Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: PHP Deserialization Issue Left Unfixed in WordPress CMS

Featured Deal: This Free Course Lets You Achieve Digital Transformation for Your Company

Remains of TDSS Rootkit Infection and Multiple Bad Image Errors

Started by Techless85 , Aug 22 2009 11:59 AM

This topic is locked

16 replies to this topic

#1 Techless85

Members
10 posts
OFFLINE

Local time:09:42 AM

Posted 22 August 2009 - 11:59 AM

Hello.

I originally posted this in the Operating Systems Forum and was told by Blade Zephon I would be better served by reposting here. He said it sounded like the remains of the TDSS rootkit infection.

I recently was infected with a browser hijacker that would redirect me whenever I used a search engine. I also had a virus that would pretend to run anti-virus software and show false positives. At a friend's suggestion, I downloaded and ran Malewarebytes and Advanced System Care. These two programs seem to have solved the malware problem.

However, now when I turn my computer on or click on a program, I get Bad Image Errors. They do not stop the computer or program from running, so this is more of an annoyance than a critical problem in my mind (hopefully its not something worse than that). Any help is appreciated!

Update: when I ran DDS, I was swarmed by these Bad Image Errors. I had to click through what felt like a couple hundred before the log reports for DDS showed up.

Here's the DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Bfadley St. Pierre at 12:29:18.53 on Sat 08/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1175 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bfadley St. Pierre\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080622
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080622
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bfadle~1.pie\applic~1\mozilla\firefox\profiles\0i56e6sc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-22 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-22 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-22 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-22 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-22 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-22 40552]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-6-22 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-6-22 7424]
S2 mdnlvijx;mdnlvijx;c:\windows\system32\drivers\buhrphcm.sys --> c:\windows\system32\drivers\buhrphcm.sys [?]
S3 OEM002Srv;Creative OEM002 RunApp Service;c:\windows\system32\OEM02Srv.exe [2008-6-22 24576]

=============== Created Last 30 ================

2009-08-19 12:13 <DIR> --d----- c:\program files\IObit
2009-08-19 12:13 <DIR> --d----- c:\docume~1\bfadle~1.pie\applic~1\IObit
2009-08-17 00:54 2,092 a------- c:\windows\wininit.ini
2009-08-16 23:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-16 23:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-16 18:57 61,440 a------- c:\windows\system32\drivers\jxji.sys
2009-08-15 12:59 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-14 23:34 <DIR> --d----- c:\docume~1\bfadle~1.pie\applic~1\Malwarebytes
2009-08-14 22:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 22:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-14 22:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 22:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-14 19:08 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-14 19:07 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 19:07 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-14 19:07 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 19:07 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-14 19:07 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 19:07 <DIR> --d----- C:\6156464c810dbbf6fd60
2009-08-14 19:07 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-14 19:07 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-14 01:16 20,480 -------- c:\windows\system32\SKYNETrhphhbjw.dll
2009-08-14 01:16 70,656 -------- c:\windows\system32\drivers\SKYNETmsptxjbv.sys
2009-08-14 01:16 44,544 -------- c:\windows\system32\SKYNETcgswapja.dll
2009-08-11 22:03 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:03 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-22 08:47 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-08-21 10:48 56,680 a------- c:\windows\system32\rpcnet.dll
2009-08-16 23:57 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 07:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-24 07:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-02 06:12 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2008-07-20 12:37 1,844 a------- c:\docume~1\bfadle~1.pie\applic~1\install.dat
2008-06-22 16:01 76 ---shr-- c:\windows\CT4CET.bin
2008-09-05 10:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 12:37:52.32 ===============

Attached Files

Attach.txt 15.25KB 4 downloads
ark.txt.txt 3.74KB 10 downloads

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 thcbytes

Malware Response Team
14,790 posts
OFFLINE

Gender:Male
Local time:08:42 AM

Posted 03 September 2009 - 06:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Techless85

Topic Starter

Members
10 posts
OFFLINE

Local time:09:42 AM

Posted 10 September 2009 - 08:57 PM

Thanks for replying thcbytes. Sorry for my late response. I was on vacation all last week and thus was not anywhere near my computer. Anyway, the problem with the "Bad Image" errors persists. Once again, there were many of them when I ran DDS. Any help is appreciated.

I've pasted and attached the new DDS logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Bfadley St. Pierre at 21:46:51.85 on Thu 09/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1361 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bfadley St. Pierre\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080622
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080622
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bfadle~1.pie\applic~1\mozilla\firefox\profiles\0i56e6sc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-22 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-22 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-22 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-22 40552]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-6-22 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-6-22 7424]
S2 0217451252595900mcinstcleanup;McAfee Application Installer Cleanup (0217451252595900);c:\windows\temp\021745~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\021745~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 mdnlvijx;mdnlvijx;c:\windows\system32\drivers\buhrphcm.sys --> c:\windows\system32\drivers\buhrphcm.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-22 34248]
S3 OEM002Srv;Creative OEM002 RunApp Service;c:\windows\system32\OEM02Srv.exe [2008-6-22 24576]

=============== Created Last 30 ================

2009-09-09 07:54 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-08-22 12:25 4,194,380 a------- c:\windows\pfirewall.log.old
2009-08-19 12:13 <DIR> --d----- c:\program files\IObit
2009-08-19 12:13 <DIR> --d----- c:\docume~1\bfadle~1.pie\applic~1\IObit
2009-08-17 00:54 2,092 a------- c:\windows\wininit.ini
2009-08-16 23:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-16 23:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-16 18:57 61,440 a------- c:\windows\system32\drivers\jxji.sys
2009-08-15 12:59 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-14 23:34 <DIR> --d----- c:\docume~1\bfadle~1.pie\applic~1\Malwarebytes
2009-08-14 22:43 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 22:43 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-14 22:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 22:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-14 19:08 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-14 19:07 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-14 19:07 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-14 19:07 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-14 19:07 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-14 19:07 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-14 19:07 <DIR> --d----- C:\6156464c810dbbf6fd60
2009-08-14 19:07 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-14 19:07 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-11 22:03 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:03 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-09-10 18:11 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-09-10 18:11 56,680 a------- c:\windows\system32\rpcnet.dll
2009-08-16 23:57 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-16 12:32 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 07:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-22 02:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2008-07-20 12:37 1,844 a------- c:\docume~1\bfadle~1.pie\applic~1\install.dat
2008-06-22 16:01 76 ---shr-- c:\windows\CT4CET.bin
2008-09-05 10:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 21:51:53.92 ===============

Attached Files

Attach.txt 13.63KB 4 downloads

#4 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:02:42 PM

Posted 12 September 2009 - 09:27 PM

Hi Techless85,

My name is Syler, and I will be helping you to solve your Malware issues.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.

Peer-to-Peer Programs Warning
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case µTorrent). These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

#5 Techless85

Topic Starter

Members
10 posts
OFFLINE

Local time:09:42 AM

Posted 13 September 2009 - 09:53 AM

Hi Syler, thanks for replying. After reading the information you provided, I have a few questions.

How severe is my infection and how at risk am I if I choose not to reformat?

If I reformat, what will my risk be if I choose to save all my documents in the My Documents Folder? Surely the virus can't be housed there, can it? What do I generally need to reformat my computer? Just the Operations Disc, the XP Office Disc, and the manual?

Thanks again!

#6 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:02:42 PM

Posted 13 September 2009 - 10:35 PM

You are at the same risk as everyone else who has a rootkit infection, I can not really grade your risk, it is just down to whether you think you could trust your machine
again after having an infection that has had full control of your machine. If you put alot of personal data on your machine and do financial transactions on it, then you
would definitely be best to reformat.

If you were going to back up everything from your My Documents Folder, I would recommend that you go through the files individually, as I can not guarantee that no
malware has been placed in this folder.

If you want to reformat you will need any XP CD's you have, you may also need a drivers disk if one came with it, although most of the time drivers can be downloaded
from the net, but you would be best checking before you started.

Let me no what you decide to do, or if you have any other questions.

Thanks

#7 Techless85

Topic Starter

Members
10 posts
OFFLINE

Local time:09:42 AM

Posted 15 September 2009 - 10:38 AM

After thinking about it for a bit, I believe a reformat would be best.

When looking through My Documents, should I just be looking for anything that I didn't put there? Should I set my settings to view hidden files and check those as well?

What should I do to prevent immediate reinfection once I reformat. Thanks for the help thusfar. You've been great.

#8 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:02:42 PM

Posted 16 September 2009 - 12:10 AM

If you have not chosen to hide any files in the My Documents folder or subfolders then their is no real need to check for them, if you do you will find that
their are some legitimate hidden files in these folders. I would suggest that you just go through these folders and just back up anything that you know is
yours and you want to keep.

To stop any chance of reinfection you should make sure that you stay disconnected from the internet, until you have an Anti Virus installed and all your
Windows patches are up to date, This may or may not be possible depending on what windows disk you have.

If you have an original Windows XP disk you can follow this guide to make a windows XP disk with SP3 on it, so you will have the latest Service Pack
as soon as you reinstall. If however you have an OEM disk, you will need to connect to the internet to install up to SP3 once you have reinstalled,
just make sure you have an Anti Virus installed.

Let me no if you have any other questions.

#9 Techless85

Topic Starter

Members
10 posts
OFFLINE

Local time:09:42 AM

Posted 16 September 2009 - 07:40 PM

Ok, so I have reformatted my computer using the Dell PC Restore function I found in my manual. This function restores the computer to factory defaults. I am happy to say that the symptoms of my problem (the Bad Image errors) are nowhere to be found. I've updated McAfee and installed XP Service Pack 3. Am I all set or should I do another scan with DDS and post another log?

#10 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:02:42 PM

Posted 16 September 2009 - 11:17 PM

Im not sure that the Dell Restore function is the same as reformatting, if it just replaces the system files, like a repair install
then this will not have got rid of the malware. Plase post a new DDS log.

#11 Techless85

Topic Starter

Members
10 posts
OFFLINE

Local time:09:42 AM

Posted 17 September 2009 - 08:45 PM

Here's the new DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Bradley St. Pierre at 21:42:15.98 on Thu 09/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1535 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Bradley St. Pierre\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080622
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080622
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-22 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-22 358224]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-22 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-22 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-22 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-22 40488]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-6-22 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-6-22 7424]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-22 33832]

=============== Created Last 30 ================

2009-09-17 20:18 69 a------- C:\buildbu.bat
2009-09-16 22:41 <DIR> --d----- c:\program files\DivX
2009-09-16 22:41 <DIR> --d----- c:\program files\common files\DivX Shared
2009-09-16 22:14 <DIR> --d----- C:\Temp
2009-09-16 22:11 <DIR> --d----- c:\windows\LoJackInstaller
2009-09-16 22:07 <DIR> --d----- c:\docume~1\bradle~1.pie\applic~1\Absolute
2009-09-16 22:04 <DIR> --dsh--- c:\documents and settings\bradley st. pierre\IECompatCache
2009-09-16 22:00 <DIR> --dsh--- c:\documents and settings\bradley st. pierre\PrivacIE
2009-09-16 21:59 <DIR> --dsh--- c:\documents and settings\bradley st. pierre\IETldCache
2009-09-16 21:58 <DIR> --d----- c:\windows\ie8updates
2009-09-16 21:55 <DIR> -cd-h--- c:\windows\ie8
2009-09-16 21:53 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
2009-09-16 21:53 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-09-16 21:53 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-09-16 21:53 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-16 21:53 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-09-16 21:53 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-09-16 21:26 <DIR> --d----- c:\windows\system32\scripting
2009-09-16 21:26 <DIR> --d----- c:\windows\l2schemas
2009-09-16 21:26 <DIR> --d----- c:\windows\system32\en
2009-09-16 21:26 <DIR> --d----- c:\windows\system32\bits
2009-09-16 21:24 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-16 21:22 <DIR> --d----- c:\windows\network diagnostic
2009-09-16 21:19 <DIR> --d----- c:\windows\EHome
2009-09-16 21:10 685,056 -------- c:\windows\system32\drivers\hsfcxts2.sys
2009-09-16 21:05 <DIR> --ds---- c:\documents and settings\bradley st. pierre\UserData
2009-09-16 20:52 4,128 a------- C:\INFCACHE.1
2009-09-16 20:41 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-09-16 20:41 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-09-16 20:41 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-09-16 20:34 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-09-16 20:34 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-09-16 20:32 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-16 20:32 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-09-16 20:31 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-16 20:31 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-09-16 20:25 <DIR> --d----- c:\windows\system32\PreInstall
2009-09-16 20:19 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-16 20:04 1,844 a------- c:\docume~1\bradle~1.pie\applic~1\install.dat
2009-09-16 20:04 <DIR> --d----- c:\documents and settings\Bradley St. Pierre
2009-09-16 20:01 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-09-16 20:00 8,192 a------- c:\windows\REGLOCS.OLD
2009-09-16 19:59 17,408 a------- c:\windows\system32\rpcnetp.exe

==================== Find3M ====================

2009-09-16 22:11 51,200 a------- c:\windows\system32\rpcnet.exe
2009-09-16 21:28 77,803 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 00:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-29 00:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-29 00:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-22 02:44 726,528 -------- c:\windows\system32\dllcache\jscript.dll
2008-06-22 16:01 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 21:42:51.25 ===============

Attached Files

Attach.txt 6.36KB 2 downloads

#12 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:02:42 PM

Posted 18 September 2009 - 03:57 AM

Techless85,

The Dell PC Restore has not formatted your machine, so you may still be in the same situation.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply .

Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next

We need to scan for Rootkits with GMER

Please download GMER from one of the following locations, and save it to your desktop:
- Main Mirror
  This version will download a randomly named file (Recommended)
- Zip Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Disconnect from the Internet and close all running programs, as this process may crash your computer.
Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
Double click on Gmer to run it.
Allow the gmer.sys driver to load if asked.
You may see a rootkit warning window, If you do, click No.
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.

Please post back here with the following logs:

MBAM log
Gmer log

Thanks

#13 Techless85

Topic Starter

Members
10 posts
OFFLINE

Local time:09:42 AM

Posted 20 September 2009 - 02:14 PM

Here's the logs you requested.

Malewarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 2831
Windows 5.1.2600 Service Pack 3

9/20/2009 2:15:02 PM
mbam-log-2009-09-20 (14-15-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138239
Time elapsed: 25 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-20 15:10:38
Windows 5.1.2600 Service Pack 3
Running: uy0e85gs.exe; Driver: C:\DOCUME~1\BRADLE~1.PIE\LOCALS~1\Temp\pwldqpob.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8D579AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA8D57A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8D57958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA8D5796C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA8D57A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA8D57A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA8D57AEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA8D57AD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8D579EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA8D57B1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA8D57A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8D57930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8D57944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8D579BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA8D57B57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA8D57AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA8D57AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA8D57A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA8D57B43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA8D57B2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8D57996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8D57982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8D57A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8D57A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA8D57B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8D57A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8D579D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A8D579D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A8D579AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A8D579EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A8D57A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A8D579C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP A8D57934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP A8D57948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP A8D57986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 2 Bytes JMP A8D57970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx + 3 805D1145 4 Bytes [78, 28, 90, 90] {JS 0x2a; NOP ; NOP }
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP A8D5795C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP A8D5799A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP A8D57A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP A8D57AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP A8D57A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP A8D57B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP A8D57AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP A8D57A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP A8D57A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP A8D57A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP A8D57A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 7 Bytes JMP A8D57AF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 7 Bytes JMP A8D57ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP A8D57A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP A8D57B5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625168 5 Bytes JMP A8D57B33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585C 5 Bytes JMP A8D57B47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP A8D57B1F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C170 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1F0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 030D0FEF
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 030D0F68
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 030D0F8D
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 030D0F9E
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 030D005B
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 030D0FCD
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 030D0084
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 030D0F3C
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 030D009F
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 030D0F06
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 030D00B0
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 030D004A
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreateFileW 7C810800 3 Bytes JMP 030D0014
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreateFileW + 4 7C810804 1 Byte [86]
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreatePipe 7C81D83F 3 Bytes JMP 030D0F57
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreatePipe + 4 7C81D843 1 Byte [86]
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 030D0FDE
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 030D002F
.text C:\WINDOWS\Explorer.EXE[140] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 030D0F21
.text C:\WINDOWS\Explorer.EXE[140] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 030C0FDB
.text C:\WINDOWS\Explorer.EXE[140] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 030C0073
.text C:\WINDOWS\Explorer.EXE[140] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 030C002C
.text C:\WINDOWS\Explorer.EXE[140] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 030C001B
.text C:\WINDOWS\Explorer.EXE[140] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 030C0FB6
.text C:\WINDOWS\Explorer.EXE[140] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 030C0000
.text C:\WINDOWS\Explorer.EXE[140] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 030C0058
.text C:\WINDOWS\Explorer.EXE[140] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 030C0047
.text C:\WINDOWS\Explorer.EXE[140] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 030B0038
.text C:\WINDOWS\Explorer.EXE[140] msvcrt.dll!system 77C293C7 5 Bytes JMP 030B0FAD
.text C:\WINDOWS\Explorer.EXE[140] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 030B0FE3
.text C:\WINDOWS\Explorer.EXE[140] msvcrt.dll!_open 77C2F566 5 Bytes JMP 030B0000
.text C:\WINDOWS\Explorer.EXE[140] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 030B0FC8
.text C:\WINDOWS\Explorer.EXE[140] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 030B0011
.text C:\WINDOWS\Explorer.EXE[140] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 03090000
.text C:\WINDOWS\Explorer.EXE[140] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 03090011
.text C:\WINDOWS\Explorer.EXE[140] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 03090022
.text C:\WINDOWS\Explorer.EXE[140] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 03090FC7
.text C:\WINDOWS\Explorer.EXE[140] WS2_32.dll!socket 71AB4211 5 Bytes JMP 030A0FE5
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070073
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F48
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700EB
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F37
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700D0
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060091
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060076
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060065
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005004B
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 0005003A
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FD4
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050029
.text C:\WINDOWS\system32\services.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F41
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F52
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F79
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0078
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F30
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0EFA
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F15
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00A4
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0089
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC005B
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0F9A
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0FAB
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FCD
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FBC
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\system32\lsass.exe[916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0256000A
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02560F94
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02560093
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02560082
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02560FB9
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02560FD4
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025600AE
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02560F66
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02560F15
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02560F3A
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025600C9
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02560065
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02560025
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02560F83
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02560036
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02560FE5
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02560F4B
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02550FD4
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02550065
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02550025
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02550014
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02550FA8
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02550FEF
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0255004A
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02550FC3
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02540FCD
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 02540058
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02540022
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02540000
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02540033
.text C:\WINDOWS\system32\svchost.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02540011
.text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02530FEF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F72
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F83
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE005D
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FA8
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F3C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0F57
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE009F
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F10
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE0EEB
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0082
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0014
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0F21
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD0FB9
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD0F79
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD000A
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD0036
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CD0F9E
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 88]
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD0025
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC0FA1
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC002C
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC0FC6
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EB0065
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EB0F7A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EB0F97
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EB004A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EB00A7
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EB0080
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB00D3
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EB0F3A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EB0F1F
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EB0FA8
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EB0F55
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EB00C2
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EA004A
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EA0FCA
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EA0F8D
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EA002F
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EA0FA8
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90051
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90FBC
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90FD7
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\svchost.exe[1144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90011
.text C:\WINDOWS\system32\svchost.exe[1144] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 035C0000
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 035C0F58
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 035C0F69
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 035C0F7A
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 035C0F97
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 035C0FC3
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 035C0F2A
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 035C0072
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 035C0F0F
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 035C00A8
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 035C00B9
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 035C0FA8
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 035C001B
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 035C0F47
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 035C0FD4
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 035C0FE5
.text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 035C008D
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 035B002C
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 035B0FA5
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 035B0011
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 035B0000
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 035B0062
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 035B0FE5
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 035B0FC0
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [7B, 8B] {JNP 0xffffffffffffff8d}
.text C:\WINDOWS\System32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 035B003D
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 035A0044
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!system 77C293C7 5 Bytes JMP 035A0FB9
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 035A0FDE
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 035A0FEF
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 035A0033
.text C:\WINDOWS\System32\svchost.exe[1184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 035A0018
.text C:\WINDOWS\System32\svchost.exe[1184] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03590000
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 0357000A
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 03570FEF
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 03570025
.text C:\WINDOWS\System32\svchost.exe[1184] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 03570040
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008F006C
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008F005B
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008F0F8D
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008F0F9E
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008F0FC3
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008F0F46
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008F0098
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008F00D5
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008F00BA
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008F00E6
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008F0040
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008F000A
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008F007D
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008F0FD4
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008F0025
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008F00A9
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E001B
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E0062
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E0FCA
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008E0051
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008E0FE5
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008E0FAF
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AE, 88]
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008E002C
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008D0053
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!system 77C293C7 5 Bytes JMP 008D002E
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008D0FD2
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008D001D
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008D000C
.text C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008C0FE5
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B400BD
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40098
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40087
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40076
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B4004A
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40F7F
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40F9C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F46
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B400E9
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B40104
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B4005B
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40FAD
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40039
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B4001E
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B400D8
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B30FD4
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30040
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B30025
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B30F83
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B30F9E
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D3, 88]
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B30FAF
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20040
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20FAB
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B2001B
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20FC6
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20FD7
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0FAD
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE00A2
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0091
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0080
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE00DA
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE00B3
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F48
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F63
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE0F2D
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F88
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0051
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE00EB
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A3002F
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30F97
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A3005E
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A30FB2
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 88]
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30FC3
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20F9A
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20FC6
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20FB5
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20FE3
.text C:\WINDOWS\system32\svchost.exe[1732] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1732] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1732] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[1732] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[1732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A1000A
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F57
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0056
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0025
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0078
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0067
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A009A
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F0B
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00AB
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[3824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0089
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029005B
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029000A
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029004A
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[3824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB9
.text C:\WINDOWS\System32\svchost.exe[3824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0FBC
.text C:\WINDOWS\System32\svchost.exe[3824] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FCD
.text C:\WINDOWS\System32\svchost.exe[3824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0033
.text C:\WINDOWS\System32\svchost.exe[3824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FDE
.text C:\WINDOWS\System32\svchost.exe[3824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[3824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AB0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A7229D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000189.exe:BAK 22528 bytes executable

---- EOF - GMER 1.0.15 ----

#14 syler

Malware Response Team
8,150 posts
OFFLINE

Gender:Male
Location:Warrington, UK
Local time:02:42 PM

Posted 21 September 2009 - 01:12 AM

Hi,

It looks like somewhere along the way the rootkit has gone lets just clean up some bits and do a final check, let me no in your next reply how the computer is running.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
Click the Download button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
Close any programs you may have running - especially your web browser.

Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Reamove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

You have an outdated version of Adobe Reader, these have vulnerabilities that can be exploited by malware, to get in to your machine. Please follow these
steps to remove older versions of Adobe Reader and download the latest version.

Go to Start >> Settings >> Control Panel, double-click on Add/Remove Programs and remove any older versions of Adobe Reader.

Download the latest version of Adobe Acrobat Reader
Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
Close your Internet browser and open it again.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

Please post back here with the following logs:

Kaspersky report
New DDS log

Thanks

#15 Techless85

Topic Starter

Members
10 posts
OFFLINE

Local time:09:42 AM

Posted 22 September 2009 - 10:25 PM

Here's the logs you requested. Thanks!

DDS:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Bradley St. Pierre at 23:22:10.71 on Tue 09/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1310 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Comical\Comical.exe
C:\Documents and Settings\Bradley St. Pierre\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080622
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080622
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Aim6]
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /Get1noarp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bradle~1.pie\applic~1\mozilla\firefox\profiles\l0kcjdg2.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-22 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-22 358224]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-22 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-20 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-22 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-22 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-22 40488]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-6-22 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-6-22 7424]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-22 33832]

=============== Created Last 30 ================

2009-09-22 21:08 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-22 21:08 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-20 15:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-09-20 15:32 <DIR> --d----- c:\program files\Viewpoint
2009-09-20 15:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-09-20 15:32 <DIR> --d----- c:\program files\common files\AOL
2009-09-20 15:32 <DIR> --d----- c:\program files\AIM6
2009-09-20 15:31 361 a---h--- C:\IPH.PH
2009-09-20 13:48 <DIR> --d----- c:\docume~1\bradle~1.pie\applic~1\Malwarebytes
2009-09-20 13:48 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 13:48 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-20 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-20 13:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 11:39 <DIR> --d----- c:\program files\common files\xing shared
2009-09-20 11:39 <DIR> --d----- c:\program files\common files\Real
2009-09-17 23:39 <DIR> --d----- c:\program files\Comical
2009-09-17 23:13 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-09-17 23:13 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-09-17 23:13 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-09-17 23:13 10,368 a------- c:\windows\system32\dllcache\hidusb.sys
2009-09-17 22:37 <DIR> --d----- c:\program files\uTorrent
2009-09-17 22:36 <DIR> --d----- c:\docume~1\bradle~1.pie\applic~1\uTorrent
2009-09-16 22:41 <DIR> --d----- c:\program files\DivX
2009-09-16 22:41 <DIR> --d----- c:\program files\common files\DivX Shared
2009-09-16 22:14 <DIR> --d----- C:\Temp
2009-09-16 22:11 <DIR> --d----- c:\windows\LoJackInstaller
2009-09-16 22:07 <DIR> --d----- c:\docume~1\bradle~1.pie\applic~1\Absolute
2009-09-16 22:04 <DIR> --dsh--- c:\documents and settings\bradley st. pierre\IECompatCache
2009-09-16 22:00 <DIR> --dsh--- c:\documents and settings\bradley st. pierre\PrivacIE
2009-09-16 21:59 <DIR> --dsh--- c:\documents and settings\bradley st. pierre\IETldCache
2009-09-16 21:58 <DIR> --d----- c:\windows\ie8updates
2009-09-16 21:55 <DIR> -cd-h--- c:\windows\ie8
2009-09-16 21:53 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
2009-09-16 21:53 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-09-16 21:53 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-09-16 21:53 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-16 21:53 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-09-16 21:53 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-09-16 21:26 <DIR> --d----- c:\windows\system32\scripting
2009-09-16 21:26 <DIR> --d----- c:\windows\l2schemas
2009-09-16 21:26 <DIR> --d----- c:\windows\system32\en
2009-09-16 21:26 <DIR> --d----- c:\windows\system32\bits
2009-09-16 21:24 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-16 21:22 <DIR> --d----- c:\windows\network diagnostic
2009-09-16 21:19 <DIR> --d----- c:\windows\EHome
2009-09-16 21:10 685,056 -------- c:\windows\system32\drivers\hsfcxts2.sys
2009-09-16 21:05 <DIR> --dsh--- c:\documents and settings\bradley st. pierre\UserData
2009-09-16 20:52 4,128 a------- C:\INFCACHE.1
2009-09-16 20:41 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-09-16 20:41 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-09-16 20:41 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-09-16 20:34 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-09-16 20:34 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-09-16 20:32 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-16 20:32 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-09-16 20:31 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-16 20:31 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-09-16 20:25 <DIR> --d----- c:\windows\system32\PreInstall
2009-09-16 20:19 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-16 20:04 1,844 a------- c:\docume~1\bradle~1.pie\applic~1\install.dat
2009-09-16 20:04 <DIR> --d----- c:\documents and settings\Bradley St. Pierre
2009-09-16 20:01 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-09-16 20:00 8,192 a------- c:\windows\REGLOCS.OLD
2009-09-16 19:59 17,408 a------- c:\windows\system32\rpcnetp.exe

==================== Find3M ====================

2009-09-22 21:18 51,200 a------- c:\windows\system32\rpcnet.dll
2009-09-20 11:39 499,712 a------- c:\windows\system32\msvcp71.dll
2009-09-20 11:39 348,160 a------- c:\windows\system32\msvcr71.dll
2009-09-16 22:11 51,200 a------- c:\windows\system32\rpcnet.exe
2009-09-16 21:28 77,803 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 00:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-29 00:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-29 00:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 20:15 90,112 a------- c:\windows\system32\dpl100.dll
2009-07-13 20:15 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-07-13 20:15 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-07-13 20:15 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-07-13 20:15 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-07-13 20:15 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-07-13 20:15 685,056 a------- c:\windows\system32\DivX.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2008-06-22 16:01 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 23:22:41.04 ===============

Kaspersky:

Tuesday, September 22, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 23, 2009 03:38:34
Records in database: 2870449

Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Objects scanned 59913
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 01:08:21

No threats found. Scanned area is clean.
Selected area has been scanned.