
I can't remove freddy46.exe, ld09.exe, mstre19.exe from my registry.


  • This topic is locked
22 replies to this topic

#1 reira

  • Members
  • 20 posts

Posted 20 July 2009 - 02:41 PM

Hello.

I have been trying to get rid of these viruses (freddy46.exe, ld09.exe, and mstre19) for a while and none of Ad-Aware, McAfee, Malwarebytes, CCleaner, or HijackThis has been able to get rid of them from my registry. The problem originated when I went on a random website and suddenly my computer started giving me pop-ups saying that my computer was infected and that I needed to run an anti-virus program (one that I did not have). I ran McAfee and Malwarebytes and it deleted all of the viruses and trojans it detected except for the ones I have mentioned that seem to be stuck on my start-up registry.

I also was not able to use Windows Live Messenger without Ad-Watch popping up detecting registry modifications and blocked cookies nonstop and I have since deleted the program from my computer (although an old version seems to have remained there?).

I guess I should also mention that I am still able to use many major programs and the internet (using Firefox) without any problems, except for Windows Live Messenger.

Any help would be much appreciated, thank you!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:51 PM, on 7/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\GSP\Software\GspTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.consolidated.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld09.exe
O4 - HKLM\..\Run: [sysmstray] C:\windows\mstre19.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy46.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Schmidt\LOCALS~1\Temp\zg8sv.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Schmidt\LOCALS~1\Temp\services.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GSPTray.lnk = C:\GSP\Software\GspTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199112779640
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 6918 bytes

Edited by reira, 20 July 2009 - 03:20 PM.

#2 DocSatan

    Bleepin' Wanna-Be

  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 31 July 2009 - 12:02 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 reira
  • Topic Starter

  • Members
  • 20 posts

Posted 31 July 2009 - 03:51 PM

Hi, thank you for the reply!

Freddy46.exe, ld09.exe, and mstre19.exe are still in my registry settings on Start Up.

The problem originated while I was trying to look for a picture and clicked on a random website. Suddenly, a pop-up started telling me that my computer was infected and that I needed to buy their anti-virus program for complete protection. I would also hear random music or advertisements on my headphones even when all of my windows were closed. If I tried to Google up something, the page would redirect to some other unrelated website. Internet Explorer's history also logged websites I had never visited (some for foot cream and others for hotels) and ended up blocking them all. I got McAfee and Ad-Aware SE Professional installed on my computer and ran scans on both (I also disabled System Restore until it's safe to turn it back on). They quarantined many viruses and I managed to delete even more with Malwarebytes.

Since then, I have had no pop-ups or random advertisements playing in the background or random website visitations on IE but when I ran Messenger Live one day, Ad-Watch would pop up logging many blocked cookies and registry changes. I uninstalled Windows Live and have tried many times to delete those .exe viruses from my registry but they keep showing up again every time I restart my computer. I have run a few more scans on Malwarebytes and it'll detect those three viruses every time and only once (two weeks ago?) did it detect a few more trojans as well. HijackThis and CCleaner have also been unsuccessful in getting rid of them.

Everything else runs smoothly and I've had no other problems with IE or Firefox (which I installed after deleting all the viruses/Trojans). I'm just worried they'll let in more viruses or trojans when I use the internet and I want to get rid of them completely. I hope you guys can help me, I'd appreciate it so much!

Here's my DDS log, I hope I did this right:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Schmidt at 15:21:50.00 on Fri 07/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1016.561 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\GSP\Software\GspTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Schmidt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://email.consolidated.net/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [system tool] c:\windows\sysguard.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\schmidt\locals~1\temp\zg8sv.exe
uRun: [Windows System Recover!] c:\docume~1\schmidt\locals~1\temp\services.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [AWMON] "c:\progra~1\lavasoft\ad-awa~1\Ad-Watch.exe"
mRun: [CaAvTray] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
mRun: [sysldtray] c:\windows\ld09.exe
mRun: [sysmstray] c:\windows\mstre19.exe
mRun: [sysfbtray] c:\windows\freddy46.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gsptray.lnk - c:\gsp\software\GspTray.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199112779640
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h20264.www2.hp.com/ediags/hpfix/sj/en/check/xp/qdiagh.cab?326
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\schmidt\applic~1\mozilla\firefox\profiles\mne0p2rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://email.consolidated.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-19 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-19 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-19 40552]
S2 EdgeStat;EdgeStat;\??\c:\windows\system32\drivers\edgestat.sys --> c:\windows\system32\drivers\edgestat.sys [?]
S2 PAR1284;PAR1284;\??\c:\windows\system32\drivers\par1284.sys --> c:\windows\system32\drivers\PAR1284.sys [?]
S3 Caiiskleairu;Caiiskleairu; [x]
S3 Edgemdsk;Edgemdsk; [x]
S3 Fltbiukko;Fltbiukko; [x]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-19 34248]
S3 Mxdostsft;Mxdostsft; [x]
S3 Pci.ne;Pci.ne;c:\windows\system32\drivers\processr.sys [2002-8-28 35328]
S3 Ql1msiskdstp;Ql1msiskdstp; [x]
S3 Seripe30bu;Seripe30bu; [x]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2004-12-1 438912]

=============== Created Last 30 ================


==================== Find3M ====================

2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-20 09:51 622,080 a------- c:\windows\system32\netcfgx.dll
2009-06-19 12:07 144 a------- C:\nm8912.bat
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll

============= FINISH: 15:22:26.15 ===============

Edited by reira, 31 July 2009 - 03:55 PM.
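The Run entries and the service lines in the HijackThis log in post #1 and in the DDS log above are what a helper reads first: the value names sysldtray, sysmstray and sysfbtray point at executables sitting directly in C:\windows, two HKCU entries run from the user's Temp folder (one of them named services.exe), and several S3 services are registered with no image file at all. The following Python script is an added example, not a tool from this thread or from BleepingComputer, that applies those review heuristics to constructed lines modelled on the logs. The function names (`triage`, `assess_run`, `assess_service`), the regexes, the heuristics and the sample lines are my own assumptions, and a flag is a cue for a human to look, not a verdict.

```python
"""Triage helper for autostart and service lines from HijackThis / DDS logs.
Added example, not a tool from this thread: the sample lines are constructed
to mirror the O4 / uRun / mRun / service lines posted above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on (not copied from) the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld09.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Schmidt\LOCALS~1\Temp\zg8sv.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Schmidt\LOCALS~1\Temp\services.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [sysfbtray] c:\windows\freddy46.exe
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-19 34248]
S3 Caiiskleairu;Caiiskleairu; [x]
S2 EdgeStat;EdgeStat;\??\c:\windows\system32\drivers\edgestat.sys --> c:\windows\system32\drivers\edgestat.sys [?]
"""

# HijackThis "O4 - HKLM\..\Run: [name] command" and DDS "mRun:/uRun: [name] command"
RUN_RE = re.compile(r"^(?:O4 - (?:HKLM|HKCU)\\\.\.\\Run: |[um]Run: )\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS / ComboFix "S3 name;description;image path [date size]" service lines
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*)$")

# Process names malware borrows; the genuine ones live in %WINDIR% or %WINDIR%\system32
SYSTEM_LOOKALIKES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                     "csrss.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = re.compile(r"[a-z]:\\windows(\\system32)?")

@dataclass
class Finding:
    kind: str              # "run" or "service"
    name: str              # registry value name or service name
    target: str            # executable / image path as logged
    reasons: list = field(default_factory=list)

def _exe_path(cmd: str) -> str:
    """Strip quotes and arguments from a Run value, keeping only the executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return next((t for t in cmd.split() if t.lower().endswith(".exe")), cmd)

def _looks_random(name: str) -> bool:
    """Long alphanumeric value names mixing letters and digits are typical of droppers."""
    compact = name.replace(" ", "")
    return (len(compact) >= 16 and compact.isalnum()
            and any(c.isdigit() for c in compact) and any(c.isalpha() for c in compact))

def assess_run(name: str, cmd: str) -> Finding:
    """Apply autostart heuristics to one Run entry; an empty reasons list means nothing tripped."""
    path = _exe_path(cmd)
    folder, _, exe = path.lower().rpartition("\\")
    f = Finding("run", name, path)
    if re.fullmatch(r"[a-z]:\\windows", folder):
        f.reasons.append("executable placed directly in the Windows folder")
    if "\\temp\\" in folder + "\\":
        f.reasons.append("executable runs from a Temp directory")
    if exe in SYSTEM_LOOKALIKES and not SYSTEM_DIRS.fullmatch(folder):
        f.reasons.append(f"{exe} outside its system location (name mimics a Windows process)")
    if _looks_random(name):
        f.reasons.append("random-looking value name")
    return f

def assess_service(name: str, path: str) -> Finding:
    """Flag services/drivers whose image file is missing or was never recorded."""
    path = path.strip()
    f = Finding("service", name, path)
    if path == "[x]":
        f.reasons.append("registered with no image file (orphan or hidden loader)")
    elif path.endswith("[?]"):
        f.reasons.append("image path set but the file was not found on disk")
    return f

def triage(log_text: str) -> list:
    """Return the Findings that tripped at least one heuristic, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            f = assess_run(m["name"], m["cmd"])
        elif m := SVC_RE.match(line):
            f = assess_service(m["name"], m["path"])
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, repr(f.name), f.target, "->", "; ".join(f.reasons))
```

Run against the constructed sample, the script leaves IgfxTray, ctfmon.exe and the McAfee driver alone and reports the three C:\windows entries, the two Temp entries (services.exe also trips the look-alike rule), the image-less Caiiskleairu service and the EdgeStat driver whose file is missing. Entries that keep coming back after deletion, as in this thread, are the reason the helpers move on to ComboFix and a rootkit scan rather than editing the registry by hand: something else on the machine is recreating them.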


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 31 July 2009 - 05:55 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 reira
  • Topic Starter

  • Members
  • 20 posts

Posted 01 August 2009 - 02:27 PM

After running ComboFix, it restarted my computer normally and I saved the log. However, I got a warning from McAfee saying that regedit.exe was added to C:\WINDOWS\ as C:\WINDOWS\regedit.exe. I allowed the change so that GMER could scan and it did so successfully. I restarted my computer and those three .exe viruses returned to my registry. Ad-Watch also informed me of 18 more registry changes that were made to my computer. Also, "Just-In-Time Debugging" popped up asking me to select a debugger with New Instance of Microsoft Script Editor being the only option. I have not clicked anything yet.

Here is a picture of the warning I got from McAfee.

I haven't made any changes to my computer since I started the topic. I did "free up space" and "rearrange items" cleaning before running the DDS though. The only programs I have used are Photoshop, Gerber Omega, and Firefox.

Here is the ComboFix log:

ComboFix 09-07-31.04 - Schmidt 08/01/2009 12:27.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1016.684 [GMT -5:00]
Running from: c:\documents and settings\Schmidt\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1070123276
c:\program files\driver

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 17:31 . 2004-08-04 06:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-01 17:31 . 2004-08-04 06:56 50176 ----a-w- c:\windows\system32\proquota.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 14:09 . 2008-01-02 16:37 -------- d-----w- c:\program files\Windows Live
2009-06-29 16:12 . 2002-09-03 17:12 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2007-12-28 20:31 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-09-03 16:29 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 15:45 . 2009-06-19 18:29 -------- d-----w- c:\program files\McAfee
2009-06-23 19:05 . 2009-06-23 19:05 -------- d-----w- c:\program files\Trend Micro
2009-06-22 22:53 . 2009-06-22 22:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-22 18:53 . 2009-06-22 18:52 -------- d-----w- c:\program files\CCleaner
2009-06-20 18:14 . 2009-06-20 18:14 -------- d-----w- c:\documents and settings\Schmidt\Application Data\Malwarebytes
2009-06-20 18:14 . 2009-06-20 18:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 18:14 . 2009-06-20 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 15:23 . 2009-06-20 15:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-20 15:22 . 2009-06-20 15:22 0 ----a-w- c:\windows\nsreg.dat
2009-06-20 14:51 . 2002-09-03 16:47 622080 ----a-w- c:\windows\system32\netcfgx.dll
2009-06-19 18:36 . 2009-06-19 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-19 18:34 . 2009-06-19 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-06-19 18:34 . 2009-06-19 18:34 -------- d-----w- c:\program files\SiteAdvisor
2009-06-19 18:33 . 2009-06-19 18:33 130 ----a-w- c:\documents and settings\Schmidt\Local Settings\Application Data\fusioncache.dat
2009-05-14 04:25 . 2009-05-14 04:25 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-05-14 04:24 . 2009-06-19 18:27 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-05-07 15:44 . 2002-09-03 16:39 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-22 17:06 . 2009-06-20 15:21 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-06-06 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-06-06 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-25 385024]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"AWMON"="c:\progra~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2004-09-16 538112]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-2 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
GSPTray.lnk - c:\gsp\Software\GspTray.exe [2008-1-2 331776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/19/2009 1:34 PM 210216]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [12/1/2004 7:35 PM 438912]
S2 EdgeStat;EdgeStat;\??\c:\windows\system32\drivers\edgestat.sys --> c:\windows\system32\drivers\edgestat.sys [?]
S3 Caiiskleairu;Caiiskleairu; [x]
S3 Edgemdsk;Edgemdsk; [x]
S3 Fltbiukko;Fltbiukko; [x]
S3 Mxdostsft;Mxdostsft; [x]
S3 Pci.ne;Pci.ne;c:\windows\system32\drivers\processr.sys [8/28/2002 8:05 PM 35328]
S3 Ql1msiskdstp;Ql1msiskdstp; [x]
S3 Seripe30bu;Seripe30bu; [x]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-06-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-19 13:57]

2009-06-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-19 13:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CaAvTray - c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
HKLM-Run-CAVRID - c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
HKLM-Run-sysldtray - c:\windows\ld09.exe
HKLM-Run-sysmstray - c:\windows\mstre19.exe
HKLM-Run-sysfbtray - c:\windows\freddy46.exe
HKLM-Run-<NO NAME> - (no file)
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://email.consolidated.net/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Schmidt\Application Data\Mozilla\Firefox\Profiles\mne0p2rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://email.consolidated.net/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 12:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2009-08-01 12:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 17:40

Pre-Run: 52,210,462,720 bytes free
Post-Run: 53,193,940,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

170 --- E O F --- 2009-07-29 23:20

GMER Log:

GMER 1.0.15.15011 [o58ewmj1.exe] - http://www.gmer.net
Rootkit scan 2009-08-01 14:02:54
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE4CB4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEE4CB581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE4CB498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE4CB4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE4CB595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE4CB5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE4CB62F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE4CB619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE4CB52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE4CB65B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE4CB56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE4CB470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE4CB484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE4CB4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE4CB697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE4CB603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE4CB5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE4CB5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE4CB683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE4CB66F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE4CB4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE4CB4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEE4CB5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE4CB559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE4CB645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE4CB540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE4CB514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP EE4CB518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80567D7B 5 Bytes JMP EE4CB571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056B183 7 Bytes JMP EE4CB5F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056BDCD 5 Bytes JMP EE4CB4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8056E829 5 Bytes JMP EE4CB585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 8056EC39 7 Bytes JMP EE4CB69B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 7 Bytes JMP EE4CB633 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056FC78 5 Bytes JMP EE4CB4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571F71 5 Bytes JMP EE4CB544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 805723EC 7 Bytes JMP EE4CB52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80572D86 5 Bytes JMP EE4CB474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80573135 7 Bytes JMP EE4CB502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80573D0D 7 Bytes JMP EE4CB5DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 8057FC04 7 Bytes JMP EE4CB61D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581F0E 7 Bytes JMP EE4CB4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805847CC 5 Bytes JMP EE4CB55D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058C892 5 Bytes JMP EE4CB488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80590EA2 5 Bytes JMP EE4CB65F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593B38 7 Bytes JMP EE4CB5C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805951C2 7 Bytes JMP EE4CB599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0B34 5 Bytes JMP EE4CB49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062C4B3 5 Bytes JMP EE4CB4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064C148 5 Bytes JMP EE4CB673 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064C421 7 Bytes JMP EE4CB649 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CCF0 7 Bytes JMP EE4CB607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064D137 7 Bytes JMP EE4CB5AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064D62A 5 Bytes JMP EE4CB687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00860FEF
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00860067
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00860056
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00860F7C
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0086002F
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00860FA8
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008600A6
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00860089
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00860F28
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00860F39
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008600DC
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00860F97
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00860FDE
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00860078
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00860FC3
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00860014
.text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008600B7
.text C:\WINDOWS\System32\svchost.exe[424] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0085001B
.text C:\WINDOWS\System32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00850F94
.text C:\WINDOWS\System32\svchost.exe[424] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00850FCA
.text C:\WINDOWS\System32\svchost.exe[424] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00850FE5
.text C:\WINDOWS\System32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0085005B
.text C:\WINDOWS\System32\svchost.exe[424] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00850000
.text C:\WINDOWS\System32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00850040
.text C:\WINDOWS\System32\svchost.exe[424] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00850FAF
.text C:\WINDOWS\System32\svchost.exe[424] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0084004C
.text C:\WINDOWS\System32\svchost.exe[424] msvcrt.dll!system 77C293C7 5 Bytes JMP 00840FC1
.text C:\WINDOWS\System32\svchost.exe[424] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00840FD2
.text C:\WINDOWS\System32\svchost.exe[424] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00840FE3
.text C:\WINDOWS\System32\svchost.exe[424] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00840027
.text C:\WINDOWS\System32\svchost.exe[424] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0084000C
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EB0F83
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EB006E
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EB0051
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EB0F9E
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EB0FCA
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EB00A6
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EB0F5E
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EB0F1E
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EB0F39
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00EB00D2
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00EB0FAF
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00EB0089
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00EB0040
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00EB0025
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00EB00B7
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A30051
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A30FAF
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7832 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A30036
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A3001B
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A30FCA
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A3006C
.text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20FB5
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20036
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20011
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FE3
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20FC6
.text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\services.exe[736] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E70075
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E70F80
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E70F9B
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E70058
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E7002C
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E700B7
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E70090
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E700E3
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E70F4A
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00E70F2F
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00E7003D
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00E70F65
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00E70FC0
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00E7001B
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00E700C8
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00E60036
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00E60087
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00E6000A
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00E60FCA
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00E60062
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00E60051
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E50FB2
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E50FC3
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E5000C
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E50FD4
.text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E5001D
.text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BD0000
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A00A2
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0FAD
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0FCA
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0087
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A006C
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F75
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F90
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00FD
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F64
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A010E
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A0FE5
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A001B
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A00BD
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A0047
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A0036
.text C:\Program Files\Messenger\msmsgs.exe[836] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A00D8
.text C:\Program Files\Messenger\msmsgs.exe[836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00280042
.text C:\Program Files\Messenger\msmsgs.exe[836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00280FB7
.text C:\Program Files\Messenger\msmsgs.exe[836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00280FD2
.text C:\Program Files\Messenger\msmsgs.exe[836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00280FE3
.text C:\Program Files\Messenger\msmsgs.exe[836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00280027
.text C:\Program Files\Messenger\msmsgs.exe[836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0028000C
.text C:\Program Files\Messenger\msmsgs.exe[836] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0029001B
.text C:\Program Files\Messenger\msmsgs.exe[836] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00290F72
.text C:\Program Files\Messenger\msmsgs.exe[836] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00290FCA
.text C:\Program Files\Messenger\msmsgs.exe[836] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00290000
.text C:\Program Files\Messenger\msmsgs.exe[836] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00290F83
.text C:\Program Files\Messenger\msmsgs.exe[836] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00290FEF
.text C:\Program Files\Messenger\msmsgs.exe[836] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00290F94
.text C:\Program Files\Messenger\msmsgs.exe[836] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00290FAF
.text C:\Program Files\Messenger\msmsgs.exe[836] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 002A0000
.text C:\Program Files\Messenger\msmsgs.exe[836] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 002B0000
.text C:\Program Files\Messenger\msmsgs.exe[836] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 002B001B
.text C:\Program Files\Messenger\msmsgs.exe[836] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 002B0FE5
.text C:\Program Files\Messenger\msmsgs.exe[836] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007C0F71
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007C0070
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007C005F
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007C004E
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007C0FC7
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007C0097
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007C0F4F
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007C0F23
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007C00BC
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 007C0F08
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 007C0FB6
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 007C001B
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 007C0F60
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 007C003D
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 007C002C
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007C0F3E
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 007B0FAF
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 007B0F72
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 007B0FCA
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 007B0FE5
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 007B0F83
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 007B0F94
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007A0FCA
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!system 77C293C7 5 Bytes JMP 007A0055
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007A0033
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007A0044
.text C:\WINDOWS\system32\svchost.exe[892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007A000C
.text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00900087
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00900076
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00900065
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00900FA8
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009000C9
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00900F77
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009000EB
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00900F5C
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00900106
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0090004A
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009000A2
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009000DA
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 008F0FC3
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 008F0054
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 008F001E
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 008F0FDE
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 008F0F97
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 008F0FA8
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 008F002F
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008E0FC8
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 008E0FD9
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008E002E
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008E0049
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008E001D
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02540000
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02540084
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02540F85
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0254005F
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0254004E
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0254002C
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02540095
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02540F59
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 025400CB
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02540F32
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 025400DC
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0254003D
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02540FEF
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02540F74
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0254001B
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02540FCA
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 025400B0
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02530FCA
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 02530F6F
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 02530011
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 02530000
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 02530F8A
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 02530FEF
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0253002C
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 02530FAF
.text C:\WINDOWS\System32\svchost.exe[988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02520F8D
.text C:\WINDOWS\System32\svchost.exe[988] msvcrt.dll!system 77C293C7 5 Bytes JMP 02520FA8
.text C:\WINDOWS\System32\svchost.exe[988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02520FC3
.text C:\WINDOWS\System32\svchost.exe[988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02520FEF
.text C:\WINDOWS\System32\svchost.exe[988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02520018
.text C:\WINDOWS\System32\svchost.exe[988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02520FDE
.text C:\WINDOWS\System32\svchost.exe[988] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02510FEF
.text C:\WINDOWS\System32\svchost.exe[988] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 02130FEF
.text C:\WINDOWS\System32\svchost.exe[988] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 02130014
.text C:\WINDOWS\System32\svchost.exe[988] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 02130025
.text C:\WINDOWS\System32\svchost.exe[988] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 02130036
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00640F7E
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00640069
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00640058
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00640047
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00640025
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00640F3F
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00640F50
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006400C4
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006400A9
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 006400DF
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00640036
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00640FD4
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00640F6D
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00640014
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00640FC3
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00640098
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0063003D
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00630087
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0063002C
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0063001B
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00630FC0
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00630062
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00630FDB
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00620FA6
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00620FB7
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0062001D
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00620000
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00620FD2
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00620FE3
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00760FEF
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00760093
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00760078
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00760F9E
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0076005B
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00760040
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00760F7C
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007600C4
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00760F4D
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007600F0
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00760F32
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00760FAF
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0076000A
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00760F8D
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00760025
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00760FD4
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007600DF
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00750FC3
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00750F7C
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00750FD4
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00750FE5
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00750F97
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00750000
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00750FA8
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00750025
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00740FAF
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00740FC0
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00740029
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00740000
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0074003A
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00740FEF
.text C:\WINDOWS\System32\svchost.exe[1136] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00730FEF
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006E0000
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006E0F4B
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006E004A
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006E0039
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006E0F7C
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006E0F9E
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006E0065
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006E0F29
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006E0EF8
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006E0091
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 006E00AC
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 006E0F8D
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 006E0FDB
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 006E0F3A
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 006E0080
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 006D007D
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 006D0025
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 006D0062
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 006D0047
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 006D0036
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0F92
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0FAD
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C000C
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C001D
.text C:\WINDOWS\system32\svchost.exe[1176] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FDE
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008B0FE5
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008B008E
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008B0073
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008B0062
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008B0047
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008B002C
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008B00AB
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008B0F63
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008B00CD
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008B00BC
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008B0F19
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008B0FA5
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008B0FCA
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008B0F7E
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008B001B
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008B0000
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008B0F3E
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00650025
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00650F94
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00650FD4
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00650014
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00650FA5
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00650FEF
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00650047
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00650036
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640F7F
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640F9A
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FC6
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640000
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FB5
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FE3
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00620000
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00620011
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00620FD1
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00620022
.text C:\WINDOWS\System32\svchost.exe[1524] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00630000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1728] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1728] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A007F
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A006E
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0051
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0F94
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A002C
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F43
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F54
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00C8
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00B7
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A0F0A
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A001B
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A0F65
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A0FDB
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A009C
.text C:\WINDOWS\explorer.exe[1912] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00280FAF
.text C:\WINDOWS\explorer.exe[1912] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00280F68
.text C:\WINDOWS\explorer.exe[1912] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00280FCA
.text C:\WINDOWS\explorer.exe[1912] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00280000
.text C:\WINDOWS\explorer.exe[1912] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00280F79
.text C:\WINDOWS\explorer.exe[1912] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00280FEF
.text C:\WINDOWS\explorer.exe[1912] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00280F94
.text C:\WINDOWS\explorer.exe[1912] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0028001B
.text C:\WINDOWS\explorer.exe[1912] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F8B
.text C:\WINDOWS\explorer.exe[1912] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290F9C
.text C:\WINDOWS\explorer.exe[1912] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FD2
.text C:\WINDOWS\explorer.exe[1912] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\explorer.exe[1912] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FAD
.text C:\WINDOWS\explorer.exe[1912] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FE3
.text C:\WINDOWS\explorer.exe[1912] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\explorer.exe[1912] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 002B0000
.text C:\WINDOWS\explorer.exe[1912] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 002B001B
.text C:\WINDOWS\explorer.exe[1912] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\explorer.exe[1912] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 018D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B00A4
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0093
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0F63
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F8A
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0F2D
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00D0
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001B00E1
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001B0062
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001B00B5
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[2128] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001B0F52
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290038
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290027
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FD2
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FC1
.text C:\WINDOWS\system32\wuauclt.exe[2128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FE3
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002A0040
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002A0087
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002A002F
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002A0062
.text C:\WINDOWS\system32\wuauclt.exe[2128] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002A0051
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F85
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A007A
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0069
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0058
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A002C
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A00A6
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0F28
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F43
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A00DC
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A003D
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A0095
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3084] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A00C1
.text C:\WINDOWS\System32\svchost.exe[3084] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00280036
.text C:\WINDOWS\System32\svchost.exe[3084] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00280FB9
.text C:\WINDOWS\System32\svchost.exe[3084] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00280025
.text C:\WINDOWS\System32\svchost.exe[3084] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0028000A
.text C:\WINDOWS\System32\svchost.exe[3084] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0028006C
.text C:\WINDOWS\System32\svchost.exe[3084] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00280FEF
.text C:\WINDOWS\System32\svchost.exe[3084] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00280051
.text C:\WINDOWS\System32\svchost.exe[3084] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00280FCA
.text C:\WINDOWS\System32\svchost.exe[3084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003D0FA3
.text C:\WINDOWS\System32\svchost.exe[3084] msvcrt.dll!system 77C293C7 5 Bytes JMP 003D0038
.text C:\WINDOWS\System32\svchost.exe[3084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003D0FD9
.text C:\WINDOWS\System32\svchost.exe[3084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003D000C
.text C:\WINDOWS\System32\svchost.exe[3084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003D0FC8
.text C:\WINDOWS\System32\svchost.exe[3084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003D001D
.text C:\WINDOWS\System32\svchost.exe[3084] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006D0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

Edited by reira, 01 August 2009 - 02:36 PM.
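
Added example (not part of the thread, and not GMER's or ComboFix's own code): a small Python parser for the ".text" hook lines in the GMER listing above. The one thing the listing itself shows is that GMER prints the owning module after the JMP target when it can map that target to a loaded image (the two mcproxy.exe lines), and prints nothing when the target sits in memory that no module on disk backs (every other line). The parser groups hooks per process, counts how many land in unbacked memory and in how many 64 KiB regions, and lists the exports hooked in every such process. The sample lines are copied from the log; the function and class names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: seven lines copied verbatim from the GMER 1.0.15 listing above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02540000
.text C:\WINDOWS\System32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 025400CB
.text C:\WINDOWS\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02530FCA
.text C:\WINDOWS\System32\svchost.exe[988] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02510FEF
.text C:\WINDOWS\explorer.exe[1912] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[1912] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 002B0FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1728] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

# One GMER user-mode hook line: ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner> (<desc>)]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"
)


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    export: str
    addr: int
    size: int
    target: int
    owner: Optional[str]  # module GMER resolved the JMP target to; None = unbacked memory


@dataclass
class ProcessSummary:
    attributed: int = 0      # hooks whose target GMER mapped to a module
    unattributed: int = 0    # hooks whose target is in memory no image backs
    exports: Set[str] = field(default_factory=set)
    regions: Set[int] = field(default_factory=set)  # 64 KiB granules holding unbacked targets


def parse_hooks(text: str) -> List[Hook]:
    """Parse every '.text' hook line; lines in any other GMER section are ignored."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            image=m["image"], pid=int(m["pid"]), module=m["module"].lower(),
            export=m["export"], addr=int(m["addr"], 16), size=int(m["size"]),
            target=int(m["target"], 16), owner=m["owner"],
        ))
    return hooks


def summarize(hooks: List[Hook]) -> Dict[Tuple[str, int], ProcessSummary]:
    """Per (image, pid): how many hooks land in a named module vs. unbacked memory."""
    out: Dict[Tuple[str, int], ProcessSummary] = defaultdict(ProcessSummary)
    for h in hooks:
        s = out[(h.image, h.pid)]
        if h.owner is None:
            s.unattributed += 1
            s.regions.add(h.target >> 16)
        else:
            s.attributed += 1
        s.exports.add(f"{h.module}!{h.export}")
    return dict(out)


def unbacked_hook_processes(hooks: List[Hook]) -> List[Tuple[str, int]]:
    """Processes with at least one hook whose JMP target GMER could not map to a module."""
    return sorted({(h.image, h.pid) for h in hooks if h.owner is None}, key=lambda k: k[1])


def common_exports(hooks: List[Hook]) -> Set[str]:
    """Exports hooked in every process that has unbacked hooks (the shared hook set)."""
    per_proc: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for h in hooks:
        if h.owner is None:
            per_proc[(h.image, h.pid)].add(f"{h.module}!{h.export}")
    sets = list(per_proc.values())
    return set.intersection(*sets) if sets else set()


def report(hooks: List[Hook]) -> List[str]:
    """One line per process, ordered by pid, for pasting back into a reply."""
    lines = []
    for (image, pid), s in sorted(summarize(hooks).items(), key=lambda kv: kv[0][1]):
        lines.append(f"{image}[{pid}]: {s.unattributed} hook(s) into unbacked memory "
                     f"in {len(s.regions)} 64K region(s), {s.attributed} into a named module")
    return lines


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    print("\n".join(report(parsed)))
    print("hooked in every affected process:", sorted(common_exports(parsed)))
```

The output says where the hooks point, not who placed them: a HIPS product such as Ad-Watch or McAfee installs exactly this kind of trampoline in every process, and so does an injected DLL, so an unbacked-target hook is a place to look (dump the region, compare across processes), not a verdict on its own.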


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:42 AM

Posted 01 August 2009 - 09:23 PM

Hello.

Looks like the infection was removed. ComboFix did not remove the files associated with those entries.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    
    Registry::
    
    Driver::
    Caiiskleairu
    Edgemdsk
    Fltbiukko
    Mxdostsft
    Ql1msiskdstp
    Seripe30bu
    SetupNTGLM7X
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Take a new DDS.txt log from after the updates please.

With Regards,
The Panda
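
Added example (my own, not ComboFix's code or anything from this thread): a Python check for the step above. Given the CFScript text and the ComboFix.txt that the run produces, it confirms that every name under Driver:: shows up in the Drivers/Services section as both a removed Legacy_ key and a removed Service_ key, and it lists Run values whose trailing bracket carries no date and size, which is how the log marks a value whose file ComboFix could not stat. The CFScript is the one from the post; the log excerpt is constructed in ComboFix's format with one Service_ line deliberately left out so the check has something to report.

```python
import re
from typing import Dict, List, Set, Tuple

# The CFScript from the post above, verbatim.
CFSCRIPT = """
File::

Registry::

Driver::
Caiiskleairu
Edgemdsk
Fltbiukko
Mxdostsft
Ql1msiskdstp
Seripe30bu
SetupNTGLM7X
"""

# Constructed sample in ComboFix's log format. Service_Seripe30bu is intentionally
# missing, and two Run values carry [BU] instead of a "[date size]" stamp.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CAIISKLEAIRU
-------\Legacy_EDGEMDSK
-------\Legacy_FLTBIUKKO
-------\Legacy_MXDOSTSFT
-------\Legacy_QL1MSISKDSTP
-------\Legacy_SERIPE30BU
-------\Legacy_SETUPNTGLM7X
-------\Service_Caiiskleairu
-------\Service_Edgemdsk
-------\Service_Fltbiukko
-------\Service_Mxdostsft
-------\Service_Ql1msiskdstp
-------\Service_SetupNTGLM7X

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="c:\progra~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2004-09-16 538112]
"CaAvTray"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [BU]
"sysfbtray"="c:\windows\freddy46.exe" [BU]
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
DELETED_RE = re.compile(r"^-------\\(Legacy_|Service_)(\S+)\s*$")
# "<name>"="<command>" [- <resolved path>] [<date size> | BU]
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+-\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]'
)
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d+$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its sections (File::, Registry::, Driver::, ...)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def deleted_services(log: str) -> Dict[str, Set[str]]:
    """Map each service name (case-folded) to the key kinds ComboFix reported removing."""
    out: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            out.setdefault(m.group(2).lower(), set()).add(m.group(1).rstrip("_"))
    return out


def verify_driver_removals(cfscript: str, log: str) -> Dict[str, Set[str]]:
    """For every Driver:: name, the key kinds NOT reported removed (empty set means clean)."""
    wanted = parse_cfscript(cfscript).get("Driver", [])
    seen = deleted_services(log)
    return {name: {"Legacy", "Service"} - seen.get(name.lower(), set()) for name in wanted}


def run_entries_without_file_info(log: str) -> List[Tuple[str, str]]:
    """Run values whose bracket holds no '<date> <size>' stamp: ComboFix found no file to stat."""
    out: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = RUN_VALUE_RE.match(line.strip())
        if m and not STAMP_RE.match(m["meta"]):
            out.append((m["name"], m["cmd"]))
    return out


if __name__ == "__main__":
    for name, missing in verify_driver_removals(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{name}: {'ok' if not missing else 'still present: ' + ', '.join(sorted(missing))}")
    for name, cmd in run_entries_without_file_info(COMBOFIX_LOG):
        print(f"Run value {name!r} points at {cmd} but no file was stat'ed")
```

A Run value that survives with no file behind it is what the thread is chasing: the loader has nothing to start, but the value keeps reappearing in scans until the key itself is removed, which is what the Registry:: section of a CFScript is for.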

#7 reira

reira
  • Topic Starter

  • Members
  • 20 posts
  • Local time:08:42 AM

Posted 03 August 2009 - 10:40 AM

Hello Panda.


ComboFix seemed to have gotten rid of ld09.exe and mstre19.exe but not freddy46.exe this time, but after it restarted the computer, the viruses showed up in my registry again. I noticed the Windows Live folder was still there and deleted it, but Windows Live Installer still shows up in my Add or Remove Programs; is it okay to delete it?

I've skimmed the logs and there are some files that show up for eTrust EZ Anti-Virus, and I think the program was deleted a while ago from my computer. There's still a caavsetuplog in my C:\ folder from 2007, apparently. Also, McAfee seems to detect Ad-Aware as an intruder when Ad-Aware detects registry changes, for some reason?

Thank you for all your help, by the way. I hope this doesn't end up being too time consuming for you. ^^;


Here are the logs:




ComboFix 09-07-31.04 - Schmidt 08/03/2009 9:03.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1016.661 [GMT -5:00]
Running from: c:\documents and settings\Schmidt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Schmidt\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CAIISKLEAIRU
-------\Legacy_EDGEMDSK
-------\Legacy_FLTBIUKKO
-------\Legacy_MXDOSTSFT
-------\Legacy_QL1MSISKDSTP
-------\Legacy_SERIPE30BU
-------\Legacy_SETUPNTGLM7X
-------\Service_Caiiskleairu
-------\Service_Edgemdsk
-------\Service_Fltbiukko
-------\Service_Mxdostsft
-------\Service_Ql1msiskdstp
-------\Service_Seripe30bu
-------\Service_SetupNTGLM7X


((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-08-01 17:31 . 2004-08-04 06:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-01 17:31 . 2004-08-04 06:56 50176 ----a-w- c:\windows\system32\proquota.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 14:09 . 2008-01-02 16:37 -------- d-----w- c:\program files\Windows Live
2009-06-29 16:12 . 2002-09-03 17:12 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2007-12-28 20:31 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-09-03 16:29 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 15:45 . 2009-06-19 18:29 -------- d-----w- c:\program files\McAfee
2009-06-23 19:05 . 2009-06-23 19:05 -------- d-----w- c:\program files\Trend Micro
2009-06-22 22:53 . 2009-06-22 22:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-22 18:53 . 2009-06-22 18:52 -------- d-----w- c:\program files\CCleaner
2009-06-20 18:14 . 2009-06-20 18:14 -------- d-----w- c:\documents and settings\Schmidt\Application Data\Malwarebytes
2009-06-20 18:14 . 2009-06-20 18:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 18:14 . 2009-06-20 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 15:23 . 2009-06-20 15:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-20 15:22 . 2009-06-20 15:22 0 ----a-w- c:\windows\nsreg.dat
2009-06-20 14:51 . 2002-09-03 16:47 622080 ----a-w- c:\windows\system32\netcfgx.dll
2009-06-19 18:36 . 2009-06-19 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-19 18:34 . 2009-06-19 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-06-19 18:34 . 2009-06-19 18:34 -------- d-----w- c:\program files\SiteAdvisor
2009-06-19 18:33 . 2009-06-19 18:33 130 ----a-w- c:\documents and settings\Schmidt\Local Settings\Application Data\fusioncache.dat
2009-05-14 04:25 . 2009-05-14 04:25 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-05-14 04:24 . 2009-06-19 18:27 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-05-07 15:44 . 2002-09-03 16:39 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-22 17:06 . 2009-06-20 15:21 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-01_17.38.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-28 19:08 . 2009-08-03 13:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-28 19:08 . 2009-08-01 14:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 19:08 . 2009-08-03 13:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-28 19:08 . 2009-08-01 14:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 19:08 . 2009-08-03 13:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-12-28 19:08 . 2009-08-01 14:20 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-06-06 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-06-06 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-25 385024]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"AWMON"="c:\progra~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2004-09-16 538112]
"CaAvTray"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [BU]
"CAVRID"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [BU]
"sysfbtray"="c:\windows\freddy46.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-2 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
GSPTray.lnk - c:\gsp\Software\GspTray.exe [2008-1-2 331776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/19/2009 1:34 PM 210216]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [12/1/2004 7:35 PM 438912]
S2 EdgeStat;EdgeStat;\??\c:\windows\system32\drivers\edgestat.sys --> c:\windows\system32\drivers\edgestat.sys [?]
S3 Pci.ne;Pci.ne;c:\windows\system32\drivers\processr.sys [8/28/2002 8:05 PM 35328]
.
Contents of the 'Scheduled Tasks' folder

2009-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-06-19 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-19 13:57]

2009-06-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-19 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://email.consolidated.net/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Schmidt\Application Data\Mozilla\Firefox\Profiles\mne0p2rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://email.consolidated.net/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 09:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\program files\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-08-03 9:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 14:13
ComboFix2.txt 2009-08-01 17:40

Pre-Run: 53,175,635,968 bytes free
Post-Run: 53,150,572,544 bytes free

175 --- E O F --- 2009-07-29 23:20

DDS (Ver_09-07-30.01) - NTFSx86
Run by Schmidt at 10:15:34.31 on Mon 08/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.398 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\GSP\Software\GspTray.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Schmidt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://email.consolidated.net/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [system tool] c:\windows\sysguard.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\schmidt\locals~1\temp\zg8sv.exe
uRun: [Windows System Recover!] c:\docume~1\schmidt\locals~1\temp\services.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [AWMON] "c:\progra~1\lavasoft\ad-awa~1\Ad-Watch.exe"
mRun: [CaAvTray] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
mRun: [sysfbtray] c:\windows\freddy46.exe
mRun: [sysldtray] c:\windows\ld09.exe
mRun: [sysmstray] c:\windows\mstre19.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gsptray.lnk - c:\gsp\software\GspTray.exe
uPolicies-explorer: NoFolderOptions = 1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199112779640
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h20264.www2.hp.com/ediags/hpfix/sj/en/check/xp/qdiagh.cab?326
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\schmidt\applic~1\mozilla\firefox\profiles\mne0p2rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://email.consolidated.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-19 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-19 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-19 40552]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2004-12-1 438912]
S2 EdgeStat;EdgeStat;\??\c:\windows\system32\drivers\edgestat.sys --> c:\windows\system32\drivers\edgestat.sys [?]
S2 PAR1284;PAR1284;\??\c:\windows\system32\drivers\par1284.sys --> c:\windows\system32\drivers\PAR1284.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-19 34248]
S3 Pci.ne;Pci.ne;c:\windows\system32\drivers\processr.sys [2002-8-28 35840]

=============== Created Last 30 ================

2009-08-03 09:59 <DIR> --d----- c:\windows\LastGood.Tmp
2009-08-03 09:54 <DIR> --d----- c:\windows\system32\scripting
2009-08-03 09:54 <DIR> --d----- c:\windows\l2schemas
2009-08-03 09:54 <DIR> --d----- c:\windows\system32\en
2009-08-03 09:54 <DIR> --d----- c:\windows\system32\bits
2009-08-01 12:39 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-01 12:31 50,176 a------- c:\windows\system32\proquota.exe
2009-08-01 12:26 <DIR> a-dshr-- C:\cmdcons
2009-08-01 12:09 219,648 a------- c:\windows\PEV.exe
2009-08-01 12:09 161,792 a------- c:\windows\SWREG.exe
2009-08-01 12:09 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-08-03 09:57 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-19 12:07 144 a------- C:\nm8912.bat
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 10:16:13.82 ===============

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 03 August 2009 - 10:51 AM

Hello.

Let's try this.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    DDS::
    uRun: [system tool] c:\windows\sysguard.exe
    uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\schmidt\locals~1\temp\zg8sv.exe
    uRun: [Windows System Recover!] c:\docume~1\schmidt\locals~1\temp\services.exe
    mRun: [CaAvTray] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVTray.exe"
    mRun: [CAVRID] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
    mRun: [sysfbtray] c:\windows\freddy46.exe
    mRun: [sysldtray] c:\windows\ld09.exe
    mRun: [sysmstray] c:\windows\mstre19.exe
    uPolicies-explorer: NoFolderOptions = 1
    
    File::
    C:\nm8912.bat
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Follow up with a new DDS log too please.

With Regards,
The Panda

#9 reira

reira
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:42 AM

Posted 03 August 2009 - 11:47 AM

Okay, after the ComboFix log popped up, I got a couple of notices. Ad-Watch.exe had encountered a problem and needed to be closed. I clicked to report the error and another message error for Ad-Watch popped up. Then a warning from McAfee about a Registry change for regedit.exe again (same as last time). Here are two screencaps I took.

Posted Image

Posted Image

I'm kind of afraid to restart my computer since the viruses might show up again, lol.

I'm attaching the ComboFix log as it seems to be too long to post.

DDS LOG:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Schmidt at 11:30:37.21 on Mon 08/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.617 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\GSP\Software\GspTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Schmidt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://email.consolidated.net/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [AWMON] "c:\progra~1\lavasoft\ad-awa~1\Ad-Watch.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gsptray.lnk - c:\gsp\software\GspTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199112779640
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h20264.www2.hp.com/ediags/hpfix/sj/en/check/xp/qdiagh.cab?326
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\schmidt\applic~1\mozilla\firefox\profiles\mne0p2rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://email.consolidated.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-19 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-19 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-19 40552]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2004-12-1 438912]
S2 EdgeStat;EdgeStat;\??\c:\windows\system32\drivers\edgestat.sys --> c:\windows\system32\drivers\edgestat.sys [?]
S2 PAR1284;PAR1284;\??\c:\windows\system32\drivers\par1284.sys --> c:\windows\system32\drivers\PAR1284.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-19 34248]
S3 Pci.ne;Pci.ne;c:\windows\system32\drivers\processr.sys [2002-8-28 35840]

=============== Created Last 30 ================

2009-08-03 09:54 <DIR> --d----- c:\windows\system32\scripting
2009-08-03 09:54 <DIR> --d----- c:\windows\l2schemas
2009-08-03 09:54 <DIR> --d----- c:\windows\system32\en
2009-08-03 09:54 <DIR> --d----- c:\windows\system32\bits
2009-08-01 12:39 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-01 12:31 50,176 a------- c:\windows\system32\proquota.exe
2009-08-01 12:26 <DIR> a-dshr-- C:\cmdcons
2009-08-01 12:09 219,648 a------- c:\windows\PEV.exe
2009-08-01 12:09 161,792 a------- c:\windows\SWREG.exe
2009-08-01 12:09 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-08-03 09:57 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 11:30:56.51 ===============

Attached Files

#10 reira

reira
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:42 AM

Posted 03 August 2009 - 12:00 PM

I restarted the computer and the viruses returned to my registry, so did CaAvTray and CAVRID. Ad-Watch detects about 17 registry changes.

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:42 AM

Posted 03 August 2009 - 12:00 PM

Hello.

Ah... the infection is not really there. McAfee is preventing ComboFix from removing the registry entries.

Please restart your computer and take a new DDS.txt log.

Next time, allow all the registry changes.

With Regards,
The Panda

#12 reira

reira
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:42 AM

Posted 03 August 2009 - 12:14 PM

Okay, here is the new DDS log. :thumbup2:

But if I may ask, why are they in my registry? Is it possible for them to re-infect my computer in the long run or are they not threats?


DDS (Ver_09-07-30.01) - NTFSx86
Run by Schmidt at 12:11:53.00 on Mon 08/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1016.416 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\GSP\Software\GspTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Schmidt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://email.consolidated.net/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [system tool] c:\windows\sysguard.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\schmidt\locals~1\temp\zg8sv.exe
uRun: [Windows System Recover!] c:\docume~1\schmidt\locals~1\temp\services.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [AWMON] "c:\progra~1\lavasoft\ad-awa~1\Ad-Watch.exe"
mRun: [CaAvTray] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
mRun: [sysldtray] c:\windows\ld09.exe
mRun: [sysmstray] c:\windows\mstre19.exe
mRun: [sysfbtray] c:\windows\freddy46.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gsptray.lnk - c:\gsp\software\GspTray.exe
uPolicies-explorer: NoFolderOptions = 1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199112779640
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h20264.www2.hp.com/ediags/hpfix/sj/en/check/xp/qdiagh.cab?326
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\schmidt\applic~1\mozilla\firefox\profiles\mne0p2rj.default\
FF - prefs.js: browser.startup.homepage - hxxp://email.consolidated.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-19 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-19 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-19 40552]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2004-12-1 438912]
S2 EdgeStat;EdgeStat;\??\c:\windows\system32\drivers\edgestat.sys --> c:\windows\system32\drivers\edgestat.sys [?]
S2 PAR1284;PAR1284;\??\c:\windows\system32\drivers\par1284.sys --> c:\windows\system32\drivers\PAR1284.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-19 34248]
S3 Pci.ne;Pci.ne;c:\windows\system32\drivers\processr.sys [2002-8-28 35840]
S4 Tci.nvraw;Tci.nvraw; [x]

=============== Created Last 30 ================

2009-08-03 09:54 <DIR> --d----- c:\windows\system32\scripting
2009-08-03 09:54 <DIR> --d----- c:\windows\l2schemas
2009-08-03 09:54 <DIR> --d----- c:\windows\system32\en
2009-08-03 09:54 <DIR> --d----- c:\windows\system32\bits
2009-08-01 12:39 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-01 12:31 50,176 a------- c:\windows\system32\proquota.exe
2009-08-01 12:26 <DIR> a-dshr-- C:\cmdcons
2009-08-01 12:09 219,648 a------- c:\windows\PEV.exe
2009-08-01 12:09 161,792 a------- c:\windows\SWREG.exe
2009-08-01 12:09 98,816 a------- c:\windows\sed.exe
2009-07-29 18:20 2,639 a------- c:\windows\imsins.BAK

==================== Find3M ====================

2009-08-03 09:57 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-29 11:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 12:12:32.70 ===============

Edited by reira, 03 August 2009 - 12:16 PM.


#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 AM

Posted 03 August 2009 - 01:42 PM

Hello.

Please run that script with ComboFix again.

Allow any registry changes.

#14 reira

reira
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:42 AM

Posted 03 August 2009 - 01:58 PM

Quick question, should I keep Ad-Watch enabled or does it not matter if it is disabled?

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:42 AM

Posted 03 August 2009 - 04:58 PM

Hello.

I would suggest disabling it.

I had missed your other question. No, the files associated with them are gone, so they cannot reinfect you.

With Regards,
The Panda
