: 1776

Scan type : Complete Scan
Total Scan Time : 03:45:39

Memory items scanned : 317
Memory threats detected : 0
Registry items scanned : 8322
Registry threats detected : 0
File items scanned : 295994
File threats detected : 0


And here's the Eset Log

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3980 (20090401)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=71e28884e21f42499b894a7c67864400
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-01 04:45:57
# local_time=2009-04-01 09:45:57 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=1164766
# found=5
# scan_time=11205
C:\RECYCLER\S-1-5-21-611975900-1841857741-694989945-1010\Dc5.snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) C1E4CC7C6A34EA10279B12830A0F6603
C:\SDFix\backups_old\backups.zip Win32/AutoRun.ABH worm (deleted) 00000000000000000000000000000000
C:\SDFix\backups_old\backups.zip »ZIP »backups/tmpF6.tmp Win32/AutoRun.ABH worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
D:\RECYCLER\S-4-4-63-100024685-100027091-100026013-8087.com Win32/AutoRun.ABH worm (unable to clean - deleted) 00000000000000000000000000000000
E:\RECYCLER\S-4-4-63-100024685-100027091-100026013-8087.com Win32/AutoRun.ABH worm (unable to clean - deleted) 00000000000000000000000000000000

No change in symptoms.

#6 the_seligmans

the_seligmans
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:15 AM

Posted 01 April 2009 - 06:04 PM

It seems to have gotten worse.

While using the computer today, the disk drive started being continuously accessed. I rebooted twice and got this both times:

The system has recovered from a serious error.

The error signature is:

BCCode : 1000008e BCP1 : C0000005 BCP2 : F5D4CD36 BCP3 : B577DA88
BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 768_1

The following files will be included in this error report:

C:\DOCUME~1\RANDY~1.HP-\LOCALS~1\Temp\WER8e01.dir00\Mini040109-02.dmp
C:\DOCUME~1\RANDY~1.HP-\LOCALS~1\Temp\WER8e01.dir00\sysdata.xml

Uh oh.

#7 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:09:15 AM

Posted 01 April 2009 - 08:52 PM

Can you still boot this computer? In Safe mode?

If so, let's do a few tasks.

1) Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

2) Flush system restore
Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
3) Please rerun Eset and post its new log.



#8 the_seligmans

the_seligmans
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:15 AM

Posted 02 April 2009 - 01:37 AM

OK. Here's the latest ESET log. Looks good.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3982 (20090402)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=71e28884e21f42499b894a7c67864400
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-02 06:23:47
# local_time=2009-04-01 11:23:47 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=1172394
# found=0
# scan_time=15070

#9 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:09:15 AM

Posted 02 April 2009 - 07:50 AM

Excellent!

Our next step - search for rootkits.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
Please be sure to follow these directions carefully - Thanks!



#10 the_seligmans

the_seligmans
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:15 AM

Posted 02 April 2009 - 11:11 PM

Wow. Gmer took forever. But, it did find a rootkit!


GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-02 20:57:07
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF772787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7727C10]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF325744A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF32573F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF325740C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF32574F7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF3257523]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF3257596]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF325757B]
Code 86E3A658 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF325748A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF32575C0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF32574CD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF32573D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF32573E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF325745E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF32575FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF3257565]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF325754F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF325750D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF32575E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF32575D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF3257436]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF3257422]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF32574B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF32575AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF32574A0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF3257474]
Code 86E0919E IofCallDriver
Code 845D110E IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 86E091A3
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 845D1113
PAGE ntoskrnl.exe!ZwEnumerateKey + 3 80570D67 2 Bytes [CE, 72]
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 86E3A65C

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027E0FEF
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027E0F94
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027E0FAF
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027E007D
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027E006C
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027E0FD4
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027E0F43
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027E0F5E
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027E00C4
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027E0F21
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 027E0F06
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 027E005B
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 027E000A
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 027E0F6F
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 027E0036
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 027E0025
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 027E0F32
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 026B0022
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 026B005F
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 026B0011
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 026B0FE5
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 026B004E
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 026B0000
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 026B0FAC
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA29 1 Byte [8A]
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 3 Bytes JMP 026B0033
.text C:\WINDOWS\System32\svchost.exe[316] ADVAPI32.dll!RegCreateKeyA + 4 77DFBCC7 1 Byte [8A]
.text C:\WINDOWS\System32\svchost.exe[316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 026A0F8D
.text C:\WINDOWS\System32\svchost.exe[316] msvcrt.dll!system 77C293C7 5 Bytes JMP 026A0FB2
.text C:\WINDOWS\System32\svchost.exe[316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 026A0FD4
.text C:\WINDOWS\System32\svchost.exe[316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 026A000C
.text C:\WINDOWS\System32\svchost.exe[316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 026A0FC3
.text C:\WINDOWS\System32\svchost.exe[316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 026A0FEF
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02690000
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008A000A
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 027D000A
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 027D0FEF
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 027D0FDE
.text C:\WINDOWS\System32\svchost.exe[316] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 027D0FC3
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B70F69
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B70F7A
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B70F95
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B7005E
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B70FC3
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B70F31
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B70079
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B70F0C
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B700A5
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B70EFB
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B70FB2
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B7001B
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B70F4E
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[364] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B70094
.text C:\WINDOWS\system32\svchost.exe[364] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 008D0036
.text C:\WINDOWS\system32\svchost.exe[364] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 008D0073
.text C:\WINDOWS\system32\svchost.exe[364] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 008D001B
.text C:\WINDOWS\system32\svchost.exe[364] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 008D000A
.text C:\WINDOWS\system32\svchost.exe[364] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 008D0FC0
.text C:\WINDOWS\system32\svchost.exe[364] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[364] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 008D0062
.text C:\WINDOWS\system32\svchost.exe[364] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 008D0051
.text C:\WINDOWS\system32\svchost.exe[364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008C005A
.text C:\WINDOWS\system32\svchost.exe[364] msvcrt.dll!system 77C293C7 5 Bytes JMP 008C0049
.text C:\WINDOWS\system32\svchost.exe[364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008C002E
.text C:\WINDOWS\system32\svchost.exe[364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008C0FD9
.text C:\WINDOWS\system32\svchost.exe[364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008C001D
.text C:\WINDOWS\system32\svchost.exe[364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[364] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\svchost.exe[364] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[364] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[364] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0089000A
.text C:\WINDOWS\system32\svchost.exe[364] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\system32\svchost.exe[364] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[364] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 008E001B
.text C:\WINDOWS\system32\svchost.exe[364] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 008E0036
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90000
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90F5A
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90F6B
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90F7C
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A90F8D
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A9001B
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A90F18
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A90060
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A9009D
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A90082
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A90EE9
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A90F9E
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A90F35
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A90FAF
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A90FD4
.text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A90071
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A7001B
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A70F8A
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A70FCA
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A70000
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A70047
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00A7002C
.text C:\WINDOWS\System32\svchost.exe[612] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A70FA5
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60FAF
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60FCA
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A6003A
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A6000C
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60FDB
.text C:\WINDOWS\System32\svchost.exe[612] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A6001D
.text C:\WINDOWS\System32\svchost.exe[612] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\System32\svchost.exe[612] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[612] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008A000A
.text C:\WINDOWS\System32\svchost.exe[612] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[612] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[612] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\System32\svchost.exe[612] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A8000A
.text C:\WINDOWS\System32\svchost.exe[612] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A8001B
.text C:\WINDOWS\System32\svchost.exe[612] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A80FD4
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[724] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 10001040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[724] USER32.dll!DrawIconEx 7E42CB84 5 Bytes JMP 100011E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[724] USER32.dll!GetIconInfo 7E42D427 5 Bytes JMP 10001120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F8D
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90F9E
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90078
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90051
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90FB9
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F55
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90F7C
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F900D3
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F3A
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F90F1F
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F90040
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F9000A
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F900A7
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F9001B
.text C:\WINDOWS\System32\svchost.exe[904] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F900B8
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F7000A
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F70F83
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F70FC3
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F70FDE
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F70040
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F70F9E
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [17, 89]
.text C:\WINDOWS\System32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F70025
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60FAD
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60038
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F6001D
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F60FC8
.text C:\WINDOWS\System32\svchost.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F6000C
.text C:\WINDOWS\System32\svchost.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F5000A
.text C:\WINDOWS\System32\svchost.exe[904] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[904] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008A000A
.text C:\WINDOWS\System32\svchost.exe[904] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[904] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[904] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F80000
.text C:\WINDOWS\System32\svchost.exe[904] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\System32\svchost.exe[904] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F8001B
.text C:\WINDOWS\System32\svchost.exe[904] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00F80040
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0F8A
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE007F
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0064
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE003D
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0FA5
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE00B7
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE0F65
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE0F2F
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE0F40
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DE0F14
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DE002C
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DE0FD4
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DE0090
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DE001B
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DE000A
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DE00C8
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DC006C
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DC0040
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DC0025
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DC0FAF
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DC000A
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00DC0FCA
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [FC, 88]
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DC0051
.text C:\WINDOWS\Explorer.EXE[1080] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 00CB1040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\WINDOWS\Explorer.EXE[1080] USER32.dll!DrawIconEx 7E42CB84 5 Bytes JMP 00CB11E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\WINDOWS\Explorer.EXE[1080] USER32.dll!GetIconInfo 7E42D427 5 Bytes JMP 00CB1120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB004E
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0033
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0FC3
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0018
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0FDE
.text C:\WINDOWS\Explorer.EXE[1080] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00DD0FE5
.text C:\WINDOWS\Explorer.EXE[1080] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00DD0000
.text C:\WINDOWS\Explorer.EXE[1080] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00DD0011
.text C:\WINDOWS\Explorer.EXE[1080] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00DD0FB6
.text C:\WINDOWS\Explorer.EXE[1080] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B2000A
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B20076
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B20F8B
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B20FA8
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B2005B
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B20FD4
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B20F66
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B200A2
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B200C9
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B20F30
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B20F15
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B20FB9
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B2001B
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B20091
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B20036
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B20FE5
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B20F4B
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B00098
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B00025
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B00FE5
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B0007D
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B0006C
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B00047
.text C:\WINDOWS\system32\svchost.exe[1412] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF005F
.text C:\WINDOWS\system32\svchost.exe[1412] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0FD4
.text C:\WINDOWS\system32\svchost.exe[1412] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF003A
.text C:\WINDOWS\system32\svchost.exe[1412] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF000C
.text C:\WINDOWS\system32\svchost.exe[1412] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\system32\svchost.exe[1412] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF001D
.text C:\WINDOWS\system32\svchost.exe[1412] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\svchost.exe[1412] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\svchost.exe[1412] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[1412] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[1412] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0089000A
.text C:\WINDOWS\system32\svchost.exe[1412] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1412] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1412] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00B10FDE
.text C:\WINDOWS\system32\svchost.exe[1412] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00B1002F
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F6D
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F8A
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070084
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F48
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700C1
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700B0
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700D2
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070073
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1576] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0007009F
.text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[1576] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050025
.text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F9A
.text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FB5
.text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[1576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[1576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F75
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0060
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F86
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FA1
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00AC
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA009B
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F31
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F42
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BA0F16
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BA0FB2
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BA0F64
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BA0014
.text C:\WINDOWS\system32\lsass.exe[1588] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BA0F53
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B90054
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B90043
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B90F97
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\lsass.exe[1588] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B90FA8
.text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80064
.text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80049
.text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FE3
.text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80038
.text C:\WINDOWS\system32\lsass.exe[1588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8001D
.text C:\WINDOWS\system32\lsass.exe[1588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027B0000
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027B0089
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027B0078
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027B0F94
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027B0FA5
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027B0033
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027B00C6
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027B00B5
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027B0F3E
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027B0F59
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 027B00F2
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 027B0FB6
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 027B0FE5
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 027B00A4
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 027B0022
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 027B0011
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 027B00D7
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02790033
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02790F8E
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02790022
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02790011
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02790055
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02790000
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02790FB3
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [99, 8A]
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02790044
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02780FB4
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!system 77C293C7 5 Bytes JMP 02780049
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02780FE3
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0278000C
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02780038
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0278001D
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02770000
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0089000A
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 027A0FEF
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 027A0FD4
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 027A000A
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 027A001B
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01040FEF
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01040056
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01040045
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01040F6B
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01040F7C
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01040FA8
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01040F2B
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01040067
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010400BA
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010400A9
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010400D5
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01040F97
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0104000A
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01040F3C
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01040FC3
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01040FD4
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0104008E
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0102002C
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01020058
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01020FDB
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01020011
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01020047
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01020FA5
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [22, 89]
.text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01020FC0
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01010F64
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 01010F7F
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01010FB5
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01010FE3
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01010F90
.text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01010FD2
.text C:\WINDOWS\system32\svchost.exe[1836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1836] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\svchost.exe[1836] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[1836] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[1836] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0089000A
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01030FE5
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01030FCA
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 0103001B
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2036] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090FEF
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01090082
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01090F8D
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01090F9E
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090FAF
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01090036
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010900BA
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01090F68
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010900F0
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01090F4D
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0109010B
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01090047
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0109000A
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01090093
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01090025
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01090FD4
.text C:\WINDOWS\System32\svchost.exe[2936] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 010900CB
.text C:\WINDOWS\System32\svchost.exe[2936] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01070FDE
.text C:\WINDOWS\System32\svchost.exe[2936] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01070F8D
.text C:\WINDOWS\System32\svchost.exe[2936] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01070FEF
.text C:\WINDOWS\System32\svchost.exe[2936] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0107001B
.text C:\WINDOWS\System32\svchost.exe[2936] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01070F9E
.text C:\WINDOWS\System32\svchost.exe[2936] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0107000A
.text C:\WINDOWS\System32\svchost.exe[2936] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01070040
.text C:\WINDOWS\System32\svchost.exe[2936] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01070FB9
.text C:\WINDOWS\System32\svchost.exe[2936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01060FAB
.text C:\WINDOWS\System32\svchost.exe[2936] msvcrt.dll!system 77C293C7 5 Bytes JMP 01060036
.text C:\WINDOWS\System32\svchost.exe[2936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01060000
.text C:\WINDOWS\System32\svchost.exe[2936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01060FEF
.text C:\WINDOWS\System32\svchost.exe[2936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01060025
.text C:\WINDOWS\System32\svchost.exe[2936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01060FC6
.text C:\WINDOWS\System32\svchost.exe[2936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01050FE5
.text C:\WINDOWS\System32\svchost.exe[2936] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[2936] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008A000A
.text C:\WINDOWS\System32\svchost.exe[2936] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[2936] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[2936] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01080FE5
.text C:\WINDOWS\System32\svchost.exe[2936] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01080000
.text C:\WINDOWS\System32\svchost.exe[2936] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01080FCA
.text C:\WINDOWS\System32\svchost.exe[2936] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 0108001B
.text C:\WINDOWS\system32\SearchIndexer.exe[3272] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[3652] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 01C11040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[3652] USER32.dll!DrawIconEx 7E42CB84 5 Bytes JMP 01C111E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[3652] USER32.dll!GetIconInfo 7E42D427 5 Bytes JMP 01C11120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text c:\Gmer\gmer.exe[4768] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 10001040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text c:\Gmer\gmer.exe[4768] USER32.dll!DrawIconEx 7E42CB84 5 Bytes JMP 100011E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text c:\Gmer\gmer.exe[4768] USER32.dll!GetIconInfo 7E42D427 5 Bytes JMP 10001120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys (*** hidden *** ) F340E000-F3423000 (86016 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272cc0d4e
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxomimsyhcycmuqdygxwbkscgqhbuikjft.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272cc0d4e
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxomimsyhcycmuqdygxwbkscgqhbuikjft.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.15 ----
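
The log above contains two findings that are worth keeping apart. The .text lines are user-mode inline hooks: the first bytes of exported API entry points in lsass.exe and several svchost.exe instances have been overwritten with a 5-byte JMP. Where GMER can map the JMP target to a loaded module it prints that module, and here those are legitimate products (mcproxy.exe, CurXP0.dll) patching the same way; the hooks in lsass.exe and svchost.exe jump to addresses that no module claims, which is what deserves a look (an unattributed hook is not proof of malware on its own, since some security products inject unbacked code too). The Modules, Services and Registry sections are the stronger finding: a driver and its service exist in the registry but are hidden from the normal API views, registered with type 1 (kernel driver) and start 1 (system start), so the kernel loads the driver on every boot before any user-mode scanner runs, which is consistent with gaopdxcounter coming back after each removal. The Python script below is an added illustration for this thread, not GMER's or Malwarebytes' own code: it parses a saved GMER log into those categories and cross-references the hidden service name against its registry values. The embedded SAMPLE_LOG is a constructed excerpt made of lines from the log above; pass the path of a saved log on the command line to run it against a full log (Python 3.8 or newer).

```python
"""Triage a GMER 1.0.15 log: separate user-mode inline hooks whose JMP target no
module owns from hooks that belong to a named product, list hidden kernel
modules/services, and pull the registry values that reload a hidden driver at boot.
Added example for this thread, not GMER's or Malwarebytes' own code.  SAMPLE_LOG is
a constructed excerpt of lines from the log posted above (most lines omitted).
Usage: python gmer_triage.py [saved_gmer_log.txt]"""
import re
import sys
from collections import defaultdict

SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027B0000
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02790FB3
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [99, 8A]
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0087000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\Gmer\gmer.exe[4768] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 10001040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys (*** hidden *** ) F340E000-F3423000 (86016 bytes)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxavmatrvymyormeuexwwxhsmbbwhcqeaq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxomimsyhcycmuqdygxwbkscgqhbuikjft.dll
"""

# One inline hook per line: ".text <image>[<pid>] <dll>!<export>[ + n] <addr> <n> Bytes <detail>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>\S.*?)\[(?P<pid>\d+)\]\s+"
    r"(?P<symbol>\S+!\S+(?: \+ \d+)?)\s+[0-9A-F]{8}\s+\d+ Bytes\s+(?P<detail>.+)$"
)
# <detail> is "JMP <target>", optionally followed by the module GMER mapped the target to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<owner>\S.*))?$")
HIDDEN_MODULE_RE = re.compile(r"^Module\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)")
HIDDEN_SERVICE_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# "Reg <key>" or "Reg <key>@<value> <data>"; an empty <value> is the key's default value.
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S*)\s+(?P<data>.*))?$")
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<name>[^\\]+)(?P<sub>(?:\\[^\\]+)*)$", re.I)
SERVICE_KERNEL_DRIVER = 1   # registry "type" value of a kernel-mode driver
SERVICE_SYSTEM_START = 1    # registry "start" value: loaded by the kernel at boot

def parse_gmer(text):
    r = {"unattributed_hooks": [], "attributed_hooks": [], "hidden_modules": [],
         "hidden_services": [], "services": defaultdict(lambda: {"values": {}, "modules": {}})}
    for line in text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            j = JMP_RE.match(m["detail"])
            if not j:            # "+ n" continuation bytes of a split hook, not a JMP
                continue
            entry = (m["image"], int(m["pid"]), m["symbol"], int(j["target"], 16), j["owner"])
            r["attributed_hooks" if j["owner"] else "unattributed_hooks"].append(entry)
        elif m := HIDDEN_MODULE_RE.match(line):
            r["hidden_modules"].append(m["path"])
        elif m := HIDDEN_SERVICE_RE.match(line):
            r["hidden_services"].append({"name": m["name"], "path": m["path"], "start": m["start"]})
        elif (m := REG_RE.match(line)) and m["value"] is not None:
            s = SERVICE_KEY_RE.search(m["key"])
            if s and s["sub"] == "":                       # values directly under Services\<name>
                r["services"][s["name"].lower()]["values"][m["value"].lower()] = m["data"]
            elif s and s["sub"].lower() == r"\modules":    # companion files listed under \modules
                r["services"][s["name"].lower()]["modules"][m["value"]] = m["data"]
    return r

def boot_loaded_drivers(services):
    """Service keys whose type/start values make the kernel load a driver at boot."""
    out = {}
    for name, svc in services.items():
        v = svc["values"]
        if v.get("type") == str(SERVICE_KERNEL_DRIVER) and v.get("start") == str(SERVICE_SYSTEM_START):
            out[name] = {"imagepath": v.get("imagepath"), "group": v.get("group"),
                         "modules": dict(svc["modules"])}
    return out

def triage(text):
    r = parse_gmer(text)
    hidden = {h["name"].lower() for h in r["hidden_services"]}
    # A hidden service that is also registered as a system-start kernel driver comes
    # back on every boot, before any user-mode scanner gets to run.
    r["persistent_hidden_drivers"] = {n: d for n, d in boot_loaded_drivers(r["services"]).items()
                                      if n in hidden}
    r["services"] = dict(r["services"])
    return r

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = triage(src)
    for image, pid, symbol, target, _ in report["unattributed_hooks"]:
        print(f"hook {image}[{pid}] {symbol} -> {target:08X} (target owned by no module)")
    for name, d in report["persistent_hidden_drivers"].items():
        print(f"hidden system-start kernel driver {name}: {d['imagepath']} (group {d['group']!r})")
        for value, path in d["modules"].items():
            print(f"  companion module {value}: {path}")
```

On the sample excerpt the script reports three unattributed hooks in svchost.exe[1760], ignores the McAfee and CursorFX hooks because GMER named their owners, and ties the hidden gaopdxserv.sys service to its system-start driver and the companion gaopdxl DLL. Registry value names are compared case-insensitively because GMER prints them as stored, and the "+ 3" continuation lines of a split 5-byte hook are skipped rather than counted as a second hook.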

#11 rigel (FD-BC; Members, 12,944 posts; South Carolina - USA)

Posted 04 April 2009 - 09:57 PM

Please update and rerun Malwarebytes in Full Mode... post its new log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#12 the_seligmans (Topic Starter; Members, 16 posts)

Posted 05 April 2009 - 01:16 AM

Here's my MBAM log. Looks the same. I deleted my cygwin directory to speed up the scan:

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 3

4/4/2009 10:22:53 PM
mbam-log-2009-04-04 (22-22-53).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 342913
Time elapsed: 1 hour(s), 21 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#13 rigel (FD-BC; Members, 12,944 posts; South Carolina - USA)

Posted 05 April 2009 - 07:22 PM

Ok... let's beat this thing.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Then update and rerun Malwarebytes - quick scan.


#14 the_seligmans (Topic Starter; Members, 16 posts)

Posted 07 April 2009 - 10:31 PM

Sorry this took so long. I had a lot of trouble getting Dr Web to run without crashing. Whenever it hit a certain directory in <C:/WINDOWS/Downloaded Installations> it would crash. I went ahead and deleted the directory and ran it again. However, now there are several logs, 2 of which are over 80 MB. Since they're so big, I can't post them but Dr Web did find several infections (5 I think).

The results from MBAM look the same too. GAO looks like it's still there.

Malwarebytes' Anti-Malware 1.36
Database version: 1949
Windows 5.1.2600 Service Pack 3

4/7/2009 7:51:52 PM
mbam-log-2009-04-07 (19-51-52).txt

Scan type: Quick Scan
Objects scanned: 119519
Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#15 rigel (FD-BC; Members, 12,944 posts; South Carolina - USA)

Posted 08 April 2009 - 11:32 AM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; a self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.
