Win32 Trojan TDSS


  • This topic is locked
10 replies to this topic

#1 dlupin

dlupin

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 07 August 2009 - 12:07 PM

Ad-Aware detects Win32.Trojan.TDSS but cannot remove it, even after a reboot;

Spybot S&D and Malaware are disabled and do not start;

McAfee detects the Generic Rootkit.d! rootkit and says it has gotten rid of it, but when scanning again it finds it again.

Sometimes random pages open in Firefox.


Here is the DDS log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Owner at 17:59:11.14 on 07/08/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1022.448 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Desktop\dds.scr
C:\Program Files\Internet Explorer\Iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [CTZDetec.exe] "c:\program files\creative\creative media lite\CTZDetec.exe"
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_own~1.you\applic~1\mozilla\firefox\profiles\2a1afzmc.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-29 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-28 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-25 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-28 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-28 40552]
S2 gupdate1ca016f88d82146;Google Update Service (gupdate1ca016f88d82146);c:\program files\google\update\GoogleUpdate.exe [2009-7-10 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-28 34248]

=============== Created Last 30 ================

2009-08-06 22:42 1,215,667 a------- c:\windows\system32\xa.tmp
2009-07-19 18:00 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-07-19 18:00 44,032 -------- c:\windows\system32\CTSVCCDA.EXE
2009-07-19 18:00 25,088 -------- c:\windows\system32\CTSVCCTL.EXE
2009-07-15 22:23 <DIR> --d----- c:\program files\Jufsoft
2009-07-12 17:52 25 a------- c:\windows\cdplayer.ini
2009-07-12 17:24 <DIR> --d----- c:\program files\common files\xing shared
2009-07-09 13:25 <DIR> --ds---- c:\documents and settings\hp_owner.your-447023ae6b\UserData

==================== Find3M ====================

2009-07-18 17:20 3,062,272 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 17:20 1,506,304 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-07 15:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-29 15:13 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-29 15:13 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-28 15:38 1,834 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EC641AA-ABU t3145.uk_YC_0Pavi_QCZB540_E53GBheBLU4_47_IAMETHYST-M_SMSI_V1.0_B3.34_T050831_WXH2_L409_M1023_J250_7AMD_8Athlon 64_92.19_#081022_N10EC8139_Z11C1048C_G10DE0161_OLITE-ON DVDRW SOHW-1633S.MRK
2009-06-28 15:35 160 a------- c:\docume~1\hp_own~1.you\applic~1\wklnhst.dat
2009-06-22 12:38 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-06-16 15:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 20:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 20:27 1,290,752 a------- c:\windows\system32\dllcache\quartz.dll
2006-05-19 16:00 32 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 18:00:17.28 ===============


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 PM

Posted 07 August 2009 - 12:11 PM

Hello and welcome to Bleeping Computer.

My name is Syler, and I will be helping you to solve your malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to, and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply; do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program's drivers will not conflict with GMER's driver.
  • Double-click on GMER to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and paste the contents of that file in your next post.


Then please post back here with the following GMER log.

Thanks

Edited by syler, 07 August 2009 - 12:14 PM.



#3 dlupin

dlupin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 07 August 2009 - 12:42 PM

GMER 1.0.15.15020 [h00lbky9.exe] - http://www.gmer.net
Rootkit scan 2009-08-07 18:39:42
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF3B2B4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF3B2B581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF3B2B498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF3B2B4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF3B2B595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF3B2B5C1]
Code 8654A200 ZwEnumerateKey
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF3B2B619]
Code 86689F70 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF3B2B52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF3B2B65E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF3B2B56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF3B2B470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF3B2B484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF3B2B4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF3B2B69A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF3B2B603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF3B2B5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF3B2B5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF3B2B686]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF3B2B672]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF3B2B4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF3B2B4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF3B2B5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF3B2B559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF3B2B648]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF3B2B540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF3B2B514]
Code 865441AE IofCallDriver
Code 86648A76 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
Code 863E6345 ZwSaveKey
Code 8645B915 ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 865441B3
.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 86648A7B
.text ntkrnlpa.exe!ZwSaveKey 804FE48C 5 Bytes JMP 863E634A
.text ntkrnlpa.exe!ZwSaveKeyEx 804FE4A0 5 Bytes JMP 8645B91A
.text ntkrnlpa.exe!ZwYieldExecution 805018BC 7 Bytes JMP F3B2B518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056D44A 5 Bytes JMP F3B2B4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A6286 7 Bytes JMP F3B2B52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A709C 5 Bytes JMP F3B2B544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AAC4A 5 Bytes JMP 86689F74
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805AC81A 7 Bytes JMP F3B2B502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805BFEAA 5 Bytes JMP F3B2B474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C0136 5 Bytes JMP F3B2B488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C2968 5 Bytes JMP F3B2B4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C5F64 7 Bytes JMP F3B2B4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C601A 5 Bytes JMP F3B2B49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C653C 5 Bytes JMP F3B2B4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C77F8 5 Bytes JMP F3B2B55D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80616FEA 7 Bytes JMP F3B2B5F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80617338 5 Bytes JMP F3B2B676 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806175F0 7 Bytes JMP F3B2B5DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 806178B8 7 Bytes JMP F3B2B64C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806180FE 7 Bytes JMP F3B2B607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80618956 7 Bytes JMP F3B2B5AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80618F30 5 Bytes JMP F3B2B585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 806193C0 7 Bytes JMP F3B2B599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80619590 7 Bytes JMP F3B2B5C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619770 5 Bytes JMP 8654A204
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 806199DA 7 Bytes JMP F3B2B61D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061A2C6 5 Bytes JMP F3B2B571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061A5EA 7 Bytes JMP F3B2B69E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061AB10 5 Bytes JMP F3B2B68A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061AC2A 5 Bytes JMP F3B2B662 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[156] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C3000A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[156] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C4000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[176] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00BD000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[176] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00BE000A
.text C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe[216] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 010E000A
.text C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe[216] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 010F000A
.text C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe[240] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C0000A
.text C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe[240] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C1000A
.text C:\Program Files\Creative\Software Update 3\SoftAuto.exe[268] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C2000A
.text C:\Program Files\Creative\Software Update 3\SoftAuto.exe[268] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C3000A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[344] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00BB000A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[344] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CE008B
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CE0070
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CE0F96
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CE005F
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CE0033
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CE00B2
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CE0F6A
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CE0F2D
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CE0F3E
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00CE0F1C
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00CE004E
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00CE0011
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00CE0F7B
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00CE0022
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00CE0FDB
.text C:\WINDOWS\system32\svchost.exe[476] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00CE0F59
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00C00FCA
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00C00F9E
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00C00065
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\svchost.exe[476] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00C00040
.text C:\WINDOWS\system32\svchost.exe[476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF004E
.text C:\WINDOWS\system32\svchost.exe[476] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0033
.text C:\WINDOWS\system32\svchost.exe[476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0018
.text C:\WINDOWS\system32\svchost.exe[476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[476] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[476] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[476] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[476] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\svchost.exe[476] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00BE003B
.text C:\WINDOWS\system32\CTsvcCDA.exe[516] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0091000A
.text C:\WINDOWS\system32\CTsvcCDA.exe[516] ntdll.dll!LdrUnloadDll 7C916C83 3 Bytes JMP 0092000A
.text C:\WINDOWS\system32\CTsvcCDA.exe[516] ntdll.dll!LdrUnloadDll + 4 7C916C87 1 Byte [84]
.text C:\WINDOWS\system32\winlogon.exe[556] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\winlogon.exe[556] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0095000A
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01620FE5
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 016200AB
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01620090
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0162007F
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01620FB6
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01620051
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01620F80
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01620F91
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01620F54
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 016200ED
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01620F39
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01620062
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0162000A
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 016200BC
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01620040
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0162001B
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01620F6F
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0161002C
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0161007D
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 01610FDB
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 01610011
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0161006C
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01610000
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 01610047
.text C:\WINDOWS\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01610FC0
.text C:\WINDOWS\system32\services.exe[600] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01600FA3
.text C:\WINDOWS\system32\services.exe[600] msvcrt.dll!system 77C293C7 5 Bytes JMP 01600FBE
.text C:\WINDOWS\system32\services.exe[600] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0160001D
.text C:\WINDOWS\system32\services.exe[600] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01600FEF
.text C:\WINDOWS\system32\services.exe[600] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0160002E
.text C:\WINDOWS\system32\services.exe[600] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0160000C
.text C:\WINDOWS\system32\services.exe[600] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[600] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 015F0000
.text C:\WINDOWS\system32\services.exe[600] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 015F0FE5
.text C:\WINDOWS\system32\services.exe[600] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 015F001B
.text C:\WINDOWS\system32\services.exe[600] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 015F0FD4
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrLoadDll 7C915CBB 3 Bytes JMP 0092000A
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrLoadDll + 4 7C915CBF 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01280FEF
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01280F55
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01280F70
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01280F81
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01280F9E
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01280025
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01280076
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01280065
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01280EE7
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01280F02
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01280ED6
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0128004A
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01280FD4
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01280F44
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0128000A
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01280FB9
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01280F13
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00FF003D
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00FF0F8A
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\lsass.exe[612] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0042
.text C:\WINDOWS\system32\lsass.exe[612] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0FAD
.text C:\WINDOWS\system32\lsass.exe[612] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0027
.text C:\WINDOWS\system32\lsass.exe[612] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[612] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0FC8
.text C:\WINDOWS\system32\lsass.exe[612] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FE3
.text C:\WINDOWS\system32\lsass.exe[612] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\lsass.exe[612] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\lsass.exe[612] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\lsass.exe[612] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\lsass.exe[612] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01470FE5
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01470F50
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01470F61
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01470F72
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01470F83
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01470FAF
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0147007D
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01470F2B
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01470EF5
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01470098
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01470EE4
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01470F9E
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01470000
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01470056
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01470FC0
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01470011
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 01470F1A
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 01460025
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0146005B
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0146000A
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 01460FDE
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 01460F9E
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01460FEF
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 01460FAF
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01460036
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01450075
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!system 77C293C7 5 Bytes JMP 01450064
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01450038
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01450000
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01450053
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0145001D
.text C:\WINDOWS\system32\svchost.exe[760] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[760] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 0144001B
.text C:\WINDOWS\system32\svchost.exe[760] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 01440000
.text C:\WINDOWS\system32\svchost.exe[760] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 0144002C
.text C:\WINDOWS\system32\svchost.exe[760] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 01440FD9
.text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[768] ntdll.dll!LdrLoadDll 7C915CBB 3 Bytes JMP 0092000A
.text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[768] ntdll.dll!LdrLoadDll + 4 7C915CBF 1 Byte [84]
.text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[768] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0F61
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF0060
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0043
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0F86
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF0087
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF0F3F
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF0EFF
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF0098
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00FF00B3
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00FF0F97
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00FF0F50
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00FF0F1A
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00FE0033
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00FE0FA2
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00FE0022
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00FE005F
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00FE0FC7
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00FE0044
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0FAF
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0044
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD000C
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD001D
.text C:\WINDOWS\system32\svchost.exe[900] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[900] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[900] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\svchost.exe[900] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00FC0011
.text C:\WINDOWS\system32\svchost.exe[900] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00FC0022
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02770FEF
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02770F52
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02770F6D
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02770F8A
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02770047
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02770FC0
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0277007F
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02770F37
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 027700A1
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02770090
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 027700B2
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02770FA5
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02770000
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02770062
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0277002C
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02770011
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02770F1C
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02240FCA
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 02240F79
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0224001B
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 02240FE5
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 02240F8A
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 02240000
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 02240FA5
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0224002C
.text C:\WINDOWS\System32\svchost.exe[996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02230FD4
.text C:\WINDOWS\System32\svchost.exe[996] msvcrt.dll!system 77C293C7 5 Bytes JMP 0223005F
.text C:\WINDOWS\System32\svchost.exe[996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02230029
.text C:\WINDOWS\System32\svchost.exe[996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02230FEF
.text C:\WINDOWS\System32\svchost.exe[996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0223003A
.text C:\WINDOWS\System32\svchost.exe[996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0223000C
.text C:\WINDOWS\System32\svchost.exe[996] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02210FE5
.text C:\WINDOWS\System32\svchost.exe[996] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 0222001B
.text C:\WINDOWS\System32\svchost.exe[996] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 02220000
.text C:\WINDOWS\System32\svchost.exe[996] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 0222002C
.text C:\WINDOWS\System32\svchost.exe[996] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 02220FDB
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F3005D
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F30F72
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F30F83
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F30040
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F3009D
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F30F4B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F30F1F
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F300B8
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00F30EFA
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00F30F9E
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00F30078
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00F30FB9
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00F30F3A
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00F20025
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00F20F9E
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00F2005B
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00F20040
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00F20FAF
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10056
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F1003B
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FD2
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FC1
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3
.text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00EE000A
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00F00011
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00F00022
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00F00033
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C80091
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C80F9C
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C80076
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C8005B
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C8002F
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C80F70
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C80F81
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C80F44
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C800DD
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C80F33
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C80FDE
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C800AC
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C8001E
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C80FC3
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C80F5F
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00C70F6F
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00C70FCA
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00C70F8A
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00C70FA5
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00C7002C
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C6002F
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FA4
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FB5
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C6000A
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00C50014
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00C50025
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00C5004C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1304] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00CE000A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1304] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\spoolsv.exe[1380] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\spoolsv.exe[1380] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00BB000A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1608] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0095000A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1608] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0096000A
.text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02100FEF
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02100F75
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02100F90
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02100FA1
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02100FB2
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02100FC3
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 021000A7
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02100096
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 021000B8
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02100F1F
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02100F0E
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0210004A
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0210000A
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02100085
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 0210002F
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02100FD4
.text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02100F3A
.text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 01A80040
.text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 01A80F94
.text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 01A80FEF
.text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 01A80025
.text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 01A80051
.text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01A8000A
.text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 01A80FB9
.text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01A80FCA
.text C:\WINDOWS\Explorer.EXE[1640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01A50F7F
.text C:\WINDOWS\Explorer.EXE[1640] msvcrt.dll!system 77C293C7 5 Bytes JMP 01A50F9A
.text C:\WINDOWS\Explorer.EXE[1640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01A50FAB
.text C:\WINDOWS\Explorer.EXE[1640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01A50FE3
.text C:\WINDOWS\Explorer.EXE[1640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01A5000A
.text C:\WINDOWS\Explorer.EXE[1640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01A50FD2
.text C:\WINDOWS\Explorer.EXE[1640] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 01980FDB
.text C:\WINDOWS\Explorer.EXE[1640] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 01980000
.text C:\WINDOWS\Explorer.EXE[1640] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 01980011
.text C:\WINDOWS\Explorer.EXE[1640] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 01980022
.text C:\WINDOWS\Explorer.EXE[1640] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01930FEF
.text C:\Program Files\McAfee\SiteAdvisor\McSACore.exe[1712] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00BF000A
.text C:\Program Files\McAfee\SiteAdvisor\McSACore.exe[1712] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C0000A
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[1748] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00B8000A
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[1748] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00B9000A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[1760] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A1000A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[1760] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A2000A
.text C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Desktop\h00lbky9.exe[1788] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C5000A
.text C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Desktop\h00lbky9.exe[1788] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C6000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1872] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00BD000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1872] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00BE000A
.text C:\windows\system\hpsysdrv.exe[1884] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00BA000A
.text C:\windows\system\hpsysdrv.exe[1884] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00BB000A
.text C:\WINDOWS\AGRSMMSG.exe[1912] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C2000A
.text C:\WINDOWS\AGRSMMSG.exe[1912] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\hphmon06.exe[1928] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\hphmon06.exe[1928] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00D1000A
.text C:\HP\KBD\KBD.EXE[1936] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00B7000A
.text C:\HP\KBD\KBD.EXE[1936] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00B8000A
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00BD000A
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00BE000A
.text C:\WINDOWS\ALCXMNTR.EXE[1960] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C2000A
.text C:\WINDOWS\ALCXMNTR.EXE[1960] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\rundll32.exe[1980] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\rundll32.exe[1980] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00BB000A
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[2044] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00C5000A
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[2044] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C6000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2104] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0097000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2104] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0098000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2104] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2104] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2136] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0094000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2136] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0095000A
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2272] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0091000A
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2272] ntdll.dll!LdrUnloadDll 7C916C83 3 Bytes JMP 0092000A
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2272] ntdll.dll!LdrUnloadDll + 4 7C916C87 1 Byte [84]
.text C:\WINDOWS\system32\nvsvc32.exe[2368] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\nvsvc32.exe[2368] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0094000A
.text C:\WINDOWS\system32\HPZipm12.exe[2396] ntdll.dll!LdrLoadDll 7C915CBB 3 Bytes JMP 0092000A
.text C:\WINDOWS\system32\HPZipm12.exe[2396] ntdll.dll!LdrLoadDll + 4 7C915CBF 1 Byte [84]
.text C:\WINDOWS\system32\HPZipm12.exe[2396] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D10087
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D10076
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D10065
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D1004A
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D1001E
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D10F75
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D100BD
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D10F49
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D10F5A
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00D100FD
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00D10039
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00D10FDE
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00D100A2
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00D10FB2
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\system32\svchost.exe[2464] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00D100D8
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00D00FDB
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00D00070
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00D00022
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00D0005F
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00D0004E
.text C:\WINDOWS\system32\svchost.exe[2464] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00D0003D
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0FA6
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0031
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0FD2
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0FC1
.text C:\WINDOWS\system32\svchost.exe[2464] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[2464] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CD0FE5
.text C:\WINDOWS\system32\svchost.exe[2464] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[2464] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[2464] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00CE0FB7
.text C:\WINDOWS\system32\svchost.exe[2464] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00CE0FA6
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00D3000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 002A0000
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 002A0F8F
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 002A0084
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 002A0069
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 002A0FAC
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 002A003D
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002A00B5
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 002A0F6D
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002A0F30
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 002A0F41
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 002A0F15
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 002A004E
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 002A0FDB
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 002A0F7E
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 002A002C
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 002A0011
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 002A0F52
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00380F7A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00380F95
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00380FB7
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00380FE3
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00380FA6
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00380FD2
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00390FD4
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00390F8D
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00390025
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0039000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00390F9E
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00390FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00390FAF
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00390040
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 003B0FD4
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WININET.dll!HttpAddRequestHeadersA 771C40A2 5 Bytes JMP 00E1000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 003B0FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 003B0FB7
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WININET.dll!HttpAddRequestHeadersW 771CEEDC 5 Bytes JMP 00EC000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 003B0FA6
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AE0000
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WS2_32.dll!connect 71AB406A 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WS2_32.dll!send 71AB428A 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[2492] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 100129A0
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2900] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A1000A
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[2900] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2968] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2968] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00D7000A
.text C:\Program Files\iPod\bin\iPodService.exe[2980] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0096000A
.text C:\Program Files\iPod\bin\iPodService.exe[2980] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3172] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3172] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\alg.exe[3680] ntdll.dll!LdrLoadDll 7C915CBB 3 Bytes JMP 0092000A
.text C:\WINDOWS\System32\alg.exe[3680] ntdll.dll!LdrLoadDll + 4 7C915CBF 1 Byte [84]
.text C:\WINDOWS\System32\alg.exe[3680] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 0093000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACtwaqwkblcy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [760] 0x01330000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACoultunapfm.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACoultunapfm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACoultunapfm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACcpaibhxceb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACxtqrqjdaeo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACiyyufyfela.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACkmypdmbfny.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACtwaqwkblcy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACqoqhtapacc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACqaicqwqbqb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACoultunapfm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACoultunapfm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACcpaibhxceb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACxtqrqjdaeo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACiyyufyfela.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACkmypdmbfny.db
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACtwaqwkblcy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACqoqhtapacc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACqaicqwqbqb.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\HP_Owner\Desktop\spart\young_neil\.name 46 bytes
File C:\Documents and Settings\HP_Owner\Desktop\spart\young_neil\.subcache 48 bytes
File C:\Documents and Settings\HP_Owner\Desktop\spart\young_neil\D3217D9D3992366227A5B8F07E0D1D4FB2576A4E 0 bytes
File C:\Documents and Settings\HP_Owner\Desktop\spart\young_neil\Data.dat 342 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\CD Burning 0 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\Credentials 0 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\Internet Explorer 0 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\Media Player 0 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\Portable Devices 0 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\Wallpaper1.bmp 3932214 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\Windows 0 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\Windows Live 0 bytes
File C:\Documents and Settings\HP_Owner\My Documents\@\New Folder\51\Windows Media 0 bytes
File C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\Spotify\Storage\6a\Desktop.ini 122 bytes
File C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\Spotify\Storage\6a\HP's Recommended Web Sites 0 bytes
File C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\Spotify\Storage\6a\Links 0 bytes
File C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\Spotify\Storage\6a\MSN.com.url 119 bytes
File C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\Spotify\Storage\6a\Radio Station Guide.url 197 bytes
File C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Local Settings\Temp\UACe126.tmp 343040 bytes executable

---- EOF - GMER 1.0.15 ----
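The entries GMER marks `*** hidden ***` in the log above are the parts that matter for cleanup: the hidden service, the modules it registers under its service key, and the DLL it has loaded into svchost.exe. As an added example (not part of dlupin's post or of GMER itself), this Python script parses that GMER log format, links those three together, and reports which registered module matches the injected DLL; the C:\WINDOWS system root it uses to rewrite the \systemroot paths is an assumption taken from the other paths in the log.

```python
"""Pull the hidden rootkit components out of a GMER 1.0.15 log.

Added example for this thread, not GMER's own code: splits the log into its
'---- <Section> - GMER x.y.z ----' blocks, collects the Service/Library lines
GMER marked '*** hidden ***', reads the hidden service's 'modules' registry
values and checks whether the DLL injected into svchost.exe is one of them."""
import re

SECTION_RE = re.compile(r"^---- (?P<name>[A-Za-z ]+) - GMER [\d.]+ ----$")
SERVICE_RE = re.compile(
    r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<ctx>\w+)\] (?P<name>\S+)")
LIBRARY_RE = re.compile(
    r"^Library (?P<path>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<host>.+?) "
    r"\[(?P<pid>\d+)\] 0x[0-9A-Fa-f]+$")
REG_VALUE_RE = re.compile(r"^Reg (?P<key>[^@\s]+)@(?P<value>\S+) (?P<data>.+)$")
ACTIVE_SERVICES = "hklm\\system\\currentcontrolset\\services\\"

# Constructed excerpt of the GMER log posted above (Processes, Services and
# Registry sections); one ControlSet003 line is kept to exercise the filter.
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACtwaqwkblcy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [760] 0x01330000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\UACoultunapfm.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACoultunapfm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACoultunapfm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACcpaibhxceb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACxtqrqjdaeo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACiyyufyfela.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACkmypdmbfny.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACtwaqwkblcy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACqoqhtapacc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACqaicqwqbqb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACoultunapfm.sys
"""


def normalize_path(path, system_root="C:\\WINDOWS"):
    """Map GMER's kernel-style paths onto the Win32 path an admin would use.
    system_root is an assumption for this log (XP default, as seen above)."""
    low = path.lower()
    for prefix in ("\\\\?\\globalroot\\systemroot", "\\systemroot"):
        if low.startswith(prefix):
            return system_root + path[len(prefix):]
    return path


def split_sections(text):
    """Return {section name: [non-empty lines]} for each GMER section."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current and line:
            sections[current].append(line)
    return sections


def hidden_services(sections):
    """Services GMER could not see through the normal API (marked hidden)."""
    out = []
    for line in sections.get("Services", []):
        m = SERVICE_RE.match(line)
        if m:
            out.append({"name": m.group("name"), "context": m.group("ctx"),
                        "path": normalize_path(m.group("path"))})
    return out


def hidden_libraries(sections):
    """Hidden DLLs and the process each one was found loaded into."""
    out = []
    for line in sections.get("Processes", []):
        m = LIBRARY_RE.match(line)
        if m:
            out.append({"path": normalize_path(m.group("path")),
                        "host": m.group("host"), "pid": int(m.group("pid"))})
    return out


def service_modules(sections, service_name, active_only=True):
    """Module list the service keeps under its 'modules' subkey, keyed by
    value name; by default only the active ControlSet is consulted."""
    suffix = ("\\services\\" + service_name + "\\modules").lower()
    modules = {}
    for line in sections.get("Registry", []):
        m = REG_VALUE_RE.match(line)
        if not m or not m.group("key").lower().endswith(suffix):
            continue
        if active_only and not m.group("key").lower().startswith(ACTIVE_SERVICES):
            continue
        modules[m.group("value")] = normalize_path(m.group("data"))
    return modules


def analyze(text):
    """Tie each hidden service, its registered modules and any hidden
    injected DLL together; 'injected' lists (service, value, host, pid)."""
    sections = split_sections(text)
    services, libraries = hidden_services(sections), hidden_libraries(sections)
    modules = {s["name"]: service_modules(sections, s["name"]) for s in services}
    injected = [(name, value, lib["host"], lib["pid"])
                for name, mods in modules.items()
                for value, path in mods.items()
                for lib in libraries if lib["path"].lower() == path.lower()]
    return {"services": services, "libraries": libraries,
            "modules": modules, "injected": injected}
```

Run against the full log, `analyze()` gives the complete set of UAC* files to quarantine plus the service name to remove, which is what the ComboFix run below ended up deleting.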

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 PM

Posted 07 August 2009 - 12:49 PM

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------

    Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.

Edited by syler, 07 August 2009 - 12:50 PM.



#5 dlupin

dlupin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 07 August 2009 - 01:35 PM

ComboFix 09-08-07.01 - HP_Owner 07/08/2009 19:21.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1022.589 [GMT 1:00]
Running from: c:\documents and settings\HP_Owner.YOUR-447023AE6B\Desktop\Combo-fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3055788755-2675296867-2606149894-1008
c:\windows\Installer\1500dee.msi
c:\windows\Installer\1500e05.msp
c:\windows\Installer\1b17b.msi
c:\windows\Installer\1b181.msi
c:\windows\Installer\1b1b9.msi
c:\windows\Installer\22950c.msi
c:\windows\Installer\65e5a.msi
c:\windows\Installer\b3df3.msi
c:\windows\Installer\b3df9.msi
c:\windows\run.log
c:\windows\system32\drivers\UACoultunapfm.sys
c:\windows\system32\UACcpaibhxceb.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiyyufyfela.dat
c:\windows\system32\UACkmypdmbfny.db
c:\windows\system32\UACqaicqwqbqb.dll
c:\windows\system32\UACqoqhtapacc.dll
c:\windows\system32\UACtwaqwkblcy.dll
c:\windows\system32\UACxtqrqjdaeo.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2009-08-07 16:15 . 2009-08-07 16:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunderbird
2009-08-07 16:15 . 2009-08-07 16:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird
2009-08-07 15:54 . 2009-08-07 15:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-19 17:00 . 1999-12-13 08:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
2009-07-19 17:00 . 1999-11-18 08:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE
2009-07-15 21:23 . 2009-07-15 21:23 -------- d-----w- c:\program files\Jufsoft
2009-07-12 16:24 . 2009-07-12 16:24 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-12 16:14 . 2009-07-12 16:14 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\IsolatedStorage
2009-07-12 16:13 . 2009-07-12 16:13 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\HP
2009-07-12 16:13 . 2009-07-12 16:13 147 ----a-w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\fusioncache.dat
2009-07-10 17:12 . 2009-07-10 17:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-07-10 15:03 . 2009-07-10 15:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-07-10 15:02 . 2009-07-10 15:14 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\Google
2009-07-10 14:59 . 2009-07-10 14:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-10 14:58 . 2009-07-10 15:03 -------- d-----w- c:\program files\Google
2009-07-09 12:25 . 2009-07-09 12:25 -------- d-s---w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-09 13:10 . 2005-01-02 05:43 -------- d-----w- c:\program files\Easy Internet signup
2009-08-07 17:29 . 2009-06-25 14:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-07 16:52 . 2009-06-25 15:08 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-07 15:29 . 2009-07-01 17:18 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\ZipGenius
2009-08-07 11:59 . 2009-06-25 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 11:58 . 2009-06-25 15:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-06 22:12 . 2009-06-28 16:33 -------- d-----w- c:\program files\McAfee
2009-08-06 21:43 . 2009-08-06 21:42 1215667 ----a-w- c:\windows\system32\xa.tmp
2009-07-19 16:54 . 2009-06-25 15:24 -------- d--h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{F40E9D30-5DFC-4B21-BFDB-A5CDEE6440A6}
2009-07-15 21:50 . 2009-06-25 15:07 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-12 16:23 . 2005-01-02 05:32 -------- d-----w- c:\program files\Common Files\Real
2009-07-07 14:19 . 2009-07-07 14:20 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-07 14:19 . 2005-01-02 05:12 -------- d-----w- c:\program files\Java
2009-07-07 14:18 . 2009-07-07 14:18 152576 ----a-w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-05 13:30 . 2009-07-05 13:30 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-04 18:05 . 2009-06-28 15:54 41008 ----a-w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 18:05 . 2009-07-04 18:05 -------- d-----w- c:\program files\Microsoft
2009-07-04 18:05 . 2009-07-04 18:04 -------- d-----w- c:\program files\Windows Live
2009-07-04 18:04 . 2009-07-04 18:04 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-04 17:58 . 2009-07-04 17:58 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-03 14:40 . 2009-07-03 14:40 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\AdobeUM
2009-07-03 14:19 . 2009-07-03 14:13 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\Spotify
2009-07-01 21:35 . 2009-07-01 21:35 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\Malwarebytes
2009-07-01 17:18 . 2009-06-25 15:12 -------- d-----w- c:\program files\ZipGenius 6
2009-07-01 16:22 . 2009-07-01 16:22 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\DivX
2009-07-01 14:32 . 2009-06-25 15:10 -------- d-----w- c:\program files\DivX
2009-07-01 14:31 . 2009-06-25 15:10 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-29 14:13 . 2009-07-01 22:04 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-29 14:13 . 2009-06-29 13:06 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-29 13:21 . 2009-06-29 13:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-06-29 13:05 . 2009-06-29 13:05 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-29 13:05 . 2009-06-25 15:02 -------- d-----w- c:\program files\Lavasoft
2009-06-29 13:05 . 2009-06-25 15:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-06-28 16:33 . 2009-06-28 16:33 -------- d-----w- c:\program files\McAfee.com
2009-06-28 15:56 . 2005-01-02 05:53 -------- d-----w- c:\program files\Symantec
2009-06-28 15:14 . 2009-06-28 15:14 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\Talkback
2009-06-28 15:11 . 2009-06-28 15:11 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\Thunderbird
2009-06-28 15:08 . 2005-01-02 05:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-06-28 15:00 . 2009-06-25 14:52 -------- d-----w- c:\program files\Smart Panel
2009-06-28 14:55 . 2009-06-28 14:55 -------- d-----w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\Template
2009-06-28 14:44 . 2009-06-28 14:43 -------- d-----w- c:\program files\Microsoft Works
2009-06-28 14:38 . 2009-06-28 14:38 1834 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EC641AA-ABU t3145.uk_YC_0Pavi_QCZB540_E53GBheBLU4_47_IAMETHYST-M_SMSI_V1.0_B3.34_T050831_WXH2_L409_M1023_J250_7AMD_8Athlon 64_92.19_#081022_N10EC8139_Z11C1048C_G10DE0161_OLITE-ON DVDRW SOHW-1633S.MRK
2009-06-28 14:35 . 2009-06-28 14:55 160 ----a-w- c:\documents and settings\HP_Owner.YOUR-447023AE6B\Application Data\wklnhst.dat
2009-06-26 16:18 . 2004-08-04 11:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2008-10-22 05:07 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 23:28 . 2009-06-25 23:28 -------- d-----w- c:\program files\MSXML 4.0
2009-06-25 17:03 . 2009-06-25 17:03 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AdobeUM
2009-06-25 17:02 . 2009-06-25 17:02 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-25 16:21 . 2009-06-25 16:15 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Spotify
2009-06-25 15:54 . 2009-06-25 15:54 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-25 15:24 . 2009-06-25 15:15 -------- d-----w- c:\program files\Creative
2009-06-25 15:23 . 2009-06-25 15:23 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\DivX
2009-06-25 15:19 . 2009-06-25 15:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Creative
2009-06-25 15:12 . 2009-06-25 15:12 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ZipGenius
2009-06-25 15:08 . 2009-06-25 15:08 0 ----a-w- c:\windows\nsreg.dat
2009-06-25 15:08 . 2009-06-25 15:08 23712 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 15:07 . 2009-06-25 15:07 -------- d-----w- c:\program files\Spotify
2009-06-25 15:07 . 2009-06-25 15:07 -------- d-----w- c:\program files\GetData
2009-06-25 15:06 . 2009-06-25 15:06 -------- d-----w- c:\program files\Apple Software Update
2009-06-25 15:06 . 2009-06-25 15:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Apple
2009-06-25 15:06 . 2009-06-25 15:06 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-06-25 15:05 . 2009-06-25 15:05 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-06-25 15:05 . 2009-06-25 15:05 -------- d-----w- c:\program files\Citrix
2009-06-25 14:57 . 2009-06-25 15:04 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-06-25 14:57 . 2009-06-25 14:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2009-06-25 14:56 . 2009-06-25 14:56 131 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\fusioncache.dat
2009-06-25 14:54 . 2009-06-25 14:37 -------- d-----w- c:\program files\epson
2009-06-25 14:54 . 2009-06-25 14:54 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-25 14:38 . 2009-06-25 14:38 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Talkback
2009-06-25 14:36 . 2009-06-25 14:36 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Thunderbird
2009-06-16 14:55 . 2008-10-22 05:11 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2008-10-22 05:07 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:27 . 2008-10-22 05:10 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 22:25 . 2009-06-28 16:33 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-05-13 22:25 . 2009-06-28 16:33 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-05-13 22:25 . 2009-06-28 16:33 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-05-13 22:25 . 2009-05-13 22:25 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-05-13 22:24 . 2009-06-28 15:25 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-19 15:00 . 2009-06-25 21:16 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-10 39408]
"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2008-04-24 368640]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-07 148888]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-04-09 1176808]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-12 198160]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-02-24 1495040]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [29/06/2009 14:06 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [28/06/2009 17:36 210216]
S2 gupdate1ca016f88d82146;Google Update Service (gupdate1ca016f88d82146);c:\program files\Google\Update\GoogleUpdate.exe [10/07/2009 16:02 133104]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
FF - ProfilePath - c:\docume~1\HP_OWN~1.YOU\APPLIC~1\Mozilla\Firefox\Profiles\2a1afzmc.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 19:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-07 19:31
ComboFix-quarantined-files.txt 2009-08-07 18:31

Pre-Run: 200,680,357,888 bytes free
Post-Run: 200,706,015,232 bytes free

220 --- E O F --- 2009-08-06 19:08

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 August 2009 - 01:56 PM

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 15.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

Update Adobe reader
  • Click Start > Control Panel > Add/Remove Programs
  • Remove any older versions of Adobe Reader.
  • Click here to download the latest version of Adobe Acrobat Reader.
  • Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • Close your Internet browser and open it again.
Next

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    :Files
    c:\windows\system32\xa.tmp
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Next

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click the Start scanning button then accept the License Agreement.
  • You will be prompted to install an ActiveX control, allow this.
  • Once the ActiveX installs, Click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Then please post back here with the following:
  • OTM results
  • F-Secure report
  • New DDS log
Thanks

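The ComboFix output earlier in this thread shows both McAfee products listed under Security Center\Monitoring with DisableMonitoring set to 1 and the Windows Firewall standard profile with EnableFirewall set to 0; the :Reg section of the OTM script above puts the two DisableMonitoring values back to 0. The script below is an added example written for this thread, not something from the helper's instructions or from OTM, that audits those same keys on an XP-era machine and, when run with -Fix, reverts DisableMonitoring the way the OTM script does. It assumes PowerShell is installed on the XP host and that the product subkey names match what the log shows (McAfeeAntiVirus, McAfeeFirewall); the registry paths are the ones visible in the log.

```powershell
# Added example (not from the thread): audit the XP-era Security Center
# "Monitoring" override keys and the Windows Firewall standard-profile switch
# that the ComboFix log shows set to 1 / 0 on this machine.
# Assumes Windows XP/2003 with PowerShell installed; on Vista and later
# Security Center state is read through WMI (root\SecurityCenter2) instead.
param(
    [switch]$Fix   # when set, revert DisableMonitoring=1 entries to 0 (what the OTM :Reg section does)
)

$monitoringRoot = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
$firewallKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

$findings = @()

# Each subkey under Monitoring names a security product (e.g. McAfeeAntiVirus,
# McAfeeFirewall). DisableMonitoring=1 tells Security Center to stop reporting
# that product's state, so the user gets no warning if the product is stopped.
if (Test-Path $monitoringRoot) {
    Get-ChildItem $monitoringRoot | ForEach-Object {
        $product = $_.PSChildName
        $value = (Get-ItemProperty -Path $_.PSPath -Name DisableMonitoring -ErrorAction SilentlyContinue).DisableMonitoring
        if ($value -eq 1) {
            $findings += "Security Center monitoring disabled for $product"
            if ($Fix) {
                # Same change the OTM :Reg lines make: "DisableMonitoring"=dword:00000000
                Set-ItemProperty -Path $_.PSPath -Name DisableMonitoring -Value 0 -Type DWord
                Write-Output "Reverted DisableMonitoring to 0 for $product"
            }
        }
    }
} else {
    Write-Output "No $monitoringRoot key present (expected on Vista and later)."
}

# EnableFirewall=0 on the standard profile means the built-in firewall is off.
# This is reported, not fixed: a third-party firewall (McAfee Personal Firewall
# here) legitimately turns the Windows Firewall off, so it needs a human decision.
if (Test-Path $firewallKey) {
    $fw = (Get-ItemProperty -Path $firewallKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    if ($fw -eq 0) {
        $findings += 'Windows Firewall (standard profile) is disabled'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Security Center / firewall tampering indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "WARNING: $_" }
}
```

Run it once without -Fix to see what it finds; on the machine in this thread it would report both McAfee entries and the disabled Windows Firewall. Only the DisableMonitoring entries are worth reverting automatically, because a third-party firewall being in charge is a normal reason for EnableFirewall to read 0.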


#7 dlupin

dlupin
  • Topic Starter

  • Members
  • 13 posts

Posted 07 August 2009 - 03:03 PM

I can't open the add/remove programs window

or nothing appears in it

sorry now it did

#8 dlupin

dlupin
  • Topic Starter

  • Members
  • 13 posts

Posted 07 August 2009 - 04:48 PM

All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
========== FILES ==========
c:\windows\system32\xa.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 37853635 bytes

User: All Users

User: Default User
->Temp folder emptied: 18090 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: HP_Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 32485300 bytes

User: HP_Owner.YOUR-447023AE6B
->Temp folder emptied: 38059 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 13431812 bytes
->FireFox cache emptied: 39081577 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1053297 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
Windows Temp folder emptied: 3072 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 119.52 mb


OTM by OldTimer - Version 3.0.0.5 log created on 08072009_211550

Files moved on Reboot...

Registry entries deleted on Reboot...



*********************************************************************************************************************************
********************************************************************************************************************************


Scanning Report
Friday, August 7, 2009 21:33:07 - 22:42:19

Computer name: YOUR-447023AE6B
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\
5 malware found
TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Revsci (spyware)

* System (Disinfected)

TrackingCookie.Zanox (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 44239
* System: 3426
* Not scanned: 10

Actions:

* Disinfected: 5
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\MCMSC_ZIWLLTRIQDGBH8N
* C:\WINDOWS\TEMP\SQLITE_UERDFVPHHKDKLEW
* C:\WINDOWS\TEMP\SQLITE_SENOH5EVUFHAGNO
* C:\WINDOWS\TEMP\SQLITE_ZQ8RWTOUCXFWRZF
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics


**********************************************************************************************************************************
**********************************************************************************************************************************



DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Owner at 22:46:41.32 on 07/08/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1022.549 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner.YOUR-447023AE6B\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [CTZDetec.exe] "c:\program files\creative\creative media lite\CTZDetec.exe"
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_own~1.you\applic~1\mozilla\firefox\profiles\2a1afzmc.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-29 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-28 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-25 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-28 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-28 40552]
S2 gupdate1ca016f88d82146;Google Update Service (gupdate1ca016f88d82146);c:\program files\google\update\GoogleUpdate.exe [2009-7-10 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-28 34248]

=============== Created Last 30 ================

2009-08-07 21:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure
2009-08-07 21:15 <DIR> --d----- C:\_OTM
2009-08-07 21:07 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-07 19:31 <DIR> --ds---- c:\windows\Cookies
2009-08-07 19:30 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-08-07 19:07 217,088 a------- c:\windows\PEV.exe
2009-08-07 19:07 161,792 a------- c:\windows\SWREG.exe
2009-08-07 19:07 98,816 a------- c:\windows\sed.exe
2009-07-19 18:00 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-07-19 18:00 44,032 -------- c:\windows\system32\CTSVCCDA.EXE
2009-07-19 18:00 25,088 -------- c:\windows\system32\CTSVCCTL.EXE
2009-07-15 22:23 <DIR> --d----- c:\program files\Jufsoft
2009-07-12 17:52 25 a------- c:\windows\cdplayer.ini
2009-07-12 17:24 <DIR> --d----- c:\program files\common files\xing shared
2009-07-09 13:25 <DIR> --ds---- c:\documents and settings\hp_owner.your-447023ae6b\UserData

==================== Find3M ====================

2009-08-07 21:06 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-18 17:20 3,062,272 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 17:20 3,062,272 a------- c:\windows\system32\dllcache\cache\mshtml.dll
2009-07-18 17:20 1,506,304 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-29 15:13 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-29 15:13 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-28 15:38 1,834 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EC641AA-ABU t3145.uk_YC_0Pavi_QCZB540_E53GBheBLU4_47_IAMETHYST-M_SMSI_V1.0_B3.34_T050831_WXH2_L409_M1023_J250_7AMD_8Athlon 64_92.19_#081022_N10EC8139_Z11C1048C_G10DE0161_OLITE-ON DVDRW SOHW-1633S.MRK
2009-06-28 15:35 160 a------- c:\docume~1\hp_own~1.you\applic~1\wklnhst.dat
2009-06-22 12:38 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-06-16 15:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 20:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 20:27 1,290,752 a------- c:\windows\system32\dllcache\quartz.dll
2006-05-19 16:00 32 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 22:47:48.12 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 28/06/2009 15:36:43
System Uptime: 08/07/2009 21:16:32 (721 hours ago)

Motherboard: MSI | | AMETHYST-M
Processor: AMD Athlon™ 64 Processor 3700+ | Socket 939 | 2188/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 186.828 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.349 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP33: 07/08/2009 19:07:28 - Software Distribution Service 3.0
RP34: 07/08/2009 21:04:40 - Removed J2SE Runtime Environment 5.0
RP35: 07/08/2009 21:05:40 - Removed Java™ 6 Update 13
RP36: 07/08/2009 21:06:53 - Installed Java™ 6 Update 15
RP37: 07/08/2009 21:10:24 - Removed Adobe Reader 6.0.1
RP38: 07/08/2009 21:11:09 - Removed Adobe Acrobat - Reader 6.0.2 Update

==== Installed Programs ======================

Ad-Aware
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
AutoUpdate
BufferChm
CameraDrivers
Choice Guard
Copy
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
Creative Media Lite
Creative Software Update
Creative ZEN Stone Plus User's Guide
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Destinations
Director
DivX Codec
DivX Version Checker
DivX Web Player
DocProc
DocumentViewer
Easy Internet Sign-up
EPSON Copy Utility 3
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
Fax
Google Earth
Google Update Helper
Google Updater
Help and Support Additions
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Deskjet Printer Preload
HP Help and Support 4.0
HP Image Zone 4.8.6
HP Image Zone Plus 4.8.6
HP Photosmart Cameras 4.5
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPIZplus450
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
InterVideo WinDVD Player
iTunes
Java™ 6 Update 15
KBD
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox (3.0.11)
Mozilla Thunderbird (2.0.0.22)
MSVCRT
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
PanoStandAlone
PC-Doctor for Windows
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
PrintScreen
PS2
PSPrinters06
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QFolder
QuickProjects
QuickTime
Readme
RealPlayer
Recover My Files
Scan
ScannerCopy
ScanToWeb
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Segoe UI
SkinsHP1
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spotify
Spybot - Search & Destroy
TrayApp
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
ZipGenius 6 (6.0.3.1140)

==== Event Viewer Messages From Past Week ========

07/08/2009 21:15:57, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 21:15:57, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 21:15:57, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07/08/2009 21:15:57, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07/08/2009 21:15:57, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
07/08/2009 21:15:56, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 21:15:56, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 21:15:56, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 21:15:56, error: Service Control Manager [7034] - The CT Device Query service service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 21:15:56, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 21:15:56, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07/08/2009 21:15:56, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07/08/2009 21:15:56, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07/08/2009 21:15:56, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
07/08/2009 21:05:05, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
07/08/2009 21:02:51, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
07/08/2009 19:29:05, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
07/08/2009 19:25:41, error: Service Control Manager [7034] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 19:06:56, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
07/08/2009 17:50:04, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate1ca016f88d82146) service to connect.
07/08/2009 17:50:04, error: Service Control Manager [7000] - The Google Update Service (gupdate1ca016f88d82146) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
07/08/2009 17:47:54, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
07/08/2009 17:47:42, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
07/08/2009 17:47:41, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
07/08/2009 17:47:19, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
07/08/2009 17:37:14, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

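The Event Viewer section of the DDS log above carries the one detail a responder would pull out first: at 21:15:56-57 the McAfee real-time scanner, firewall, SystemGuards, proxy and network-agent services and the Lavasoft Ad-Aware service all "terminated unexpectedly" within the same second, which is a classic footprint of a rootkit killing security products rather than six independent crashes. The script below is an added example (not part of this thread, not DDS code) that parses lines in the DDS event-viewer format and flags bursts of security-service terminations. The sample log is constructed in that format, the keyword list used to decide which services count as security products is an assumption, and the date format is assumed to be day/month/year as on this UK-locale machine.

```python
"""Flag bursts of security-service crashes in a DDS 'Event Viewer Messages' listing.

Added example: parses lines of the form
  DD/MM/YYYY HH:MM:SS, error: <source> [<event id>] - <message>
and reports clusters of 'service terminated unexpectedly' events (Service Control
Manager event IDs 7031/7034) that hit security products within a short window.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the DDS format (a subset of the kind of lines shown in the log).
SAMPLE_LOG = """\
07/08/2009 21:15:57, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07/08/2009 21:15:57, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
07/08/2009 21:15:56, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
07/08/2009 21:15:56, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
07/08/2009 21:05:05, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
07/08/2009 17:37:14, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
TERMINATED_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
# Assumption: substrings that identify a security product's service on this box.
SECURITY_KEYWORDS = ("mcafee", "ad-aware", "lavasoft", "firewall", "scanner", "antivirus")


def parse_events(text):
    """Parse DDS event-viewer lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # Assumed day/month/year ordering (UK locale in the log header).
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def is_security_service(name):
    lowered = name.lower()
    return any(k in lowered for k in SECURITY_KEYWORDS)


def find_security_service_bursts(events, window=timedelta(seconds=5), min_services=2):
    """Return clusters of security-service crashes whose first and last event lie within `window`."""
    crashes = []
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["event_id"] not in (7031, 7034):
            continue
        m = TERMINATED_RE.match(ev["msg"])
        if m and is_security_service(m.group("svc")):
            crashes.append((ev["ts"], m.group("svc")))
    crashes.sort()  # DDS lists newest first; cluster in chronological order

    bursts, current = [], []
    for ts, svc in crashes:
        if current and ts - current[0][0] > window:
            if len(current) >= min_services:
                bursts.append(current)
            current = []
        current.append((ts, svc))
    if len(current) >= min_services:
        bursts.append(current)
    return [{"start": c[0][0], "services": [s for _, s in c]} for c in bursts]


if __name__ == "__main__":
    for burst in find_security_service_bursts(parse_events(SAMPLE_LOG)):
        print(burst["start"], "->", ", ".join(burst["services"]))
```

On the sample, the single NVIDIA crash and the lone McAfee Scanner crash hours earlier are ignored; only the 21:15:56-57 cluster is reported. Run against the full listing from the log, the same cluster grows to nine security services, which is the signal that the "Generic Rootkit.d" detection was not a false positive.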
#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 PM

Posted 07 August 2009 - 05:09 PM

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

Next

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Congratulations! You now appear clean! :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates is always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :)
Syler


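A blocklist-style hosts file such as the MVPS file recommended above works by mapping unwanted hostnames to 0.0.0.0 or 127.0.0.1, so every entry in it should point at a loopback or unspecified address. The same file is also a favourite target of malware, which adds entries that redirect a real site to an attacker-controlled address or blackholes antivirus update hosts. The script below is an added example (not from this thread, not MVPS code) that parses a hosts file, counts the legitimate block entries, and flags entries that redirect rather than block or that block a domain the owner wants reachable. The sample hosts content and the list of protected domains are constructed for the example.

```python
"""Audit a Windows-style hosts file: count block entries, flag redirects and blocked protected domains.

Added example. A hosts line is '<address> <hostname> [<hostname>...]' with '#' comments.
An entry 'blocks' a name when its address is loopback (127.0.0.1, ::1) or unspecified
(0.0.0.0); any other address is a redirect, which a blocklist file never needs.
"""
import ipaddress

# Constructed sample, not the real MVPS file; the last two lines are hypothetical tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.doubleclick.example          # constructed block entry
0.0.0.0 tracker.example.net
127.0.0.1 banners.example.org
203.0.113.7 update.antivirus-vendor.example   # constructed: redirect to a non-loopback host
0.0.0.0 www.bank.example                      # constructed: blackholes a site the owner needs
"""

# Assumption: domains the machine owner expects to stay reachable (e.g. AV update hosts, a bank).
PROTECTED_DOMAINS = ("antivirus-vendor.example", "bank.example")


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blank lines and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs


def is_block_address(addr):
    """True for 0.0.0.0 / 127.0.0.1 / ::1 style addresses; False for routable ones or junk."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def matches_protected(host, protected):
    return any(host == d or host.endswith("." + d) for d in protected)


def audit_hosts(text, protected=PROTECTED_DOMAINS):
    """Summarise a hosts file from a defender's point of view."""
    result = {"entries": 0, "blocked": 0, "redirects": [], "protected_blocked": [], "invalid": []}
    for addr, host in parse_hosts(text):
        result["entries"] += 1
        if host == "localhost":
            continue  # the stock loopback line is expected
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            result["invalid"].append((addr, host))
            continue
        if is_block_address(addr):
            result["blocked"] += 1
            if matches_protected(host, protected):
                result["protected_blocked"].append(host)
        else:
            result["redirects"].append((addr, host))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['blocked']} block entries out of {report['entries']}")
    for addr, host in report["redirects"]:
        print("REDIRECT (should not appear in a blocklist):", host, "->", addr)
    for host in report["protected_blocked"]:
        print("PROTECTED DOMAIN BLOCKED:", host)
```

Running it on a freshly installed MVPS file should report many block entries and empty `redirects` and `protected_blocked` lists; either list being non-empty after an infection like the one in this thread is worth a second look, since a redirected update host is exactly how malware keeps an antivirus from fetching new definitions.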

#10 dlupin

dlupin
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:32 PM

Posted 07 August 2009 - 05:17 PM

thank you

bye

#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:32 PM

Posted 07 August 2009 - 05:20 PM

You're welcome :thumbup2:

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
