Infected with SKYNET and NTOSKRNL-HOOK with Bad Image Pop-up


This topic is locked
23 replies to this topic

#1 classic22

classic22

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 29 June 2009 - 05:16 PM

I started noticing that my Google search links were starting to get redirected (I used to have this problem before but I fixed it, so I thought it was the same virus), but after running a scan on Malwarebytes' Anti-Malware and from McAfee SecurityCenter, I found two different results (maybe they are related?). Malwarebytes' showed that I had a few trojans called SKYNET. McAfee said I had 2 NTOSKRNL-HOOK trojans, also known as Generic.Rootkit.d!rootkit. Tried deleting them there, rebooted, then I got a blue screen a few minutes after rebooting, saying that my physical memory is being deleted. So I opened my computer in safe mode, ran the scans again, found them again, deleted them (I did this process like eight times). Finally, frustrated, I opened it in normal mode; to my surprise the blue screen and the Google redirects had gone away. After deleting a few more files, I ran the scans again: now I only have 3 files infected with SKYNET and only 1 NTOSKRNL-HOOK trojan, so I deleted them and rebooted my computer. Upon reboot I started getting a string of continuous Windows process error messages, which also happens when I try to open and run any application; they say:
taskmgr.exe (but it applies to all processes that run) - Bad Image
The application or DLL globalroot\systemroot\system32\SKYNETnbnsiplj.dll is not a valid Windows image. Please check this against your installation diskette.

I also still have those 3 files infected with SKYNET and only 1 NTOSKRNL-HOOK trojan that won't go away. Sorry for the wordiness...PLEASE HELP! Also I have had a Patched Termsrv for like ever; any help on that would be greatly appreciated too! Thank You!

Here is my HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:16 PM, on 6/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkserv.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PMSveH.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\PMHandler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 5300 Series\lxdkmon.exe
C:\Program Files\Lexmark 5300 Series\lxdkamon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [PMHandler] C:\WINDOWS\system32\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [lxdkmon.exe] "C:\Program Files\Lexmark 5300 Series\lxdkmon.exe"
O4 - HKLM\..\Run: [lxdkamon] "C:\Program Files\Lexmark 5300 Series\lxdkamon.exe"
O4 - HKLM\..\Run: [Lexmark 5300 Series Fax Server] "C:\Program Files\Lexmark 5300 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165289468046
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdash...tg.1.0.0.33.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PMSveH - Lenovo - C:\WINDOWS\system32\PMSveH.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12808 bytes

Edited by Orange Blossom, 29 June 2009 - 11:07 PM.
Fix BB code tags. ~ OB



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:20 AM

Posted 02 July 2009 - 08:28 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 classic22

classic22
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 02 July 2009 - 10:20 PM

I put a $ everywhere the name appears; let me know if that is a problem...


DDS (Ver_09-06-26.01) - NTFSx86
Run by $ at 22:55:09.44 on Thu 07/02/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.56 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkserv.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PMSveH.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\PMHandler.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 5300 Series\lxdkmon.exe
C:\Program Files\Lexmark 5300 Series\lxdkamon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\xcopy.exe
C:\Documents and Settings\$\Desktop\dds.scr
c:\PROGRA~1\mcafee\msc\mcuimgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [PMHandler] c:\windows\system32\PMHandler.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauthe] "c:\program files\ibm thinkvantage\client security solution\cssauthe.exe" silent
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [lxdkmon.exe] "c:\program files\lexmark 5300 series\lxdkmon.exe"
mRun: [lxdkamon] "c:\program files\lexmark 5300 series\lxdkamon.exe"
mRun: [Lexmark 5300 Series Fax Server] "c:\program files\lexmark 5300 series\fm3032.exe" /s
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165289468046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\$\applic~1\mozilla\firefox\profiles\4l5zufsn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\$\application data\mozilla\firefox\profiles\4l5zufsn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {0D9B10EF-7B38-46BF-B565-CDBE207B5D75} - c:\windows\system32\config\systemprofile\local settings\application data\{0d9b10ef-7b38-46bf-b565-cdbe207b5d75}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-8-26 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-8-26 6016]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-3 201320]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2007-12-2 99248]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-3 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-1-3 144704]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-3 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-3 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-3 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-3 40488]
RUnknown plflxtkw;plflxtkw; [x]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ancsq.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-3 33832]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

=============== Created Last 30 ================

2009-06-29 18:25 <DIR> --d----- c:\program files\Trend Micro
2009-06-27 16:38 389,120 a------- c:\windows\system32\CF25932.exe
2009-06-27 16:35 389,120 a------- c:\windows\system32\cmd.execf
2009-06-21 18:15 56 ----h--- c:\docume~1\alluse~1\applic~1\ezsidmv.dat
2009-06-18 14:56 3,246 a------- c:\windows\system32\wbem\Outlook_01c9f04678779690.mof
2009-06-17 21:39 <DIR> --dsh--- c:\documents and settings\$\IECompatCache
2009-06-17 21:39 <DIR> --dsh--- c:\documents and settings\$\PrivacIE
2009-06-15 11:04 <DIR> --dsh--- c:\documents and settings\$\IETldCache
2009-06-15 00:53 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-15 00:53 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-15 00:53 <DIR> --d----- c:\windows\ie8updates
2009-06-15 00:51 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-15 00:39 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-28 01:00 5,427 a------- c:\windows\system32\EGATHDRV.SYS
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 00:55 133,120 -------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 -------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-01 21:26 61,224 -------- c:\documents and settings\$\GoToAssistDownloadHelper.exe
2009-01-26 14:45 41 -------- c:\documents and settings\$\calibration.dat
2007-10-24 11:18 168,592,911 -------- c:\program files\Adobe Photoshop 7.0_for PC_with serial.zip
2007-08-11 00:01 88 ---shr-- c:\windows\system32\60C76D2363.sys
2007-09-23 17:16 168 ---shr-- c:\windows\system32\8F1E4B2287.sys
2008-12-09 23:07 10,644 ---sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-26 12:54 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 23:05:13.67 ===============


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,994 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:20 AM

Posted 05 July 2009 - 07:15 PM

Hang on. A team member should be with you shortly.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 05 July 2009 - 07:37 PM

Hi Classic22,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

--------------------------------------------------------------

SKYNET is a stubborn rootkit. We need to use something strong to shift it.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Also

If you have any MBAM logs from previous runs showing the sort of infections it is finding then please attach them.

Thanks :thumbup2:
m0le is a proud member of UNITE

#6 classic22

classic22
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:20 AM

Posted 05 July 2009 - 10:06 PM

I put a $ everywhere the computer name appears; let me know if that is a problem...

ComboFix 09-03-28.06 - $ 2009-07-05 22:42:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.266 [GMT -4:00]
Running from: c:\documents and settings\$\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-02 23:02 . 2009-07-02 23:02 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-06-29 18:25 . 2009-06-29 18:25 <DIR> d-------- c:\program files\Trend Micro
2009-06-26 21:42 . 2009-06-26 21:42 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-06-25 22:51 . 2009-06-25 22:51 <DIR> d--hs---- c:\documents and settings\Guest\PrivacIE
2009-06-21 18:15 . 2009-06-22 17:56 <DIR> d-------- c:\documents and settings\Guest\Application Data\skypePM
2009-06-21 18:15 . 2009-06-21 18:15 56 ---h----- c:\documents and settings\All Users\Application Data\ezsidmv.dat
2009-06-21 18:14 . 2009-06-24 21:39 <DIR> d-------- c:\documents and settings\Guest\Application Data\Skype
2009-06-21 18:10 . 2009-06-21 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-06-17 21:39 . 2009-06-17 21:39 <DIR> d--hs---- c:\documents and settings\$\PrivacIE
2009-06-17 21:39 . 2009-06-17 21:39 <DIR> d--hs---- c:\documents and settings\$\IECompatCache
2009-06-16 20:56 . 2009-06-16 20:56 <DIR> d--hs---- c:\documents and settings\Guest\IETldCache
2009-06-15 11:04 . 2009-06-15 11:04 <DIR> d--hs---- c:\documents and settings\$\IETldCache
2009-06-15 11:04 . 2009-06-15 11:04 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-06-15 11:03 . 2009-06-15 11:03 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-06-15 00:53 . 2009-06-15 00:54 <DIR> d-------- c:\windows\ie8updates
2009-06-15 00:53 . 2009-04-30 17:22 246,272 --------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-15 00:53 . 2009-04-30 17:22 12,800 --------- c:\windows\system32\dllcache\xpshims.dll
2009-06-15 00:51 . 2009-05-12 01:11 102,912 --------- c:\windows\system32\dllcache\iecompat.dll
2009-06-15 00:39 . 2009-06-15 00:50 <DIR> d--h-c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 02:26 5,427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-06-23 01:16 --------- d-----w c:\documents and settings\Guest\Application Data\Move Networks
2009-06-18 01:26 --------- d-----w c:\program files\Java
2009-06-17 23:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:27 38,160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 19,096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-22 01:58 --------- d-----w c:\program files\AIM6
2009-05-22 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-22 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-05-22 01:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-05-13 05:15 915,456 ----a-w c:\windows\system32\wininet.dll
2009-05-13 05:15 915,456 ------w c:\windows\system32\dllcache\wininet.dll
2009-05-13 05:15 5,936,128 ------w c:\windows\system32\dllcache\mshtml.dll
2009-05-08 12:49 --------- d-----w c:\program files\Google
2009-05-07 15:32 345,600 ------w c:\windows\system32\localspl.dll
2009-05-07 15:32 345,600 ------w c:\windows\system32\dllcache\localspl.dll
2009-04-30 21:22 385,536 ------w c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 21:22 25,600 ------w c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 21:22 11,064,832 ------w c:\windows\system32\dllcache\ieframe.dll
2009-04-30 21:22 1,985,024 ------w c:\windows\system32\dllcache\iertutil.dll
2009-04-30 21:22 1,207,808 ------w c:\windows\system32\dllcache\urlmon.dll
2009-04-30 11:21 173,056 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 04:55 133,120 ------w c:\windows\system32\dllcache\extmgr.dll
2009-04-28 09:05 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 12:26 1,847,168 ------w c:\windows\system32\win32k.sys
2009-04-17 12:26 1,847,168 ------w c:\windows\system32\dllcache\win32k.sys
2009-04-15 14:51 585,216 ------w c:\windows\system32\rpcrt4.dll
2009-04-15 14:51 585,216 ------w c:\windows\system32\dllcache\rpcrt4.dll
2009-02-02 01:26 61,224 ------w c:\documents and settings\$\GoToAssistDownloadHelper.exe
2009-01-26 18:45 41 ------w c:\documents and settings\$\calibration.dat
2007-10-24 15:18 168,592,911 ------w c:\program files\Adobe Photoshop 7.0_for PC_with serial.zip
2007-08-11 04:01 88 --sh--r c:\windows\system32\60C76D2363.sys
2007-09-23 21:16 168 --sh--r c:\windows\system32\8F1E4B2287.sys
2008-12-10 03:07 10,644 --sh--w c:\windows\system32\KGyGaAvL.sys
2008-08-26 16:54 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-27_15.29.50.82 )))))))))))))))))))))))))))))))))))))))))
.
- 1998-10-29 21:45:06 306,688 ------w c:\windows\IsUninst.exe
+ 1998-10-29 20:45:06 306,688 ----a-w c:\windows\IsUninst.exe
- 2009-06-27 19:19:23 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-06 02:31:21 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-27 18:43:50 16,384 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-07-02 00:30:31 16,384 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-06-27 19:19:23 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-06 02:31:21 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-27 19:19:23 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-06 02:31:21 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-21 17:20:04 84,661 ------w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-04 18:14:59 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-06 02:25:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_780.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-28 761945]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-05-20 24576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 40960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2005-12-21 1988144]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-21 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-21 307888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 c:\windows\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 16:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-08-26 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-08-26 6016]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2007-12-02 99248]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6dedf408-bf5e-11dd-ac10-0016cee025ca}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-07-04 c:\windows\Tasks\ghhronsv.job
- c:\windows\system32\byXRjjIB.dll []

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\$\Application Data\Mozilla\Firefox\Profiles\4l5zufsn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\$\Application Data\Mozilla\Firefox\Profiles\4l5zufsn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 22:44:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor]
"imagepath"="\systemroot\system32\drivers\SKYNETiylkdkeu.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETiylkdkeu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

- - - - - - - > 'explorer.exe'(992)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
.
Completion time: 2009-07-05 22:49:56
ComboFix-quarantined-files.txt 2009-07-06 02:49:46
ComboFix2.txt 2009-06-27 19:33:20
ComboFix3.txt 2009-03-29 15:05:48

Pre-Run: 20,220,424,192 bytes free
Post-Run: 20,374,142,976 bytes free

237 --- E O F --- 2009-07-04 18:09:48

Malwarebytes' Anti-Malware 1.38
Database version: 2340
Windows 5.1.2600 Service Pack 3

7/1/2009 9:23:10 PM
mbam-log-2009-07-01 (21-23-10).txt

Scan type: Quick Scan
Objects scanned: 120312
Time elapsed: 12 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNETnbnsiplj.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\SKYNETwuvjpsul.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\drivers\SKYNETiylkdkeu.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETfvrncwbxus.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnpsecwosce.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 06 July 2009 - 03:02 PM

Changing your filename to $ is fine, Classic22. :thumbup2:

The MBAM log stripped the SKYNET rootkit out.

We need to run Combofix again.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Tasks\ghhronsv.job
c:\windows\system32\byXRjjIB.dll

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor]


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please run this scanner.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Thanks :)

Edited by m0le, 06 July 2009 - 03:04 PM.
Code change

m0le is a proud member of UNITE

#8 classic22

classic22
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:20 AM

Posted 06 July 2009 - 09:24 PM

ComboFix 09-03-28.06 - $ 2009-07-06 20:18:35.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.257 [GMT -4:00]
Running from: c:\documents and settings\$\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\$\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\system32\byXRjjIB.dll
c:\windows\Tasks\ghhronsv.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\ghhronsv.job

.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 19:43 . 2009-07-06 19:43 <DIR> d-------- C:\32788R22FWJFW
2009-07-02 23:02 . 2009-07-02 23:02 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-06-29 18:25 . 2009-06-29 18:25 <DIR> d-------- c:\program files\Trend Micro
2009-06-26 21:42 . 2009-06-26 21:42 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-06-25 22:51 . 2009-06-25 22:51 <DIR> d--hs---- c:\documents and settings\Guest\PrivacIE
2009-06-21 18:15 . 2009-06-22 17:56 <DIR> d-------- c:\documents and settings\Guest\Application Data\skypePM
2009-06-21 18:15 . 2009-06-21 18:15 56 ---h----- c:\documents and settings\All Users\Application Data\ezsidmv.dat
2009-06-21 18:14 . 2009-06-24 21:39 <DIR> d-------- c:\documents and settings\Guest\Application Data\Skype
2009-06-21 18:10 . 2009-06-21 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-06-17 21:39 . 2009-06-17 21:39 <DIR> d--hs---- c:\documents and settings\$\PrivacIE
2009-06-17 21:39 . 2009-06-17 21:39 <DIR> d--hs---- c:\documents and settings\$\IECompatCache
2009-06-16 20:56 . 2009-06-16 20:56 <DIR> d--hs---- c:\documents and settings\Guest\IETldCache
2009-06-15 11:04 . 2009-06-15 11:04 <DIR> d--hs---- c:\documents and settings\$\IETldCache
2009-06-15 11:04 . 2009-06-15 11:04 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-06-15 11:03 . 2009-06-15 11:03 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-06-15 00:53 . 2009-06-15 00:54 <DIR> d-------- c:\windows\ie8updates
2009-06-15 00:53 . 2009-04-30 17:22 246,272 --------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-15 00:53 . 2009-04-30 17:22 12,800 --------- c:\windows\system32\dllcache\xpshims.dll
2009-06-15 00:51 . 2009-05-12 01:11 102,912 --------- c:\windows\system32\dllcache\iecompat.dll
2009-06-15 00:39 . 2009-06-15 00:50 <DIR> d--h-c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 02:26 5,427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-06-23 01:16 --------- d-----w c:\documents and settings\Guest\Application Data\Move Networks
2009-06-18 01:26 --------- d-----w c:\program files\Java
2009-06-17 23:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:27 38,160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 19,096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-22 01:58 --------- d-----w c:\program files\AIM6
2009-05-22 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-22 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-05-22 01:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-05-13 05:15 915,456 ----a-w c:\windows\system32\wininet.dll
2009-05-13 05:15 915,456 ------w c:\windows\system32\dllcache\wininet.dll
2009-05-13 05:15 5,936,128 ------w c:\windows\system32\dllcache\mshtml.dll
2009-05-08 12:49 --------- d-----w c:\program files\Google
2009-05-07 15:32 345,600 ------w c:\windows\system32\localspl.dll
2009-05-07 15:32 345,600 ------w c:\windows\system32\dllcache\localspl.dll
2009-04-30 21:22 385,536 ------w c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 21:22 25,600 ------w c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 21:22 11,064,832 ------w c:\windows\system32\dllcache\ieframe.dll
2009-04-30 21:22 1,985,024 ------w c:\windows\system32\dllcache\iertutil.dll
2009-04-30 21:22 1,207,808 ------w c:\windows\system32\dllcache\urlmon.dll
2009-04-30 11:21 173,056 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 04:55 133,120 ------w c:\windows\system32\dllcache\extmgr.dll
2009-04-28 09:05 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 12:26 1,847,168 ------w c:\windows\system32\win32k.sys
2009-04-17 12:26 1,847,168 ------w c:\windows\system32\dllcache\win32k.sys
2009-04-15 14:51 585,216 ------w c:\windows\system32\rpcrt4.dll
2009-04-15 14:51 585,216 ------w c:\windows\system32\dllcache\rpcrt4.dll
2009-02-02 01:26 61,224 ------w c:\documents and settings\$\GoToAssistDownloadHelper.exe
2009-01-26 18:45 41 ------w c:\documents and settings\$\calibration.dat
2007-10-24 15:18 168,592,911 ------w c:\program files\Adobe Photoshop 7.0_for PC_with serial.zip
2007-08-11 04:01 88 --sh--r c:\windows\system32\60C76D2363.sys
2007-09-23 21:16 168 --sh--r c:\windows\system32\8F1E4B2287.sys
2008-12-10 03:07 10,644 --sh--w c:\windows\system32\KGyGaAvL.sys
2008-08-26 16:54 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-27_15.29.50.82 )))))))))))))))))))))))))))))))))))))))))
.
- 1998-10-29 21:45:06 306,688 ------w c:\windows\IsUninst.exe
+ 1998-10-29 20:45:06 306,688 ----a-w c:\windows\IsUninst.exe
- 2009-06-27 19:19:23 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-06 23:36:11 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-27 18:43:50 16,384 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-07-06 23:30:46 16,384 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-06-27 19:19:23 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-06 23:36:11 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-27 19:19:23 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-06 23:36:11 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-21 17:20:04 84,661 ------w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-04 18:14:59 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-06 23:30:57 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-28 761945]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-05-20 24576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 40960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2005-12-21 1988144]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-21 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-21 307888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 c:\windows\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 16:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-08-26 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-08-26 6016]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2007-12-02 99248]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6dedf408-bf5e-11dd-ac10-0016cee025ca}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\$\Application Data\Mozilla\Firefox\Profiles\4l5zufsn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\$\Application Data\Mozilla\Firefox\Profiles\4l5zufsn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 20:19:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor]
"imagepath"="\systemroot\system32\drivers\SKYNETiylkdkeu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
.
Completion time: 2009-07-06 20:25:12
ComboFix-quarantined-files.txt 2009-07-07 00:25:04
ComboFix2.txt 2009-07-06 02:50:06
ComboFix3.txt 2009-06-27 19:33:20
ComboFix4.txt 2009-03-29 15:05:48

Pre-Run: 20,391,149,568 bytes free
Post-Run: 20,383,825,920 bytes free

234 --- E O F --- 2009-07-04 18:09:48

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 22:15:06
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA1359AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAA135A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA135958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA13596C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA135A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA135A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAA135AF4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAA135AD9]
Code 82BF3E40 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA1359EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA135B1E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAA135A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA135930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA135944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA1359BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAA135B5A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA135AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAA135AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA135A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA135B46]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA135B32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA135996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA135982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAA135A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA135A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA135B08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA135A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA1359D4]
Code 82BB325E IofCallDriver
Code 82BD8736 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 82BB3263
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 82BD873B
.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP AA1359D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP AA1359AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP AA1359EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP AA135A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 82BF3E44
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP AA1359C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP AA135934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP AA135948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP AA135986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP AA135970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP AA13595C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP AA13599A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP AA135A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP AA135AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP AA135A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 7 Bytes JMP AA135B0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8061947E 7 Bytes JMP AA135AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D52 7 Bytes JMP AA135A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A330 5 Bytes JMP AA135A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7C0 7 Bytes JMP AA135A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A990 7 Bytes JMP AA135A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP AA135AF8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADDA 7 Bytes JMP AA135ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B702 5 Bytes JMP AA135A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA28 7 Bytes JMP AA135B5E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCE8 5 Bytes JMP AA135B36 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3DC 5 Bytes JMP AA135B4A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4F6 5 Bytes JMP AA135B22 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? system32\drivers\raxjrh.sys The system cannot find the path specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\rundll32.exe[164] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009D000A
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdkserv.exe[184] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008E000A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[404] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0089000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[536] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007F000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\McAfee\VirusScan\McShield.exe[560] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006C000A
.text C:\WINDOWS\system32\ctfmon.exe[608] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 088F000A
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[692] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0088000A
.text C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe[760] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C3000A
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[828] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0086000A
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F6D
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F8A
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F21
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F48
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070EEB
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F06
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070ED0
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070073
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070084
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F76
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F9B
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[852] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005003A
.text C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050055
.text C:\WINDOWS\system32\services.exe[852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F57
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00F72
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F83
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00F94
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00F29
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00071
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00EF6
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F07
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00EDB
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00FAF
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00014
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00F46
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00036
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F18
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0065
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF004A
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0FAD
.text C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0038
.text C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0027
.text C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\lsass.exe[864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE000C
.text C:\WINDOWS\system32\lsass.exe[864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F200A1
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20090
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20FB6
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F20069
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F2003D
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F200C8
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F20F76
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F20F5B
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F200F4
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F20119
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F20058
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F20F91
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F20022
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F20FDB
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F200D9
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10FDB
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10F91
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F1002C
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F1001B
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10058
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10FC0
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10047
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F00F9A
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F00FC6
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F00FB5
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[1028] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1028] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 00EE0FE5
.text C:\WINDOWS\system32\svchost.exe[1028] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 00EE0FD4
.text C:\WINDOWS\system32\svchost.exe[1028] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 00EE002F
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\explorer.exe[1040] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BA000A
.text C:\WINDOWS\explorer.exe[1040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\explorer.exe[1040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0036
.text C:\WINDOWS\explorer.exe[1040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F4B
.text C:\WINDOWS\explorer.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F5C
.text C:\WINDOWS\system32\svchost.exe[2532] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\svchost.exe[2532] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\svchost.exe[2532] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 00D3002C
.text C:\WINDOWS\system32\svchost.exe[2532] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 00D30FE5
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[2560] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe[2640] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00F3000A
.text C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe[2696] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BA000A
.text C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe[2772] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe[2792] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0097000A
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A851CD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETiylkdkeu.sys (*** hidden *** ) [SYSTEM] SKYNETtaekxjor <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee025ca
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee025ca@0007e05f6d1e 0x68 0x05 0x51 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee025ca@001963c34d4b 0xA0 0x93 0x78 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee025ca@001edc278ccb 0x8D 0x5D 0x81 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee025ca@0021065e16b5 0x59 0x24 0xD1 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee025ca@001edc28587e 0x8F 0x59 0x6B 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee025ca@0021064b7d19 0x2A 0x39 0x2C 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor@imagepath \systemroot\system32\drivers\SKYNETiylkdkeu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETiylkdkeu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules@SKYNETcmd.dll \systemroot\system32\SKYNETwuvjpsul.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules@SKYNETlog.dat \systemroot\system32\SKYNETkodqcnkm.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnbnsiplj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules@SKYNET.dat \systemroot\system32\SKYNETejnqmtoa.dat
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cee025ca
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cee025ca@0007e05f6d1e 0x68 0x05 0x51 0x7F ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cee025ca@001963c34d4b 0xA0 0x93 0x78 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cee025ca@001edc278ccb 0x8D 0x5D 0x81 0xA8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cee025ca@0021065e16b5 0x59 0x24 0xD1 0xDF ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cee025ca@001edc28587e 0x8F 0x59 0x6B 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cee025ca@0021064b7d19 0x2A 0x39 0x2C 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor@imagepath \systemroot\system32\drivers\SKYNETiylkdkeu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETiylkdkeu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\modules@SKYNETcmd.dll \systemroot\system32\SKYNETwuvjpsul.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\modules@SKYNETlog.dat \systemroot\system32\SKYNETkodqcnkm.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnbnsiplj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETtaekxjor\modules@SKYNET.dat \systemroot\system32\SKYNETejnqmtoa.dat

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Temp\SKYNEThtxvkosecy.tmp 18944 bytes executable
File C:\WINDOWS\system32\drivers\SKYNETiylkdkeu.sys 68608 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\SKYNETejnqmtoa.dat 93 bytes
File C:\WINDOWS\system32\SKYNETkodqcnkm.dat 171598 bytes
File C:\WINDOWS\system32\SKYNETnbnsiplj.dll 19456 bytes executable
File C:\WINDOWS\system32\SKYNETwuvjpsul.dll 43520 bytes executable

---- EOF - GMER 1.0.15 ----

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 07 July 2009 - 03:31 PM

The Combofix script didn't remove the registry entries that SKYNET put there, so it's still present.

Please run Combofix in safe mode.

Then rerun MBAM.

Then we'll see what that leaves us.
m0le is a proud member of UNITE
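The GMER log in the previous post carries three things worth separating when reading a TDSS-style infection like this one: the ".text ... 5 Bytes JMP" inline hooks on kernel32, ADVAPI32, WININET and ntdll exports in almost every user-mode process; the hidden SKYNETtaekxjor service and its driver; and the service's own registry map, where main\injector@* names the module to inject into every process and the modules subkey maps each alias to the real file on disk. The Python script below is an added triage example written for this thread, not a tool from GMER, ComboFix, Malwarebytes or either poster. It parses a constructed sample modelled on those log lines, groups the hooks by process, flags JMP targets that land in private memory far below the hooked system DLL (a heuristic I chose, not a GMER rule), and cross-references the service's module map against the files GMER listed. The C:\WINDOWS system root and the address threshold are assumptions.

```python
"""Triage helper for GMER 1.0.15 text logs (added example; not from GMER, ComboFix or this thread)."""
import re
from collections import defaultdict

# Constructed sample modelled on the lines posted above (one of each kind the parser needs).
SAMPLE_GMER_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[2532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D60EDA
.text C:\WINDOWS\system32\svchost.exe[2532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50025
.text C:\WINDOWS\system32\hkcmd.exe[2324] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003C000A
Service C:\WINDOWS\system32\drivers\SKYNETiylkdkeu.sys (*** hidden *** ) [SYSTEM] SKYNETtaekxjor <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor@imagepath \systemroot\system32\drivers\SKYNETiylkdkeu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETiylkdkeu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnbnsiplj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETtaekxjor\modules@SKYNETcmd.dll \systemroot\system32\SKYNETwuvjpsul.dll
File C:\WINDOWS\system32\SKYNETnbnsiplj.dll 19456 bytes executable
File C:\WINDOWS\system32\drivers\SKYNETiylkdkeu.sys 68608 bytes executable <-- ROOTKIT !!!
"""

HOOK_RE = re.compile(r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<export>\S+!\S+)\s+(?P<addr>[0-9A-F]{8})\s+5 Bytes JMP\s+(?P<target>[0-9A-F]{8})")
SERVICE_RE = re.compile(r"^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s+\[\w+\]\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)(?P<sub>(?:\\[^\\@\s]+)*)@(?P<value>\S+)\s+(?P<data>.+)$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes")
SYSTEMROOT = r"C:\WINDOWS"  # assumption: the XP default; GMER prints \systemroot for it in registry data


def parse_inline_hooks(log):
    """Group the '.text <process>[pid] module!export <addr> 5 Bytes JMP <target>' lines by process."""
    hooks = defaultdict(list)
    for m in filter(None, map(HOOK_RE.match, log.splitlines())):
        hooks[m["proc"]].append((m["export"], int(m["addr"], 16), int(m["target"], 16)))
    return dict(hooks)


def is_suspicious_target(hooked_addr, target):
    """Heuristic (my assumption, not a GMER rule): the hooked exports live in system DLLs mapped
    high in the 32-bit XP address space; a JMP into a private allocation far below them is injected code."""
    return target < 0x10000000 and (target >> 16) != (hooked_addr >> 16)


def parse_hidden_services(log):
    """Service lines: name -> {'image': driver path, 'hidden': True if GMER flagged it hidden}."""
    return {m["name"]: {"image": m["image"], "hidden": "hidden" in m["flags"]}
            for m in filter(None, map(SERVICE_RE.match, log.splitlines()))}


def parse_service_config(log, control_set="CurrentControlSet"):
    """Per service: ImagePath, main\\injector (process pattern -> module alias), modules (alias -> path)."""
    cfg = defaultdict(lambda: {"imagepath": None, "injector": {}, "modules": {}})
    for m in filter(None, map(REG_RE.match, log.splitlines())):
        if m["cs"] != control_set:
            continue
        sub, value, data, entry = m["sub"].lower(), m["value"], m["data"].strip(), cfg[m["svc"]]
        if sub == "" and value.lower() == "imagepath":
            entry["imagepath"] = data
        elif sub == "\\main\\injector":
            entry["injector"][value] = data
        elif sub == "\\modules":
            entry["modules"][value] = data
    return dict(cfg)


def resolve_systemroot(path, systemroot=SYSTEMROOT):
    """Expand the systemroot prefix GMER prints in registry data into a real path."""
    return systemroot + path[len("\\systemroot"):] if path.lower().startswith("\\systemroot\\") else path


def parse_files(log):
    """File lines: lowercased path -> size in bytes."""
    return {m["path"].lower(): int(m["size"]) for m in filter(None, map(FILE_RE.match, log.splitlines()))}


def triage(log, control_set="CurrentControlSet"):
    """Tie each hidden service to its driver, injected DLL, on-disk modules and the hooked processes."""
    hooks, files = parse_inline_hooks(log), parse_files(log)
    cfg = parse_service_config(log, control_set)
    report = {}
    for name, svc in parse_hidden_services(log).items():
        conf = cfg.get(name, {"imagepath": None, "injector": {}, "modules": {}})
        modules = {alias: resolve_systemroot(p) for alias, p in conf["modules"].items()}
        report[name] = {
            "hidden": svc["hidden"],
            "driver": resolve_systemroot(conf["imagepath"] or svc["image"]),
            # modules whose resolved path GMER also listed under Files (confirmed on disk)
            "modules_seen_on_disk": {a: p for a, p in modules.items() if p.lower() in files},
            # a '*' pattern means the injector loads that module into every process
            "injected_into": {pat: modules[alias] for pat, alias in conf["injector"].items() if alias in modules},
            "processes_with_suspicious_hooks": sum(
                1 for hs in hooks.values() if any(is_suspicious_target(a, t) for _, a, t in hs)),
        }
    return report


if __name__ == "__main__":
    for name, info in triage(SAMPLE_GMER_LOG).items():
        print(name, info)
```

Feed it a full GMER log and the report for SKYNETtaekxjor shows the driver, the DLL pushed into every process through the "*" injector pattern (which is why the user-mode hooks reappear in each new process), and which aliases in the modules map still point at files GMER can see. That last list is the practical check after a cleanup pass: if the service key survives while some of its module files are gone, the configuration is what brings the infection back on reboot, which is the point made above about the leftover registry entries. The script only reads the log; it does not touch the registry or files.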

#10 classic22

classic22
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:20 AM

Posted 07 July 2009 - 04:29 PM

Did I need to drag and drop the script into the Combofix again, or just run Combofix alone?

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 07 July 2009 - 05:36 PM

Just run Combofix alone.

#12 classic22

classic22
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:20 AM

Posted 07 July 2009 - 10:46 PM

McAfee is still picking up on the NTOSKRNL-HOOK rootkit; the Bad Image pop-ups seem to have gone, but the Google redirects are back, and it seems MBAM found a lot more SKYNET infections.

ComboFix 09-03-28.06 - $ 2009-07-07 21:58:31.5 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.335 [GMT -4:00]
Running from: c:\documents and settings\$\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-02 23:02 . 2009-07-02 23:02 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-06-29 18:25 . 2009-06-29 18:25 <DIR> d-------- c:\program files\Trend Micro
2009-06-26 21:42 . 2009-06-26 21:42 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-06-25 22:51 . 2009-06-25 22:51 <DIR> d--hs---- c:\documents and settings\Guest\PrivacIE
2009-06-21 18:15 . 2009-06-22 17:56 <DIR> d-------- c:\documents and settings\Guest\Application Data\skypePM
2009-06-21 18:15 . 2009-06-21 18:15 56 ---h----- c:\documents and settings\All Users\Application Data\ezsidmv.dat
2009-06-21 18:14 . 2009-06-24 21:39 <DIR> d-------- c:\documents and settings\Guest\Application Data\Skype
2009-06-21 18:10 . 2009-06-21 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-06-17 21:39 . 2009-06-17 21:39 <DIR> d--hs---- c:\documents and settings\$\PrivacIE
2009-06-17 21:39 . 2009-06-17 21:39 <DIR> d--hs---- c:\documents and settings\$\IECompatCache
2009-06-16 20:56 . 2009-06-16 20:56 <DIR> d--hs---- c:\documents and settings\Guest\IETldCache
2009-06-15 11:04 . 2009-06-15 11:04 <DIR> d--hs---- c:\documents and settings\$\IETldCache
2009-06-15 11:04 . 2009-06-15 11:04 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-06-15 11:03 . 2009-06-15 11:03 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-06-15 00:53 . 2009-06-15 00:54 <DIR> d-------- c:\windows\ie8updates
2009-06-15 00:53 . 2009-04-30 17:22 246,272 --------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-15 00:53 . 2009-04-30 17:22 12,800 --------- c:\windows\system32\dllcache\xpshims.dll
2009-06-15 00:51 . 2009-05-12 01:11 102,912 --------- c:\windows\system32\dllcache\iecompat.dll
2009-06-15 00:39 . 2009-06-15 00:50 <DIR> d--h-c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 02:26 5,427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-06-23 01:16 --------- d-----w c:\documents and settings\Guest\Application Data\Move Networks
2009-06-18 01:26 --------- d-----w c:\program files\Java
2009-06-17 23:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:27 38,160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 19,096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-22 01:58 --------- d-----w c:\program files\AIM6
2009-05-22 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-22 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-05-22 01:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-05-13 05:15 915,456 ----a-w c:\windows\system32\wininet.dll
2009-05-13 05:15 915,456 ------w c:\windows\system32\dllcache\wininet.dll
2009-05-13 05:15 5,936,128 ------w c:\windows\system32\dllcache\mshtml.dll
2009-05-08 12:49 --------- d-----w c:\program files\Google
2009-05-07 15:32 345,600 ------w c:\windows\system32\localspl.dll
2009-05-07 15:32 345,600 ------w c:\windows\system32\dllcache\localspl.dll
2009-04-30 21:22 385,536 ------w c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 21:22 25,600 ------w c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 21:22 11,064,832 ------w c:\windows\system32\dllcache\ieframe.dll
2009-04-30 21:22 1,985,024 ------w c:\windows\system32\dllcache\iertutil.dll
2009-04-30 21:22 1,207,808 ------w c:\windows\system32\dllcache\urlmon.dll
2009-04-30 11:21 173,056 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 04:55 133,120 ------w c:\windows\system32\dllcache\extmgr.dll
2009-04-28 09:05 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 12:26 1,847,168 ------w c:\windows\system32\win32k.sys
2009-04-17 12:26 1,847,168 ------w c:\windows\system32\dllcache\win32k.sys
2009-04-15 14:51 585,216 ------w c:\windows\system32\rpcrt4.dll
2009-04-15 14:51 585,216 ------w c:\windows\system32\dllcache\rpcrt4.dll
2009-02-02 01:26 61,224 ------w c:\documents and settings\$\GoToAssistDownloadHelper.exe
2009-01-26 18:45 41 ------w c:\documents and settings\$\calibration.dat
2007-10-24 15:18 168,592,911 ------w c:\program files\Adobe Photoshop 7.0_for PC_with serial.zip
2007-08-11 04:01 88 --sh--r c:\windows\system32\60C76D2363.sys
2007-09-23 21:16 168 --sh--r c:\windows\system32\8F1E4B2287.sys
2008-12-10 03:07 10,644 --sh--w c:\windows\system32\KGyGaAvL.sys
2008-08-26 16:54 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-27_15.29.50.82 )))))))))))))))))))))))))))))))))))))))))
.
- 1998-10-29 21:45:06 306,688 ------w c:\windows\IsUninst.exe
+ 1998-10-29 20:45:06 306,688 ----a-w c:\windows\IsUninst.exe
- 2009-06-27 19:19:23 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-08 01:50:02 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-27 18:43:50 16,384 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-07-08 01:50:02 16,384 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-06-27 19:19:23 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-08 01:50:02 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-27 19:19:23 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-08 01:50:02 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-21 17:20:04 84,661 ------w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-04 18:14:59 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-28 761945]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-05-20 24576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 40960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2005-12-21 1988144]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-21 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-21 307888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 c:\windows\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 16:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-08-26 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-08-26 6016]
S2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
S2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
S2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2007-12-02 99248]
S2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6dedf408-bf5e-11dd-ac10-0016cee025ca}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\$\Application Data\Mozilla\Firefox\Profiles\4l5zufsn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\$\Application Data\Mozilla\Firefox\Profiles\4l5zufsn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 21:59:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor]
"imagepath"="\systemroot\system32\drivers\SKYNETiylkdkeu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(244)
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

- - - - - - - > 'lsass.exe'(304)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(256)
c:\windows\system32\WININET.dll
.
Completion time: 2009-07-07 22:05:48
ComboFix-quarantined-files.txt 2009-07-08 02:05:41
ComboFix2.txt 2009-07-07 00:25:19
ComboFix3.txt 2009-07-06 02:50:06
ComboFix4.txt 2009-06-27 19:33:20
ComboFix5.txt 2009-07-08 01:54:46

Pre-Run: 20,925,739,008 bytes free
Post-Run: 20,910,120,960 bytes free

230 --- E O F --- 2009-07-04 18:09:48

Malwarebytes' Anti-Malware 1.38
Database version: 2389
Windows 5.1.2600 Service Pack 3

7/7/2009 11:36:03 PM
mbam-log-2009-07-07 (23-36-03).txt

Scan type: Quick Scan
Objects scanned: 122530
Time elapsed: 10 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNETnbnsiplj.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\SKYNETwuvjpsul.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\drivers\SKYNETiylkdkeu.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETfaqqojtutt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNEThtxvkosecy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETejnqmtoa.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETkodqcnkm.dat (Trojan.Agent) -> Quarantined and deleted successfully.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 08 July 2009 - 07:16 PM

Okay, Classic22, this could take some time to remove.

We need to run Combofix in normal mode and see if it will strip out the parts of SKYNET that MBAM didn't remove.

#14 classic22

classic22
  • Topic Starter

  • Members
  • 17 posts
  • Local time:07:20 AM

Posted 09 July 2009 - 01:55 PM

Just an update: the blue screen and Bad Image pop-ups are back. I am sorry, but I will be gone for a week starting tomorrow, so what will we do about this topic?

ComboFix 09-03-28.06 - $ 2009-07-09 14:38:55.6 - NTFSx86
Running from: c:\documents and settings\$\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-02 23:02 . 2009-07-02 23:02 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-06-29 18:25 . 2009-06-29 18:25 <DIR> d-------- c:\program files\Trend Micro
2009-06-26 21:42 . 2009-06-26 21:42 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-06-25 22:51 . 2009-06-25 22:51 <DIR> d--hs---- c:\documents and settings\Guest\PrivacIE
2009-06-21 18:15 . 2009-06-22 17:56 <DIR> d-------- c:\documents and settings\Guest\Application Data\skypePM
2009-06-21 18:15 . 2009-06-21 18:15 56 ---h----- c:\documents and settings\All Users\Application Data\ezsidmv.dat
2009-06-21 18:14 . 2009-06-24 21:39 <DIR> d-------- c:\documents and settings\Guest\Application Data\Skype
2009-06-21 18:10 . 2009-06-21 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-06-17 21:39 . 2009-06-17 21:39 <DIR> d--hs---- c:\documents and settings\$\PrivacIE
2009-06-17 21:39 . 2009-06-17 21:39 <DIR> d--hs---- c:\documents and settings\$\IECompatCache
2009-06-16 20:56 . 2009-06-16 20:56 <DIR> d--hs---- c:\documents and settings\Guest\IETldCache
2009-06-15 11:04 . 2009-06-15 11:04 <DIR> d--hs---- c:\documents and settings\$\IETldCache
2009-06-15 11:04 . 2009-06-15 11:04 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
2009-06-15 11:03 . 2009-06-15 11:03 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-06-15 00:53 . 2009-06-15 00:54 <DIR> d-------- c:\windows\ie8updates
2009-06-15 00:53 . 2009-04-30 17:22 246,272 --------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-15 00:53 . 2009-04-30 17:22 12,800 --------- c:\windows\system32\dllcache\xpshims.dll
2009-06-15 00:51 . 2009-05-12 01:11 102,912 --------- c:\windows\system32\dllcache\iecompat.dll
2009-06-15 00:39 . 2009-06-15 00:50 <DIR> d--h-c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 02:26 5,427 ----a-w c:\windows\system32\EGATHDRV.SYS
2009-06-23 01:16 --------- d-----w c:\documents and settings\Guest\Application Data\Move Networks
2009-06-18 01:26 --------- d-----w c:\program files\Java
2009-06-17 23:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-06-17 15:27 38,160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 19,096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-22 01:58 --------- d-----w c:\program files\AIM6
2009-05-22 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-22 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-05-22 01:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-05-13 05:15 915,456 ----a-w c:\windows\system32\wininet.dll
2009-05-13 05:15 915,456 ------w c:\windows\system32\dllcache\wininet.dll
2009-05-13 05:15 5,936,128 ------w c:\windows\system32\dllcache\mshtml.dll
2009-05-07 15:32 345,600 ------w c:\windows\system32\localspl.dll
2009-05-07 15:32 345,600 ------w c:\windows\system32\dllcache\localspl.dll
2009-04-30 21:22 385,536 ------w c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 21:22 25,600 ------w c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 21:22 11,064,832 ------w c:\windows\system32\dllcache\ieframe.dll
2009-04-30 21:22 1,985,024 ------w c:\windows\system32\dllcache\iertutil.dll
2009-04-30 21:22 1,207,808 ------w c:\windows\system32\dllcache\urlmon.dll
2009-04-30 11:21 173,056 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 04:55 133,120 ------w c:\windows\system32\dllcache\extmgr.dll
2009-04-28 09:05 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-04-17 12:26 1,847,168 ------w c:\windows\system32\win32k.sys
2009-04-17 12:26 1,847,168 ------w c:\windows\system32\dllcache\win32k.sys
2009-04-15 14:51 585,216 ------w c:\windows\system32\rpcrt4.dll
2009-04-15 14:51 585,216 ------w c:\windows\system32\dllcache\rpcrt4.dll
2009-02-02 01:26 61,224 ------w c:\documents and settings\$\GoToAssistDownloadHelper.exe
2009-01-26 18:45 41 ------w c:\documents and settings\$\calibration.dat
2007-10-24 15:18 168,592,911 ------w c:\program files\Adobe Photoshop 7.0_for PC_with serial.zip
2007-08-11 04:01 88 --sh--r c:\windows\system32\60C76D2363.sys
2007-09-23 21:16 168 --sh--r c:\windows\system32\8F1E4B2287.sys
2008-12-10 03:07 10,644 --sh--w c:\windows\system32\KGyGaAvL.sys
2008-08-26 16:54 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-27_15.29.50.82 )))))))))))))))))))))))))))))))))))))))))
.
- 1998-10-29 21:45:06 306,688 ------w c:\windows\IsUninst.exe
+ 1998-10-29 20:45:06 306,688 ----a-w c:\windows\IsUninst.exe
- 2009-06-27 19:19:23 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-09 18:23:35 32,768 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-06-27 18:43:50 16,384 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-07-08 02:52:37 16,384 --sha-w c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-06-27 19:19:23 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-09 18:23:35 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-06-27 19:19:23 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-09 18:23:35 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-21 17:20:04 84,661 ------w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-04 18:14:59 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-09 18:15:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-28 761945]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-05-20 24576]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 40960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2005-12-21 1988144]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-21 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-21 307888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 c:\windows\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-04-17 16:01 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-08-26 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-08-26 6016]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2007-12-02 99248]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6dedf408-bf5e-11dd-ac10-0016cee025ca}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\$\Application Data\Mozilla\Firefox\Profiles\4l5zufsn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\$\Application Data\Mozilla\Firefox\Profiles\4l5zufsn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 14:40:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor]
"imagepath"="\systemroot\system32\drivers\SKYNETiylkdkeu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
.
Completion time: 2009-07-09 14:45:56
ComboFix-quarantined-files.txt 2009-07-09 18:45:47
ComboFix2.txt 2009-07-08 02:05:54
ComboFix3.txt 2009-07-07 00:25:19
ComboFix4.txt 2009-07-06 02:50:06
ComboFix5.txt 2009-07-09 18:37:49

Pre-Run: 20,394,811,392 bytes free
Post-Run: 20,380,753,920 bytes free

227 --- E O F --- 2009-07-04 18:09:48

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 09 July 2009 - 05:22 PM

Okay, firstly we can hold this topic until you return.

Second, here are some instructions for you. If you can let me know when you are going and when you'll be back that would be useful.

--------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\WINDOWS\system32\SKYNETnbnsiplj.dll
c:\WINDOWS\system32\SKYNETwuvjpsul.dll
c:\windows\Temp\Perflib_Perfdata_7a8.dat

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor]

Driver::
SKYNETiylkdkeu


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks :thumbup2:

Edited by m0le, 09 July 2009 - 05:23 PM.

m0le is a proud member of UNITE
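As an added example (not code from ComboFix, BleepingComputer or m0le's reply), the Python below shows how a responder can triage a ComboFix log like the one posted above and then render a CFScript in the layout m0le used. It parses the R*/S* service lines and the catchme hidden-service block exactly in the shape they appear in this log, flags hidden services whose names have the uppercase-prefix-plus-eight-random-letters shape of the SKYNET entries and visible services whose binary ComboFix could not stat (the `[?]` entries), and builds the `File::`/`Registry::`/`Driver::` sections. The sample input is constructed from lines copied out of the log; the function names, the regular expressions and the "randomized name" heuristic are my own assumptions, not anything ComboFix documents.

```python
"""Triage helpers for a ComboFix log (added example; not ComboFix's own code).

Assumptions: service lines look like 'R2 name;display;path [date size]' or
'... [?]', and the catchme block prints a service key followed by its
"imagepath" value, as in the log posted in this thread.
"""
import re

# Constructed sample input: lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2005-12-21 3968]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor]
"imagepath"="\systemroot\system32\drivers\SKYNETiylkdkeu.sys"
"""

# 'R2 name;display;path [2005-12-21 3968]' or '... [?]' when the file could not be found.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[(\?|\d{4}-\d\d-\d\d \d+)\]$")
HIDDEN_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$")
IMAGEPATH_RE = re.compile(r'^"imagepath"="([^"]+)"$', re.IGNORECASE)
# Heuristic (my assumption): uppercase prefix plus an eight-letter lowercase tail,
# the shape of SKYNETtaekxjor / SKYNETiylkdkeu in this log.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{3,}[a-z]{8}$")


def parse_services(log):
    """Return the R*/S* service lines as dicts; 'verified' is False for '[?]' entries."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, info = m.groups()
            out.append({"start": start, "name": name, "display": display,
                        "path": path, "verified": info != "?"})
    return out


def parse_hidden_services(log):
    """Return (service_name, imagepath) pairs from the catchme hidden-service block."""
    out, pending = [], None
    for line in log.splitlines():
        line = line.strip()
        k = HIDDEN_KEY_RE.match(line)
        if k:
            pending = k.group(1)
            continue
        p = IMAGEPATH_RE.match(line)
        if p and pending:
            out.append((pending, p.group(1)))
            pending = None
    return out


def looks_randomized(name):
    """True for names shaped like the SKYNET service/driver names in this log."""
    return bool(RANDOM_NAME_RE.match(name))


def triage(log):
    """List what a responder would look at first: hidden services with randomized
    names, then visible services whose binary ComboFix could not verify."""
    findings = []
    for name, image in parse_hidden_services(log):
        if looks_randomized(name):
            findings.append(("hidden-service", name, image))
    for svc in parse_services(log):
        if not svc["verified"]:
            findings.append(("unverified-binary", svc["name"], svc["path"]))
    return findings


def build_cfscript(files=(), registry_keys=(), drivers=()):
    """Render a CFScript with the File::/Registry::/Driver:: sections shown in the reply above.
    Registry keys are written as [-KEY], i.e. marked for deletion."""
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if registry_keys:
        parts.append("Registry::\n" + "\n".join(f"[-{k}]" for k in registry_keys))
    if drivers:
        parts.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {name:16} {detail}")
    print(build_cfscript(
        registry_keys=[r"HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETtaekxjor"],
        drivers=["SKYNETiylkdkeu"]))
```

The `[?]` hits are only leads, not verdicts: in this log both `lxdk_device` (a Lexmark printer service) and `ANCSQ` are legitimate vendor entries whose file simply was not found, which is why the hidden service with the randomized name is listed first and the rest is left for a human to check against the vendor paths.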



