
NTOSKRNL-HOOK Trojan - Search Engine re-directs


22 replies to this topic

#1 MileHighV (Members, 21 posts)

Posted 04 August 2009 - 11:56 PM

NTOSKRNL-HOOK Trojan - When using any search engine (Google, Bing, Yahoo), the links are re-directed to random search engines, which then search on the original parameters.
No other problems that I can detect (not really doing much in case it gets worse).

McAfee VirusScan detects NTOSKRNL-HOOK, says it fixes it, and that there is nothing to do.
If I re-scan, it is still there.

Since then, I have tried Malwarebytes and SUPERAntiSpyware to no effect (neither can find it), although there do not seem to be additional issues. I also tried SmitFraud (it could not find it), although things seem to be running slower since SmitFraud - McAfee said I had problems (everything was bad), then no problems, then email needed fixing. All is well at the moment.

Please help!

DDS (Ver_09-07-30.01) - NTFSx86
Run by Earl at 22:33:42.73 on Tue 08/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2429 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
SVCHOST.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Documents and Settings\Earl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uCustomizeSearch =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\mskagent.exe
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] "c:\program files\intel\intel application accelerator\iaanotif.exe"
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [CTSysVol] "c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe" /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] "c:\windows\system32\CTHELPER.EXE"
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [MaxtorOneTouch] "c:\progra~1\maxtor\onetouch\utils\OneTouch.exe"
mRun: [RetroExpress] "c:\progra~1\dantz\retros~1\RetroExpress.exe" /h
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MXOBG] "c:\windows\MXOALDR.EXE"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5691/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-6-4 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 72944]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-6-4 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-6-4 144704]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-12-5 1205760]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-6-4 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-4 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-4 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-4 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S3 DPCNET5U;Satellite USB Driver;c:\windows\system32\drivers\dpcnet5u.sys --> c:\windows\system32\drivers\dpcnet5u.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-4 34216]

=============== Created Last 30 ================

2009-08-04 08:02 4,826 a------- c:\windows\system32\tmp.reg
2009-08-03 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-03 20:27 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-03 20:27 <DIR> --d----- c:\docume~1\earl\applic~1\SUPERAntiSpyware.com
2009-07-29 23:49 <DIR> --d----- c:\docume~1\earl\applic~1\Malwarebytes
2009-07-29 23:48 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 23:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 23:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 23:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-29 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-07-29 17:18 <DIR> --d----- c:\program files\Citrix
2009-07-29 17:18 61,224 a------- c:\documents and settings\earl\GoToAssistDownloadHelper.exe
2009-07-28 21:34 <DIR> --d----- c:\windows\McAfee.com
2009-07-10 21:22 3,246 a------- c:\windows\system32\wbem\Outlook_01ca01d6dbfab430.mof

==================== Find3M ====================

2009-07-18 10:20 3,062,272 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 10:20 1,506,304 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-22 05:38 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-06-16 08:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 08:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 08:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 13:24 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 13:24 1,291,264 a------- c:\windows\system32\dllcache\quartz.dll
2009-05-13 15:39 1,563,008 a------- c:\windows\WRSetup.dll
2009-05-07 09:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 09:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll
2009-03-08 11:54 7,460 a------- c:\docume~1\earl\applic~1\ViewerApp.dat

============= FINISH: 22:37:01.98 ===============

#2 Elise (Bleepin' Blonde; Malware Study Hall Admin, 60,829 posts; Location: Romania)

Posted 14 August 2009 - 02:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

 

Malware analyst @ Emsisoft


#3 MileHighV (Topic Starter; Members, 21 posts)

Posted 14 August 2009 - 10:07 PM

elise025,
Thanks for your reply - I appreciate the help.

I am not a well versed computer user, although I have learned a lot over the last few weeks since this started.

When I turned my computer on (I have been leaving it off until the virus is removed) several programs ran before I opened email:
Microsoft Malicious Software Removal tool scanned and removed (I think this is right, I can't seem to find the log):
Trojan WinNT/Alureon.C
SpySweeper scanned, and found only cookies,
McAfee scanned and did not find NTOSKRNL-HOOK (the first time this has not been found since this began).
However, it did find two new viruses:
PrcViewer Potentially unwanted program Detected
C:/WINDOWS/SYSTEM32/VSFOCEFVRAQFML.DLL TROJAN QUARANTINED

Interestingly, my Google searches are no longer being misdirected (Yay!), although I have done no further cleanings?!

Anyway - Thanks for the assistance!

DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Earl at 20:47:05.25 on Fri 08/14/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2124 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
SVCHOST.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\McAfee\MSC\mcshell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Earl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uCustomizeSearch =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\mskagent.exe
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] "c:\program files\intel\intel application accelerator\iaanotif.exe"
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [CTSysVol] "c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe" /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] "c:\windows\system32\CTHELPER.EXE"
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [MaxtorOneTouch] "c:\progra~1\maxtor\onetouch\utils\OneTouch.exe"
mRun: [RetroExpress] "c:\progra~1\dantz\retros~1\RetroExpress.exe" /h
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MXOBG] "c:\windows\MXOALDR.EXE"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5691/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-6-4 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-6-4 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-6-4 144704]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-12-5 1205760]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-6-4 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-4 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-4 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-4 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-4 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S3 DPCNET5U;Satellite USB Driver;c:\windows\system32\drivers\dpcnet5u.sys --> c:\windows\system32\drivers\dpcnet5u.sys [?]

=============== Created Last 30 ================

2009-08-13 18:43 118 a------- c:\windows\system32\MRT.INI
2009-08-13 18:42 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-09 13:05 <DIR> --d----- c:\windows\system32\NtmsData
2009-08-04 08:02 4,826 -------- c:\windows\system32\tmp.reg
2009-08-03 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-03 20:27 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-03 20:27 <DIR> --d----- c:\docume~1\earl\applic~1\SUPERAntiSpyware.com
2009-07-29 23:49 <DIR> --d----- c:\docume~1\earl\applic~1\Malwarebytes
2009-07-29 23:48 38,160 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 23:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 23:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-29 23:48 19,096 -------- c:\windows\system32\drivers\mbam.sys
2009-07-29 18:35 91 a------- c:\windows\system32\vsfocekhfrlrtw.dat
2009-07-29 18:25 43,920 a------- c:\windows\system32\vsfoceoolxordt.dat
2009-07-29 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-07-29 17:18 <DIR> --d----- c:\program files\Citrix
2009-07-29 17:18 61,224 -------- c:\documents and settings\earl\GoToAssistDownloadHelper.exe
2009-07-28 21:34 <DIR> --d----- c:\windows\McAfee.com
2009-07-24 21:21 67,072 -------- c:\windows\system32\drivers\vsfocequfilmvt.sys

==================== Find3M ====================

2009-08-05 03:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 03:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-18 10:20 3,062,272 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 10:20 1,506,304 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 12:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 07:42 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-06-25 12:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-22 05:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 05:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 05:49 117,248 -------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 05:49 19,968 -------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 05:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 05:49 4,608 -------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 05:48 91,776 a------- c:\windows\system32\drivers\mqac.sys
2009-06-22 05:48 91,776 -------- c:\windows\system32\dllcache\mqac.sys
2009-06-22 05:38 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-06-16 08:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 08:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 08:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 05:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:50 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:50 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 08:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 08:21 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 00:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 00:32 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 11:42 2,060,288 -------- c:\windows\system32\usbaaplrc.dll
2009-06-05 01:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-05 01:42 655,872 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-03 13:24 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 13:24 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-03-08 11:54 7,460 -------- c:\docume~1\earl\applic~1\ViewerApp.dat

============= FINISH: 20:48:09.06 ===============

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:31 PM

Posted 15 August 2009 - 01:19 AM

Hello, and :thumbup2: to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your Malware issues, this may or may not solve other issues you may have with your machine.

Sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime Please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Elise


Posted 16 August 2009 - 06:58 AM

Hello MileHighV,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • AutoUpdate
  • Internet Explorer Default Page
  • My Way Search Assistant
  • Viewpoint Media Player
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • GeeksToGo
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise




#6 MileHighV

MileHighV
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:31 AM

Posted 16 August 2009 - 11:56 AM

Elise,
Thanks for the help!

I backed up my entire hard drive to an external hard drive - Should I scan this with ComboFix too?
I don't access my bank on this computer, although I do purchase things using credit cards.
Primarily, this is a standalone gaming machine (some online), music download, surf, & check email.

How difficult is a reformat & reinstall?
My machine is a Dell Dimension 8400, which came pre-loaded with Windows XP Media Center edition.
I do not seem to have the disk for re-installing Windows XP Media Center, although I seem to have the disks for all the other pre-loaded software. ?!

Could I re-install Windows XP (If I figure out how), and then copy my backup back over?
Would this potentially have a virus in the backup?

Sorry about all of the questions, but I am unfamiliar with these issues.

Thanks again!

ComboFix log below:

ComboFix 09-08-10.06 - Earl 08/16/2009 10:29.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2536 [GMT -6:00]
Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\drivers\vsfocequfilmvt.sys
c:\windows\system32\tmp.reg
c:\windows\system32\vsfocekhfrlrtw.dat
c:\windows\system32\vsfoceoolxordt.dat
G:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_vsfocebtcxonxy
-------\Service_vsfocebtcxonxy


((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.

2009-08-14 00:42 . 2009-08-14 00:42 -------- d-----w- c:\windows\ServicePackFiles
2009-08-09 19:05 . 2009-08-09 20:18 -------- d-----w- c:\windows\system32\NtmsData
2009-08-04 02:28 . 2009-08-16 16:37 117760 ----a-w- c:\documents and settings\Earl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-04 02:27 . 2009-08-04 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-04 02:27 . 2009-08-08 17:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-04 02:27 . 2009-08-04 02:27 -------- d-----w- c:\documents and settings\Earl\Application Data\SUPERAntiSpyware.com
2009-08-04 00:10 . 2009-08-04 00:10 3942048 ------w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-30 05:49 . 2009-07-30 05:49 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes
2009-07-30 05:48 . 2009-08-03 19:36 38160 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-30 05:48 . 2009-08-04 00:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-30 05:48 . 2009-08-03 19:36 19096 ------w- c:\windows\system32\drivers\mbam.sys
2009-07-30 05:48 . 2009-07-30 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-29 23:22 . 2009-07-29 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-07-29 23:18 . 2009-07-29 23:18 -------- d-----w- c:\program files\Citrix
2009-07-29 23:18 . 2009-07-29 23:18 -------- d-----w- c:\documents and settings\Earl\Local Settings\Application Data\Citrix
2009-07-29 23:18 . 2009-07-29 23:18 61224 ------w- c:\documents and settings\Earl\GoToAssistDownloadHelper.exe
2009-07-29 03:34 . 2009-07-29 03:34 -------- d-----w- c:\windows\McAfee.com
2009-07-29 02:25 . 2009-07-13 07:42 286880 ------w- c:\documents and settings\Earl\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-07-29 02:25 . 2009-07-29 02:25 49152 ------r- c:\documents and settings\Earl\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-07-29 02:25 . 2009-07-29 02:25 49152 ------r- c:\documents and settings\Earl\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-07-19 23:40 . 2009-07-19 23:40 75040 ------w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 16:38 . 2005-04-22 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2009-08-16 16:35 . 2005-04-17 23:21 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-08-16 16:35 . 2005-04-17 23:21 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2009-08-16 16:18 . 2005-04-17 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-15 18:43 . 2005-08-18 03:02 -------- d-----w- c:\program files\Diablo II
2009-08-05 09:11 . 2004-08-10 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:27 . 2009-06-18 22:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-29 02:24 . 2005-04-21 05:54 -------- d-----w- c:\program files\McAfee
2009-07-29 02:24 . 2005-04-21 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-20 01:53 . 2007-07-06 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-19 23:47 . 2008-04-12 15:25 -------- d-----w- c:\program files\Safari
2009-07-19 23:45 . 2008-09-05 01:15 -------- d-----w- c:\program files\iTunes
2009-07-19 23:44 . 2005-11-12 18:36 -------- d-----w- c:\program files\iPod
2009-07-19 23:44 . 2007-07-06 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 18:55 . 2004-08-10 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 16:08 . 2004-08-10 10:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 03:14 . 2005-04-17 23:24 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-26 16:18 . 2004-08-10 10:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-10 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-10 10:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-10 10:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-10 10:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-10 10:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-10 10:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-10 10:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-10 10:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-10 10:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-10 10:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-10 10:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-10 10:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-10 10:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2004-08-10 10:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-10 10:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-10 10:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-10 10:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-18 22:43 . 2009-06-18 22:43 -------- d-----w- c:\program files\AGEIA Technologies
2009-06-18 22:00 . 2005-04-17 23:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 14:55 . 2004-08-10 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-10 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-10 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-10 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 17:42 . 2009-03-13 00:38 2060288 ------w- c:\windows\system32\usbaaplrc.dll
2009-06-05 17:42 . 2008-10-11 17:30 39424 ------w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 07:42 . 2004-08-10 10:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:24 . 2004-08-10 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 18:18 . 2009-03-16 11:48 164 ------w- c:\windows\install.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-05 23:02 238968 ------w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-08 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 136600]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2004-03-11 28672]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MaxtorOneTouch"="c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-08-31 823296]
"RetroExpress"="c:\progra~1\Dantz\RETROS~1\RetroExpress.exe" [2004-07-30 6946816]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"MXOBG"="c:\windows\MXOALDR.EXE" [2003-10-10 94208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-7-30 217195]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-7-22 221247]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-12-25 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-12-25 106496]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\MW4.ICD"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Starcraft\\starcraft.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [8/9/2008 02:42 PM 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 74480]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [12/5/2008 11:49 PM 1205760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
S3 DPCNET5U;Satellite USB Driver;c:\windows\system32\DRIVERS\dpcnet5u.sys --> c:\windows\system32\DRIVERS\dpcnet5u.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-10 c:\windows\Tasks\Complete Backup.job
- c:\windows\system32\NTBACKUP.EXE [2004-08-10 10:00]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-06-05 17:53]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-06-05 17:53]

2009-08-15 c:\windows\Tasks\wrSpySweeper20051020230255.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-10 21:40]

2009-08-15 c:\windows\Tasks\wrSpySweeper20051020230255.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-10 21:40]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSKAGENTEXE - c:\progra~1\mcafee\SPAMKI~1\mskagent.exe
SafeBoot-svcWRSSSDK


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 10:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\SST-A49B68A3-BF4C-4A83-AAFB-0748176CD407.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(4724)
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\DRIVERS\CDAC11BA.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\EHOME\ehRecvr.exe
c:\windows\EHOME\ehSched.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\SYSTEM32\DLLHOST.EXE
c:\windows\EHOME\EHMSAS.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Dantz\RETROS~1\Retrospect.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-08-16 10:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-16 16:43

Pre-Run: 190,817,460,224 bytes free
Post-Run: 191,170,191,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

359 --- E O F --- 2009-08-14 00:45

#7 Elise


Posted 17 August 2009 - 06:34 AM

Hello MileHighV,

First of all, since you mentioned you used your credit card to make online transactions on this computer, I would recommend you to contact your bank and explain to them that your credit card information might have been compromised. They know what to do about that.


If you are considering a reformat, you should first make sure you have one of the following
1. XP Media Center Installation CD
2. Dell CDs containing the factory settings of your computer.


You should back up only the data you really need and can't replace - like Word files, spreadsheets, pictures and other important (personal) data files you are in need of. Reformatting will destroy them all and you cannot retrieve the files once you have performed the reformat. There is no harm in backing up documents and other important (personal) data.

You should NOT back up:
  • any Operating System-related files
  • any files you do not recognize.
If the backup on your external hard drive is an exact copy/image of the data on your hard drive (as it is now), restoring the entire backup would reinfect your system as OS-related/unknown files will be restored too.

For these reasons it makes no sense to scan your backed up data now. Instead, you should select only the files you really need and back those up separately.


I see evidence of a flash drive infection. To avoid re-infecting your own computer or infecting others, I recommend you to use Flash Disinfector.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Please let me know if the information I provided is enough for you to make the decision to reformat or to go through with the cleaning process.
If you still have questions, I will be glad to try to answer them!


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 MileHighV


Posted 17 August 2009 - 07:02 PM

Elise,

I did the FlashDisinfector that you recommended, although I have some questions/observations:
1. McAfee treated FlashDisinfector as a trojan, and refused to let it download.
I disabled VirusScan & System Guards, and then loaded it onto my desktop.
2. I ran the program, although no mention was made of what was infecting the flash drive.
I can not find the hidden folder named autorun.inf (I changed the folder views, but no luck).
3. I enabled VirusScan & System Guards, and they then removed FlashDisinfector from my desktop.

I am not sure if the above is normal, and I hope that the flash drive is now okay.

Let's go ahead and clean this machine.
After cleaning, I will either write over the external hard drive data in another backup, or I can re-format that easily enough.

Thanks!

Edited by MileHighV, 17 August 2009 - 07:03 PM.


#9 Elise


Posted 18 August 2009 - 04:04 AM

Hello MileHighV,

Let's leave the Flash Disinfector problem for now. We will try to solve this a bit later in the fix.


ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please start MBAM and go to the Update tab.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then rename it again, this time changing the .exe extension as well (for example to .scr), in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.


In your next reply, please include the following:
  • RootRepeal.txt
  • MBAM log
  • A new DDS log

regards, Elise




#10 MileHighV


Posted 18 August 2009 - 09:29 PM

Elise,
Thanks for the reply.

Please find the attached logs as requested (I have the attach.txt file also, if you need it).
RootRepeal found a few things, although MBAM did not find anything (I also scanned the external hard drive & flash drive).
I used the DDS program that I initially used a few weeks ago, I hope that is okay.

Thanks again!

Root Repeal log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/18 18:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA5155000 Size: 479232 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA37F0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_94c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\sqlite_am6rcs94o9vyphv
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\earl\application data\webroot\spy sweeper\logs\090818175917.ses
Status: Size mismatch (API: 1152082, Raw: 1151533)

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ad09c60

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8ad0e150

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8ad58918

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8ad041b0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8ad09f30

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8ad4a118

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8ad0e9e8

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8ad09cd8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ad09b70

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x8ad4f250

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8ad09dc8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8ad0a460

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8ad09020

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8ad09e40

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x8ad4a1f8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8ad09fa8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8ad09d50

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa52a00b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8ad09eb8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ad09be8

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8a429110 Size: 737

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a426140 Size: 185

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x8a42d350 Size: 750

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8a4da298 Size: 2409

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8a4da160 Size: 303

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a5207f0 Size: 2064

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a50b9e8 Size: 1561

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a50ab58 Size: 1193

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8a4dbd00 Size: 738

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3fb3c0 Size: 3137

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a42ffa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a3d58c8 Size: 1049

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a564fa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a261d48 Size: 241

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5a0348 Size: 3260

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5a0180 Size: 447

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a93e6c8 Size: 2361

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a23bfa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x8a23bd00 Size: 671

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a60b2e0 Size: 1135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89b88c28 Size: 984

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89b87c28 Size: 985

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x89b86c28 Size: 985

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b85c28 Size: 985

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89b83c28 Size: 984

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89b82c28 Size: 985

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89b81c28 Size: 984

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x89b80c28 Size: 985

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a1c9170

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x898acf30

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x897f73e8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x898acfa8

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x88fdd600

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x88fe0790

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8901f020

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8a43a950

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x89e75490

==EOF==

MBAM log:
Malwarebytes' Anti-Malware 1.40
Database version: 2651
Windows 5.1.2600 Service Pack 2

8/18/2009 07:27:48 PM
mbam-log-2009-08-18 (19-27-48).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 202893
Time elapsed: 50 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Earl at 19:28:59.09 on Tue 08/18/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2384 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
SVCHOST.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Earl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] "c:\program files\intel\intel application accelerator\iaanotif.exe"
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [CTSysVol] "c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe" /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] "c:\windows\system32\CTHELPER.EXE"
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [MaxtorOneTouch] "c:\progra~1\maxtor\onetouch\utils\OneTouch.exe"
mRun: [RetroExpress] "c:\progra~1\dantz\retros~1\RetroExpress.exe" /h
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MXOBG] "c:\windows\MXOALDR.EXE"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5691/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-6-4 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-6-4 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-6-4 144704]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-12-5 1205760]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-6-4 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-4 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-4 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-4 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S3 DPCNET5U;Satellite USB Driver;c:\windows\system32\drivers\dpcnet5u.sys --> c:\windows\system32\drivers\dpcnet5u.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-4 34216]

=============== Created Last 30 ================

2009-08-17 22:36 <DIR> --ds---- c:\documents and settings\earl\UserData
2009-08-17 17:43 <DIR> a-dshr-- C:\autorun.inf
2009-08-16 10:42 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-16 10:28 <DIR> a-dshr-- C:\cmdcons
2009-08-16 10:26 216,064 a------- c:\windows\PEV.exe
2009-08-16 10:26 161,792 a------- c:\windows\SWREG.exe
2009-08-16 10:26 98,816 a------- c:\windows\sed.exe
2009-08-13 18:43 118 a------- c:\windows\system32\MRT.INI
2009-08-13 18:42 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-09 13:05 <DIR> --d----- c:\windows\system32\NtmsData
2009-08-03 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-03 20:27 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-03 20:27 <DIR> --d----- c:\docume~1\earl\applic~1\SUPERAntiSpyware.com
2009-07-29 23:49 <DIR> --d----- c:\docume~1\earl\applic~1\Malwarebytes
2009-07-29 23:48 38,160 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 23:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 23:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-29 23:48 19,096 -------- c:\windows\system32\drivers\mbam.sys
2009-07-29 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-07-29 17:18 <DIR> --d----- c:\program files\Citrix
2009-07-29 17:18 61,224 -------- c:\documents and settings\earl\GoToAssistDownloadHelper.exe
2009-07-28 21:34 <DIR> --d----- c:\windows\McAfee.com

==================== Find3M ====================

2009-08-05 03:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 03:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-18 10:20 3,062,272 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-18 10:20 3,062,272 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 10:20 1,506,304 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 12:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 07:42 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-06-25 12:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-22 05:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 05:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 05:49 117,248 -------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 05:49 19,968 -------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 05:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 05:49 4,608 -------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 05:48 91,776 a------- c:\windows\system32\drivers\mqac.sys
2009-06-22 05:48 91,776 -------- c:\windows\system32\dllcache\mqac.sys
2009-06-22 05:38 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-06-16 08:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 08:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 08:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 05:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:50 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:50 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 08:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 08:21 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 00:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 00:32 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 11:42 2,060,288 -------- c:\windows\system32\usbaaplrc.dll
2009-06-05 01:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-05 01:42 655,872 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-03 13:24 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 13:24 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-03-08 11:54 7,460 -------- c:\docume~1\earl\applic~1\ViewerApp.dat

============= FINISH: 19:29:39.93 ===============
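As an added example (not part of the thread, and not code from RootRepeal or any other tool named here), the script below parses the SSDT and Shadow SSDT sections of a RootRepeal report in the format posted above, groups the hooked system calls by the module RootRepeal attributes them to, and separates out the hooks it could not attribute ("<unknown>"). The embedded report is constructed from a few lines in RootRepeal's layout; its addresses are illustrative.

```python
"""Parse the SSDT / Shadow SSDT sections of a RootRepeal report and group
the hooked system calls by the module that RootRepeal attributes them to.

Added example for this thread; not RootRepeal's own code. SAMPLE_REPORT is
constructed from a handful of lines in the shape RootRepeal prints (section
header, dashed rule, then "#: NNN Function Name: ..." / "Status: Hooked by
"..." at address 0x..." pairs); the addresses are illustrative only.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
SSDT
-------------------
#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8ad58918

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xa52a00b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ad09be8

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x898acf30

==EOF==
"""

HOOK_TABLES = ("SSDT", "Shadow SSDT")
ENTRY_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
STATUS_RE = re.compile(r'^Status:\s*Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')


def parse_hooks(report):
    """Return one dict per hooked entry found in the SSDT / Shadow SSDT sections."""
    lines = [ln.strip() for ln in report.splitlines()]
    hooks, section, pending = [], None, None
    for i, line in enumerate(lines):
        # RootRepeal marks a section as a title line followed by a dashed rule.
        if line and i + 1 < len(lines) and lines[i + 1].startswith("---"):
            section, pending = line, None
            continue
        if section not in HOOK_TABLES:
            continue  # Drivers, Stealth Objects, ... are not hook tables
        m = ENTRY_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))  # wait for its Status line
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            hooks.append({
                "table": section,
                "index": pending[0],
                "function": pending[1],
                "module": m.group(1),
                "address": int(m.group(2), 16),
            })
            pending = None
    return hooks


def group_by_module(hooks):
    """Map hooking module -> sorted list of the functions it hooks."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["module"]].append(h["function"])
    return {mod: sorted(fns) for mod, fns in groups.items()}


def unattributed_hooks(hooks):
    """Hooks RootRepeal could not tie to a loaded module ("<unknown>").

    A security product normally hooks from a named, on-disk driver (SASKUTIL.sys
    above); hooks whose owner cannot be resolved are the ones worth a closer look.
    """
    return [h for h in hooks if h["module"] == "<unknown>"]


def address_span(hooks):
    """(lowest, highest) hook address, or None. Unattributed hooks that all
    fall inside one narrow range usually point at a single hidden module."""
    if not hooks:
        return None
    addrs = [h["address"] for h in hooks]
    return (min(addrs), max(addrs))


if __name__ == "__main__":
    found = parse_hooks(SAMPLE_REPORT)
    for mod, fns in group_by_module(found).items():
        print(f"{mod}: {', '.join(fns)}")
    unknown = unattributed_hooks(found)
    lo, hi = address_span(unknown)
    print(f"{len(unknown)} unattributed hook(s) between {lo:#x} and {hi:#x}")
```

Running it against the full RootRepeal.txt from this post (read the file instead of SAMPLE_REPORT) lists every hooked function by owner and shows how tightly the "<unknown>" addresses cluster.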

#11 Elise


Posted 19 August 2009 - 09:26 AM

Hello MileHighV,


Going over your logs, I noticed you don't have the latest version of Adobe Acrobat Reader installed. Some older versions have vulnerabilities which may be used by malware to gain access to your computer. I recommend you update to the latest version as soon as possible!


I see evidence in your logs that Flash Disinfector ran successfully. After we clean out all malware traces, we can find a way to prevent McAfee from detecting it as a baddie.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

ATF-CLEANER
------------------
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks (make sure you check your back up disk as well!) and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
In your next reply, please include the following:
  • DrWeb.csv report
  • Please let me know how everything is working now

Edited by elise025, 19 August 2009 - 09:27 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 MileHighV

  • Topic Starter

  • Members
  • 21 posts

Posted 19 August 2009 - 09:34 PM

Elise,
Thanks for sticking with me on this.

I have good news:
I updated Adobe Acrobat & Adobe Reader, as suggested.
I also downloaded and ran ATF Cleaner, which freed up 330 MB of space!

I also have bad news (unfortunately):
I downloaded Dr. Web CureIt, and then rebooted the computer into Safe Mode.
Once in Safe Mode, I launched the program.
The screen seemed normal for about three seconds (Green Dr. CureIt dashboard in the middle of the screen).

BEEP - Blue Screen with the following message (part of it anyway):
A PROBLEM HAS DETECTED - WINDOWS HAS BEEN SHUT DOWN TO PREVENT DAMAGE TO YOUR COMPUTER (paraphrasing)
A few paragraphs about if this has happened before, and if so contact a system administrator.

Technical:
STOP: 0X0000007E (0XC0000005, 0XB9E6EC2C, 0XBA563C4C, 0XBA563948)
iastor.sys - Address B9E6EC2C base at B9E3B000 date stamp 40@1B22A

I tried twice, with the same result.
When I restarted Windows normally, it said that I had recovered from a serious error.

Help me, Please!!

Thanks again!

#13 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts

Posted 20 August 2009 - 02:50 AM

Hello MileHighV,


GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


KASPERSKY ONLINE SCAN
-----------------------------------
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • GMER log
  • Kaspersky scan results

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

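A GMER log like the one requested above lists every hook it finds and, where it can, the driver the hook target belongs to. As an added example (not part of this thread and not GMER's own code), the Python below parses the hook line forms that appear in the log posted later in this thread and sorts the hooks by the module GMER attributed them to, surfacing the ones it could not attribute to any loaded module; the sample excerpt is constructed from lines in that log, and treating unattributed hooks as the first thing to check is my assumption about analyst practice, not a verdict on this machine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: a few lines of each form from the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8ACC1BE8 ZwAllocateVirtualMemory
SSDT 8AD0B6F8 ZwCreateKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB0FF20B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB0F354E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2BD0 805039A4 4 Bytes CALL 8EDB05C4
.text ntkrnlpa.exe!ZwYieldExecution 80503FE8 7 Bytes JMP B0F35516 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C9D0A 5 Bytes JMP B0F35474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\lsass.exe[808] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E30FEF
"""


@dataclass
class Hook:
    kind: str               # SSDT / Code / kernel-inline / user-inline
    process: Optional[str]  # hooked process, user-mode hooks only
    function: str           # hooked routine, e.g. ntkrnlpa.exe!NtOpenProcess
    target: str             # address control is diverted to
    module: Optional[str]   # module GMER attributed that address to, if any
    desc: Optional[str]     # GMER's description of that module


# A module path as GMER prints it, optionally followed by "(description)".
MODULE = (r"(?P<module>(?:\\\?\?\\|\\SystemRoot\\|[A-Za-z]:\\).+?\.(?:sys|dll|exe))"
          r"(?: \((?P<desc>[^)]*)\))?")
SSDT_RE = re.compile(r"^SSDT (?P<target>[0-9A-F]{8}) (?P<func>\w+)$")
SSDT_MOD_RE = re.compile(r"^SSDT " + MODULE + r" (?P<func>\w+) \[0x(?P<target>[0-9A-F]+)\]$")
CODE_RE = re.compile(r"^Code " + MODULE + r" (?P<func>\w+)(?: \[0x(?P<target>[0-9A-F]+)\])?$")
INLINE_RE = re.compile(
    r"^(?:\.text|PAGE|INIT) (?:(?P<proc>[A-Za-z]:\\.+?\[\d+\]) )?"
    r"(?P<image>[\w.]+)!(?P<func>\w+)(?: \+ [0-9A-F]+)? "
    r"[0-9A-F]{8} \d+ Bytes (?:CALL|JMP) (?P<target>[0-9A-F]{8})(?: " + MODULE + r")?$")


def parse_gmer(text: str) -> List[Hook]:
    """Turn the hook lines of a GMER log into Hook records; other lines are skipped."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:                      # SSDT entry GMER could not map to a module
            hooks.append(Hook("SSDT", None, m["func"], m["target"], None, None))
            continue
        m = SSDT_MOD_RE.match(line) or CODE_RE.match(line)
        if m:                      # SSDT / Code entry attributed to a named driver
            hooks.append(Hook(line.split(" ", 1)[0], None, m["func"],
                              m["target"] or "?", m["module"], m["desc"]))
            continue
        m = INLINE_RE.match(line)
        if m:                      # inline JMP/CALL patch in kernel or user code
            kind = "user-inline" if m["proc"] else "kernel-inline"
            hooks.append(Hook(kind, m["proc"], f'{m["image"]}!{m["func"]}',
                              m["target"], m["module"], m["desc"]))
    return hooks


def triage(hooks: List[Hook]):
    """Count hooks per target module and separate out those GMER could not
    attribute to any loaded module. In this log every named hook belongs to an
    installed security product (McAfee's mfehidk.sys, SUPERAntiSpyware's
    SASKUTIL.sys); the unnamed ones are where an analyst looks first, since a
    hook into a hidden driver or into pool memory prints exactly like this.
    Unattributed is a starting point, not a verdict: legitimate products hook
    this way too, so each entry is checked against what is installed."""
    by_module = Counter(h.module or "<unattributed>" for h in hooks)
    kernel_unattributed = [h for h in hooks if h.module is None and h.process is None]
    user_by_process = Counter(h.process for h in hooks if h.module is None and h.process)
    return by_module, kernel_unattributed, user_by_process


def report(hooks: List[Hook]) -> str:
    by_module, kernel_unattributed, user_by_process = triage(hooks)
    out = ["hooks per target module:"]
    out += [f"  {n:3d}  {mod}" for mod, n in by_module.most_common()]
    out.append("kernel hooks with no module attribution (check these first):")
    out += [f"  {h.kind:<13} {h.function:<30} -> {h.target}" for h in kernel_unattributed]
    out.append("user-mode hooks with no module attribution, per process:")
    out += [f"  {n:3d}  {proc}" for proc, n in user_by_process.items()]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_gmer(SAMPLE_LOG)))
```

Run against the full log rather than the excerpt to see how many of the per-process user-mode hooks land in the same low address range, which is what an analyst compares against the hooking behaviour of the security products that are installed.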


#14 MileHighV

  • Topic Starter

  • Members
  • 21 posts

Posted 20 August 2009 - 08:36 PM

Elise,
Thanks for the reply.

All seems to have gone well today!
GMER loaded and ran fine.
Kaspersky loaded and ran, and found no threats.


Thanks!

At some point, I probably need to load XP Service Pack 3, but have been afraid to until this is resolved.

Here are the logs:

GMER.LOG
GMER 1.0.15.15077 [iqckdduo.exe] - http://www.gmer.net
Rootkit scan 2009-08-20 17:10:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT 8ACC1BE8 ZwAllocateVirtualMemory
SSDT 8AD0B6F8 ZwCreateKey
SSDT 8ACC24C0 ZwCreateProcess
SSDT 8ACC2448 ZwCreateProcessEx
SSDT 8ACC1EB8 ZwCreateThread
SSDT 8ACC2718 ZwDeleteKey
SSDT 8ACC2538 ZwDeleteValueKey
SSDT 8ACC1C60 ZwQueueApcThread
SSDT 8ACC1AF8 ZwReadVirtualMemory
SSDT 8ACC26A0 ZwRenameKey
SSDT 8ACC1D50 ZwSetContextThread
SSDT 8ACC2628 ZwSetInformationKey
SSDT 8ACC1FA8 ZwSetInformationProcess
SSDT 8ACC1DC8 ZwSetInformationThread
SSDT 8ACC25B0 ZwSetValueKey
SSDT 8ACC1F30 ZwSuspendProcess
SSDT 8ACC1CD8 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB0FF20B0]
SSDT 8ACC1E40 ZwTerminateThread
SSDT 8ACC1B70 ZwWriteVirtualMemory

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB0F354E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB0F35625]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB0F3560F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB0F35528]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB0F35651]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB0F3556B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB0F35470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB0F35484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB0F354FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB0F3568D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB0F355F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB0F355E3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB0F35679]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB0F35665]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB0F3563B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB0F3553E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB0F35512]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2BD0 805039A4 4 Bytes CALL 8EDB05C4
.text ntkrnlpa.exe!ZwYieldExecution 80503FE8 7 Bytes JMP B0F35516 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577ED2 5 Bytes JMP B0F354EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0A7E 7 Bytes JMP B0F3552C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B188C 5 Bytes JMP B0F35542 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6E5E 7 Bytes JMP B0F35500 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C9D0A 5 Bytes JMP B0F35474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C9F96 5 Bytes JMP B0F35488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806201E8 7 Bytes JMP B0F355E7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80620536 5 Bytes JMP B0F35669 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80620AB6 7 Bytes JMP B0F3563F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806212FC 7 Bytes JMP B0F355FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8062296E 7 Bytes JMP B0F35629 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80622BD8 7 Bytes JMP B0F35613 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806234C4 5 Bytes JMP B0F3556F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 806237E8 7 Bytes JMP B0F35691 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 80623D0E 5 Bytes JMP B0F3567D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80623E28 5 Bytes JMP B0F35655 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E7000A
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E70F9E
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E70FAF
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E70089
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E70062
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E70047
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E70F77
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E700BF
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E70F66
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E700FF
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00E70110
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00E70FC0
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E70FEF
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00E700A4
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00E70036
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00E7001B
.text C:\Program Files\Messenger\msmsgs.exe[692] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00E700E4
.text C:\Program Files\Messenger\msmsgs.exe[692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E5007A
.text C:\Program Files\Messenger\msmsgs.exe[692] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E50FEF
.text C:\Program Files\Messenger\msmsgs.exe[692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E5003A
.text C:\Program Files\Messenger\msmsgs.exe[692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E5000C
.text C:\Program Files\Messenger\msmsgs.exe[692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E5005F
.text C:\Program Files\Messenger\msmsgs.exe[692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E5001D
.text C:\Program Files\Messenger\msmsgs.exe[692] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00E60FAF
.text C:\Program Files\Messenger\msmsgs.exe[692] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00E60F57
.text C:\Program Files\Messenger\msmsgs.exe[692] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00E60000
.text C:\Program Files\Messenger\msmsgs.exe[692] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00E60FCA
.text C:\Program Files\Messenger\msmsgs.exe[692] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00E60F72
.text C:\Program Files\Messenger\msmsgs.exe[692] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00E60FEF
.text C:\Program Files\Messenger\msmsgs.exe[692] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00E60F83
.text C:\Program Files\Messenger\msmsgs.exe[692] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00E60F9E
.text C:\Program Files\Messenger\msmsgs.exe[692] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E30FEF
.text C:\Program Files\Messenger\msmsgs.exe[692] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00E4001B
.text C:\Program Files\Messenger\msmsgs.exe[692] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00E40000
.text C:\Program Files\Messenger\msmsgs.exe[692] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00E40038
.text C:\Program Files\Messenger\msmsgs.exe[692] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070078
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0007005D
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000700D0
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070F37
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 000700E1
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00070F79
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[796] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070F52
.text C:\WINDOWS\system32\services.exe[796] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00060FCD
.text C:\WINDOWS\system32\services.exe[796] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00060F86
.text C:\WINDOWS\system32\services.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[796] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\services.exe[796] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[796] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00060039
.text C:\WINDOWS\system32\services.exe[796] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00060FB2
.text C:\WINDOWS\system32\services.exe[796] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050F7F
.text C:\WINDOWS\system32\services.exe[796] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F90
.text C:\WINDOWS\system32\services.exe[796] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FAB
.text C:\WINDOWS\system32\services.exe[796] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[796] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[796] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FC6
.text C:\WINDOWS\system32\services.exe[796] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F30F6D
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F30062
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F30051
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F30040
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F30014
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F30F35
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F3007D
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F30EF8
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F30F13
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00F30EE7
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00F30F5C
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00F30FA8
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00F30FB9
.text C:\WINDOWS\system32\lsass.exe[808] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00F30F24
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00F20FB9
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00F2004A
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00F20F8D
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00F20FA8
.text C:\WINDOWS\system32\lsass.exe[808] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00F20025
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10038
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10FB7
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FE3
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FD2
.text C:\WINDOWS\system32\lsass.exe[808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10011
.text C:\WINDOWS\system32\lsass.exe[808] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D70084
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D70F8F
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D70FAC
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D70069
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D70047
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D700BA
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D7009F
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D70F43
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D700DC
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00D70F32
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00D70058
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00D70F74
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00D70036
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00D70025
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00D700CB
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00D60058
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00D60FCA
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00D6003D
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00D60FA5
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D5004A
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D50FB5
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50FC6
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D5001B
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CF0098
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CF0087
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CF0FAF
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CF0062
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CF0047
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CF0F7C
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CF00C4
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CF0101
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CF00F0
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00CF011C
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00CF0FC0
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00CF001B
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00CF00B3
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00CF0036
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00CF00DF
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00CE0073
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00CE0062
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FA6
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0027
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0FC8
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD000C
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0FB7
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD0FE3
.text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007E0F49
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007E0F64
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007E0F75
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007E0F86
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007E001E
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007E0F1D
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007E0059
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007E008A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007E0EF1
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 007E009B
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 007E0F97
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 007E0FD4
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 007E0F38
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 007E0FA8
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 007E0FC3
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007E0F0C
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 007D002F
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 007D006F
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 007D001E
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 007D0FDE
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 007D0FB2
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 007D0054
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 007D0FC3
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0FB9
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0044
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C0FD4
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C0029
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 007B0011
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 007B0FDB
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 007B002E
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 023D0FEF
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 023D009D
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 023D0F9E
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 023D0FAF
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 023D0062
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 023D0036
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 023D0F72
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 023D00BA
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 023D0F2B
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 023D0F46
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 023D00DF
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 023D0051
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 023D000A
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 023D0F83
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 023D0025
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 023D0FD4
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 023D0F57
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 023C0FB9
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 023C0F68
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 023C000A
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 023C0FD4
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 023C0F83
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 023C0FE5
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 023C0F9E
.text C:\WINDOWS\System32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 023C0025
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 023B0042
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!system 77C293C7 5 Bytes JMP 023B0FB7
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 023B000C
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 023B0FEF
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 023B001D
.text C:\WINDOWS\System32\svchost.exe[1228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 023B0FD2
.text C:\WINDOWS\System32\svchost.exe[1228] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 020B0000
.text C:\WINDOWS\System32\svchost.exe[1228] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 023A0000
.text C:\WINDOWS\System32\svchost.exe[1228] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 023A0FEF
.text C:\WINDOWS\System32\svchost.exe[1228] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 023A0FCA
.text C:\WINDOWS\System32\svchost.exe[1228] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 023A0FAD
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0093002F
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00930F3A
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00930F4B
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00930F68
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00930F94
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E50 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00930054
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00930F0E
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00930EE7
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00930080
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00930ED6
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00930F83
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00930F1F
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00930065
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00920FE5
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0092008E
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7832 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00920036
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0092007D
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00920062
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00920047
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00910F90
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00910FBC
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00910FAB
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00720000
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0072009A
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00720FA5
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0072007F
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00720062
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0072003D
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00720F77
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00720F88
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007200F5
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007200E4
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 0072011A
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00720FC0
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00720FE5
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 007200BF
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0072002C
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0072001B
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00720F5C
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00710FAF
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0071002C
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00710FCA
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00710000
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00710F6F
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00710FEF
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00710F8A
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00710011
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00700FA8
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!system 77C293C7 5 Bytes JMP 00700FCD
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0070002C
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00700000
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0070003D
.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00700011
.text C:\WINDOWS\system32\svchost.exe[1452] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006F0000
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01580FEF
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01580076
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01580F77
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01580051
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01580F94
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01580FAF
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01580F41
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01580087
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 015800C9
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01580F30
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01580F1F
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01580036
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0158000A
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01580F5C
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01580025
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01580FCA
.text C:\WINDOWS\Explorer.EXE[2016] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 015800A4
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00BE001B
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00BE0F80
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00BE0000
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00BE003D
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00BE0F9B
.text C:\WINDOWS\Explorer.EXE[2016] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00BE002C
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FA1
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FCD
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0022
.text C:\WINDOWS\Explorer.EXE[2016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00BB001B
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00BB0000
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00BB0FD9
.text C:\WINDOWS\Explorer.EXE[2016] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00BB0FC8
.text C:\WINDOWS\Explorer.EXE[2016] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AC000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2548] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2548] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0093
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0082
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0051
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F63
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A00B5
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0F26
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F37
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A00DA
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A00A4
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A0040
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[2856] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A0F52
.text C:\WINDOWS\system32\dllhost.exe[2856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00280F7F
.text C:\WINDOWS\system32\dllhost.exe[2856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00280F90
.text C:\WINDOWS\system32\dllhost.exe[2856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00280FC6
.text C:\WINDOWS\system32\dllhost.exe[2856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00280FEF
.text C:\WINDOWS\system32\dllhost.exe[2856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00280FAB
.text C:\WINDOWS\system32\dllhost.exe[2856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00280000
.text C:\WINDOWS\system32\dllhost.exe[2856] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00290036
.text C:\WINDOWS\system32\dllhost.exe[2856] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00290065
.text C:\WINDOWS\system32\dllhost.exe[2856] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\dllhost.exe[2856] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00290FE5
.text C:\WINDOWS\system32\dllhost.exe[2856] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00290F9E
.text C:\WINDOWS\system32\dllhost.exe[2856] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\dllhost.exe[2856] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00290FAF
.text C:\WINDOWS\system32\dllhost.exe[2856] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00290FCA
.text C:\WINDOWS\system32\dllhost.exe[2856] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0079000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00260000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00260093
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00260082
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00260FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00260FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00260FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00260F61
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00260F72
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002600DF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00260F46
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 002600F0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00260FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0026001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00260F83
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00260051
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0026002C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 002600C4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0034003D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] msvcrt.dll!system 77C293C7 5 Bytes JMP 0034002C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00340FC6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00340000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00340011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00340FD7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00350FB2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00350F8D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00350FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00350FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00350054
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00350FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00350039
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0035001E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00370000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00370FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00370FBE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00370011
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 014A0FEF
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008E0F63
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008E0F74
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008E0058
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008E0047
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008E0025
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008E0084
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008E0073
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008E00D5
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008E00C4
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008E0F21
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008E0036
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008E0FD4
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008E0F52
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008E0014
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008E0FB9
.text C:\WINDOWS\system32\svchost.exe[3508] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008E009F
.text C:\WINDOWS\system32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 008D0036
.text C:\WINDOWS\system32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 008D0F9B
.text C:\WINDOWS\system32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 008D001B
.text C:\WINDOWS\system32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 008D0058
.text C:\WINDOWS\system32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 008D0047
.text C:\WINDOWS\system32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 008D0FC0
.text C:\WINDOWS\system32\svchost.exe[3508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008C0FAD
.text C:\WINDOWS\system32\svchost.exe[3508] msvcrt.dll!system 77C293C7 5 Bytes JMP 008C0038
.text C:\WINDOWS\system32\svchost.exe[3508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008C001D
.text C:\WINDOWS\system32\svchost.exe[3508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008C0FE3
.text C:\WINDOWS\system32\svchost.exe[3508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008C0FC8
.text C:\WINDOWS\system32\svchost.exe[3508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0F94
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0089
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B006C
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B00DC
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B00CB
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0F5E
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B0F79
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001B0F43
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001B0014
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001B00A4
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[4332] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001B00F7
.text C:\WINDOWS\system32\wuauclt.exe[4332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FB2
.text C:\WINDOWS\system32\wuauclt.exe[4332] msvcrt.dll!system 77C293C7 5 Bytes JMP 0029003D
.text C:\WINDOWS\system32\wuauclt.exe[4332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FDE
.text C:\WINDOWS\system32\wuauclt.exe[4332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\wuauclt.exe[4332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FC3
.text C:\WINDOWS\system32\wuauclt.exe[4332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0029000C
.text C:\WINDOWS\system32\wuauclt.exe[4332] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\wuauclt.exe[4332] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002A005F
.text C:\WINDOWS\system32\wuauclt.exe[4332] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\wuauclt.exe[4332] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4332] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002A004E
.text C:\WINDOWS\system32\wuauclt.exe[4332] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[4332] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002A003D
.text C:\WINDOWS\system32\wuauclt.exe[4332] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002A0FC0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8ACC1920
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 8ACC1920
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 8ACC1920
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 8ACC1920
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 8ACC1920
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 8ACC1920
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 8ACC1920

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Ip 8A640D70

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp 8A640D70

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp 8A640D70

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\RawIp 8A640D70

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST 8A640D70

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

Kaspersky Scan Results:
No Threats found

There was no report to save.

Edited by MileHighV, 20 August 2009 - 08:38 PM.
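
The hook listing above is easier to judge as a whole than line by line. The parser below is an added example for this thread, not GMER's own code and not something posted by either participant: it reads GMER 1.0.15 user-mode hook lines, handles the partial "1 Byte [E9]" variant, and counts JMP targets that GMER could not attribute to a loaded module, with the caveat that a HIPS/AV product such as McAfee leaves exactly this footprint in every process. SAMPLE_LOG holds a few lines copied from the log above.

```python
"""Parse and triage the user-mode inline hook lines of a GMER 1.0.15 log.

Added example for this thread: not part of GMER or of the original post.
SAMPLE_LOG holds a few lines copied from the log above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A GMER user-mode hook line:
#   .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<path> (<vendor>)]
# The trailing path/vendor is printed only when GMER can attribute the JMP target to a
# loaded module; a target in anonymous memory has none.  The variant "1 Byte [E9]"
# reports just the first patched byte (0xE9 is the JMP rel32 opcode).
_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<count>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<bytes>[0-9A-Fa-f ]+)\])"
    r"(?:\s+(?P<attr>\S.*))?$"
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    address: int
    target: Optional[int]         # None for the partial "1 Byte [E9]" report
    patched_bytes: Optional[str]  # raw bytes of the partial report, else None
    attribution: Optional[str]    # path + vendor GMER printed for the target, if any


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one '.text ...' line; any other line yields None."""
    m = _HOOK_RE.match(line)
    if m is None:
        return None
    return Hook(
        process=m["proc"], pid=int(m["pid"]), module=m["module"], export=m["export"],
        address=int(m["addr"], 16),
        target=int(m["target"], 16) if m["target"] else None,
        patched_bytes=m["bytes"], attribution=m["attr"],
    )


def parse_log(text: str) -> list:
    """All user-mode hooks in a log; kernel IAT, device and header lines are skipped."""
    parsed = (parse_hook_line(ln.strip()) for ln in text.splitlines())
    return [h for h in parsed if h is not None]


def summarize(hooks) -> dict:
    """Per process: hook lines seen, distinct hooked exports, and how many JMP targets
    GMER could not attribute to a loaded module.  HIPS/AV trampolines (McAfee in this
    thread) and malware both live in such memory, so this is a triage aid, not a verdict."""
    out = {}
    for h in hooks:
        key = f"{h.process}[{h.pid}]"
        e = out.setdefault(key, {"hooks": 0, "unattributed": 0, "exports": set()})
        e["hooks"] += 1
        e["exports"].add(f"{h.module}!{h.export}")
        if h.target is not None and h.attribution is None:
            e["unattributed"] += 1
    return out


def export_prevalence(hooks) -> dict:
    """Distinct processes in which each export is hooked.  An export hooked in nearly
    every process is the footprint of a system-wide product; one hooked in a single
    process is the finding worth a closer look."""
    seen = {}
    for h in hooks:
        seen.setdefault(f"{h.module}!{h.export}", set()).add((h.process, h.pid))
    return {name: len(procs) for name, procs in seen.items()}


# Lines copied from the GMER log in this thread (user-mode section plus two lines
# from later sections, which the parser must ignore).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0044
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E50 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00930054
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 0091001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] msvcrt.dll!system 77C293C7 5 Bytes JMP 0034002C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 014A0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2548] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8ACC1A18
"""

if __name__ == "__main__":
    hooks = parse_log(SAMPLE_LOG)
    for proc, info in summarize(hooks).items():
        print(f"{proc}: {info['hooks']} hook lines, {info['unattributed']} into unattributed memory")
    for name, n in sorted(export_prevalence(hooks).items(), key=lambda kv: -kv[1]):
        print(f"{name}: hooked in {n} process(es)")
```

Run against the full log, the same exports show up hooked in every process listed, which is what a system-wide HIPS looks like and matches Kaspersky finding nothing; a hook present in only one process would be the one to examine.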


#15 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,829 posts
  • Gender:Female
  • Location:Romania

Posted 21 August 2009 - 05:36 AM

Hello MileHighV,

First of all, I promised to get back to Flash Disinfector. I saw evidence in your logs that it had run successfully. If you would like to use it on a regular basis, you will have to let McAfee allow the application. If you have questions about that, please let me know!


UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually using Add/Remove programs.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones:
  • Download DelDomains.inf by right-clicking the download link below, and choosing the option labelled "Save Target As…". Save it to your Desktop.
    Download DelDomains.inf
  • Locate DelDomains.inf on your Desktop, right-click it and select the "Install" option. NOTE: You will not see any on-screen action.
  • This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
NOTE once you do this: Any previous restricted zone hacks (SpywareBlaster, IE-SPYAD, etc) will need to be reapplied.


Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
  • Click start > run and type combofix /u, press enter. This will remove Combofix from your computer.
  • Delete Dr. Web (this is a randomly named file), RootRepeal and GMER (this is a randomly named file).


UPDATE XP
--------------
Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.


In your next reply, please include the following
  • A new DDS log
  • Please let me know how your computer is running now


Reason for edit: Java version change ~htv8

Edited by htv8, 21 August 2009 - 06:59 AM.

regards, Elise



Malware analyst @ Emsisoft
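The post above asks the reader to remove every old Java Runtime by hand and then wipe the IE zone entries with DelDomains.inf. The following read-only PowerShell audit, an added example that is not part of the thread or its tools, lists what is still registered so both steps can be verified afterwards. It assumes Java writes a DisplayVersion such as "6.0.160" for JRE 6 Update 16 into the Uninstall registry keys, and it checks only the per-user ZoneMap domains (not the machine-wide EscDomains key).

```powershell
# Added example (not from the thread): read-only audit of leftover Java installs
# and of Internet Explorer ZoneMap entries, to verify the Java-removal and
# DelDomains steps. Assumption: JRE 6 Update 16 registers DisplayVersion "6.0.160".
$TargetJava = [version]'6.0.160'

$UninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstalls {
  # Every Add/Remove Programs entry whose name mentions Java or J2SE,
  # flagged as Outdated when its version is below the target release.
  Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' } |
    ForEach-Object {
      $v = $_.DisplayVersion -as [version]   # $null when not parseable
      [pscustomobject]@{
        Name     = $_.DisplayName
        Version  = $_.DisplayVersion
        Outdated = ($null -ne $v -and $v -lt $TargetJava)
      }
    }
}

function Get-ZoneMapEntries {
  # Domains that a program (or malware) has placed into an IE security zone.
  # Zone ids: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
  $ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
  $Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
  if (-not (Test-Path $Base)) { return }
  Get-ChildItem -Path $Base -Recurse | ForEach-Object {
    $key = $_
    $rel = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
    foreach ($scheme in $key.GetValueNames()) {
      [pscustomobject]@{
        Domain = $rel           # subkey path under Domains, e.g. example.com\www
        Scheme = $scheme        # http, https or * (all schemes)
        Zone   = $ZoneNames[[int]$key.GetValue($scheme)]
      }
    }
  }
}

# After the cleanup, both lists should be empty apart from the current JRE.
Get-JavaInstalls    | Format-Table -AutoSize
Get-ZoneMapEntries  | Format-Table -AutoSize
```

Any Java entry reported as Outdated should still be removed through Add/Remove Programs, and any remaining ZoneMap domain means DelDomains.inf did not install (right-click the file and choose Install again).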