
Infected with Rootkit - Please Help!


  • This topic is locked
13 replies to this topic

#1 sjwilson

sjwilson

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 28 October 2009 - 10:23 PM

Hello. Two days ago I began having problems where I was unable to open Internet Explorer, or Malwarebytes, or Spybot, or ANYTHING related to scanning or fixing this PC. I have been reading quite a bit regarding the rootkit infection, and scans performed from my thumb drive reveal that I have 'root kit activity' on my PC. I have been able to run Malwarebytes, like I said, from my memory stick, but nothing from my PC.

Following your preparation guide, I was able to download and execute the DDS tool, and I have attached the log below. RootRepeal was another story. The download went fine, but upon execution I received a message "Error - invalid PE image found!" and then the PC rebooted.

I have not executed any other SW, as I have read other posts recommending that I don't until instructed.

Any help here would be most appreciated, and thanks in advance.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Steve at 21:54:33.70 on Wed 10/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.386 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DU Meter\DUMeter.exe
svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Steve\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089FD14D-132B-48FC-8861-0048AE113215} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [DU Meter] c:\program files\du meter\DUMeter.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "h:\fixme\explorer.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-29 210216]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\NVTUNEP.SYS [2008-3-31 15968]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\NVTVSND.SYS [2008-3-31 13776]
S2 0156431256778360mcinstcleanup;McAfee Application Installer Cleanup (0156431256778360);c:\windows\temp\015643~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\015643~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]

=============== Created Last 30 ================

2009-10-29 01:17:02 0 dcsha-r- C:\cmdcons
2009-10-28 01:49:25 98816 -c--a-w- c:\windows\sed.exe
2009-10-28 01:49:25 77312 -c--a-w- c:\windows\MBR.exe
2009-10-28 01:49:25 236544 -c--a-w- c:\windows\PEV.exe
2009-10-28 01:49:25 161792 -c--a-w- c:\windows\SWREG.exe
2009-10-28 01:41:52 0 dc----w- C:\Combo-Fix
2009-10-21 01:12:23 54156 -c-ha-w- c:\windows\QTFont.qfn
2009-10-21 01:12:23 1409 -c--a-w- c:\windows\QTFont.for
2009-10-20 05:18:48 0 dc----w- c:\program files\LoudSpeaker LAB 3 Demo
2009-10-03 04:55:14 195440 -c----w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-09-16 15:22:48 79816 -c--a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22:48 40552 -c--a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22:48 35272 -c--a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22:48 214664 -c--a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22:14 34248 -c--a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 -c--a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54:06 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53:50 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 -c--a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 -c----w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 -c----w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 -c--a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33:52 1193832 -c--a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:23:46 274288 -c--a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23:46 215920 -c--a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44:46 2189184 -c----w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 -c----w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 20:07:42 403816 -c--a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07:42 322928 -c--a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07:42 230768 -c--a-w- c:\windows\system32\OGAEXEC.exe
2008-08-23 15:35:48 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 21:54:43.64 ===============



RootRepeal Log.txt
21:56:37: Error - invalid PE image found!
21:56:37: Error - invalid PE image found!



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,581 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:24 PM

Posted 28 October 2009 - 11:55 PM

Hi, sjwilson :(

Welcome.

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here. (Please allow the application to finish. You will know as the last sentence in the report will be "Finished".)

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 sjwilson

sjwilson
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 29 October 2009 - 08:19 AM

Thanks for the reply, JSntgRvr, and thanks for looking into my issue.

I ran Win32kDiag; here is the log. Should I expect something more than this? Other posts I have read with this log yielded more results, so I actually ran it twice but got the same log.

Running from: C:\Documents and Settings\Steve\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Steve\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,581 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:24 PM

Posted 29 October 2009 - 09:05 AM

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 sjwilson

sjwilson
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 30 October 2009 - 06:09 PM

JSntgRvr, sorry this took so long. After the first execution (~10 hours) the system locked and I was unable to save (or do anything, for that matter!), so I executed again. This time it did allow me to save the log. Here are the results:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-30 18:01:17
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\pwroapod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF020878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF0208738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF020874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF02087CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF0208710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF0208724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF020879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF0208776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF0208762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF02087F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF02087E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF02087B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP F02087B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP F020878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74FE 7 Bytes JMP F02087CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8314 5 Bytes JMP F02087E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA96 7 Bytes JMP F02087A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1324 5 Bytes JMP F0208714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15B0 5 Bytes JMP F0208728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE2 5 Bytes JMP F0208766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F8 7 Bytes JMP F0208750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AE 5 Bytes JMP F020873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B8 5 Bytes JMP F020877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB8 5 Bytes JMP F02087FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0090
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0F9B
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0075
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB0FAC
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0033
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB00AB
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F6F
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB0F37
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB00D0
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB00EB
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB004E
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0011
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB0F8A
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0FC7
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0022
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB0F52
.text C:\WINDOWS\Explorer.EXE[396] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA0FAF
.text C:\WINDOWS\Explorer.EXE[396] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA0F79
.text C:\WINDOWS\Explorer.EXE[396] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA000A
.text C:\WINDOWS\Explorer.EXE[396] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\Explorer.EXE[396] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0036
.text C:\WINDOWS\Explorer.EXE[396] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\Explorer.EXE[396] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CA0025
.text C:\WINDOWS\Explorer.EXE[396] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA0F9E
.text C:\WINDOWS\Explorer.EXE[396] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C90F90
.text C:\WINDOWS\Explorer.EXE[396] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C90FA1
.text C:\WINDOWS\Explorer.EXE[396] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C90FCD
.text C:\WINDOWS\Explorer.EXE[396] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\Explorer.EXE[396] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C90FB2
.text C:\WINDOWS\Explorer.EXE[396] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C80000
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C80011
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C8002C
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C80FDB
.text C:\WINDOWS\Explorer.EXE[396] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0096
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0FA1
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE006F
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FB2
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0040
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F6B
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE00A7
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00F0
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00DF
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE010B
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F7C
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\services.exe[580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE00CE
.text C:\WINDOWS\system32\services.exe[580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\services.exe[580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0F9E
.text C:\WINDOWS\system32\services.exe[580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\services.exe[580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\services.exe[580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0FAF
.text C:\WINDOWS\system32\services.exe[580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\services.exe[580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FD0047
.text C:\WINDOWS\system32\services.exe[580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\services.exe[580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FC0FCD
.text C:\WINDOWS\system32\services.exe[580] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FC0058
.text C:\WINDOWS\system32\services.exe[580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FC0029
.text C:\WINDOWS\system32\services.exe[580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\services.exe[580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FC0FDE
.text C:\WINDOWS\system32\services.exe[580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FC0018
.text C:\WINDOWS\system32\services.exe[580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F8D
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0082
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00BA
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA00A9
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F43
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00DC
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00F7
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0014
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F7C
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002F
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\lsass.exe[592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00CB
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90040
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90014
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90F8D
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90F9E
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B9002F
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80FA6
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80031
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FD2
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FC1
.text C:\WINDOWS\system32\lsass.exe[592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B80FE3
.text C:\WINDOWS\system32\lsass.exe[592] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AC0F65
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AC0F80
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AC0058
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AC0047
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AC0011
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AC009C
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AC0075
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC00C1
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AC0F28
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AC0F0D
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AC0036
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AC0FD4
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AC0F4A
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AC0FA5
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AC0F39
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AB0FD1
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AB0058
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AB0022
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AB0011
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AB0F9B
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AB003D
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AB0FB6
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AA0F90
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AA0FAB
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AA0FCD
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AA0FBC
.text C:\WINDOWS\system32\svchost.exe[784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AA0011
.text C:\WINDOWS\system32\svchost.exe[784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0065
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F70
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE004A
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F8D
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE009D
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F55
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F33
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F44
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00DD
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0080
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE002F
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00C2
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0022
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0084
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0069
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD0058
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0F78
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0F89
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FB5
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0F9A
.text C:\WINDOWS\system32\svchost.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FC6
.text C:\WINDOWS\system32\svchost.exe[844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02450FE5
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02450F35
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02450F5A
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02450F6B
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02450F7C
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02450FA8
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0245004F
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02450F13
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02450085
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0245006A
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024500AA
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02450F8D
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02450FD4
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02450F24
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02450FB9
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0245000A
.text C:\WINDOWS\System32\svchost.exe[880] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02450EEC
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02440FB9
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02440F86
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02440FCA
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0244000A
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02440F97
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02440FE5
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02440FA8
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [64, 8A]
.text C:\WINDOWS\System32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02440025
.text C:\WINDOWS\System32\svchost.exe[880] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0243005F
.text C:\WINDOWS\System32\svchost.exe[880] msvcrt.dll!system 77C293C7 5 Bytes JMP 02430FD4
.text C:\WINDOWS\System32\svchost.exe[880] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02430FEF
.text C:\WINDOWS\System32\svchost.exe[880] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02430000
.text C:\WINDOWS\System32\svchost.exe[880] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02430044
.text C:\WINDOWS\System32\svchost.exe[880] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0243001D
.text C:\WINDOWS\System32\svchost.exe[880] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01590000
.text C:\WINDOWS\System32\svchost.exe[880] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01580000
.text C:\WINDOWS\System32\svchost.exe[880] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01580FDB
.text C:\WINDOWS\System32\svchost.exe[880] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0158001B
.text C:\WINDOWS\System32\svchost.exe[880] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01580FCA
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F84
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650F95
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650FB2
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650065
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006500A5
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F5D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500D1
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500B6
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650F1D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650FC3
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00650094
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F38
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640FDE
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640FBC
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0064002F
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640079
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00640054
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640FCD
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630055
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0063003A
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630FE5
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00630029
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FE5
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0066004E
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F59
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0066003D
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0066002C
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660FA5
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0066008B
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660070
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006600C8
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600B7
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00660F14
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660F94
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660FCA
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0066005F
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00660011
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00660000
.text C:\WINDOWS\System32\svchost.exe[972] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006600A6
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650FC7
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650F87
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650022
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00650011
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0065004E
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00650000
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00650FB6
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [85, 88]
.text C:\WINDOWS\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00650033
.text C:\WINDOWS\System32\svchost.exe[972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640FB0
.text C:\WINDOWS\System32\svchost.exe[972] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640031
.text C:\WINDOWS\System32\svchost.exe[972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FC1
.text C:\WINDOWS\System32\svchost.exe[972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FEF
.text C:\WINDOWS\System32\svchost.exe[972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640016
.text C:\WINDOWS\System32\svchost.exe[972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FD2
.text C:\WINDOWS\System32\svchost.exe[972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0F41
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0036
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0025
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0014
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0F97
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0EFF
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0051
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0ECC
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C0EDD
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0080
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0F72
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FDE
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C0F30
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FA8
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FC3
.text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0EEE
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0014
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0F72
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FB9
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0F8D
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B002F
.text C:\WINDOWS\system32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FA8
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FC0
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0055
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A003A
.text C:\WINDOWS\system32\svchost.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A001D
.text C:\WINDOWS\system32\svchost.exe[1056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90000
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B900AE
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B9007D
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B900DC
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B900BF
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B90112
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B900F7
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B9012D
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B9006C
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90011
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F94
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90047
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90036
.text C:\WINDOWS\System32\svchost.exe[1248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90F83
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930051
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009300B3
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930036
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930025
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930098
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930087
.text C:\WINDOWS\System32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093006C
.text C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FB7
.text C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920042
.text C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FD2
.text C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920027
.text C:\WINDOWS\System32\svchost.exe[1248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
.text C:\WINDOWS\System32\svchost.exe[1248] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[1248] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900FDE
.text C:\WINDOWS\System32\svchost.exe[1248] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900014
.text C:\WINDOWS\System32\svchost.exe[1248] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00900039
.text C:\WINDOWS\System32\svchost.exe[1248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F7B
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80FA0
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B8007A
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80069
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80047
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F43
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B8008B
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80EFC
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F17
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B800B0
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80058
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80011
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80F6A
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80036
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\System32\svchost.exe[1832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F28
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70036
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70F9B
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FDB
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70011
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70FB6
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70000
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B70058
.text C:\WINDOWS\System32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70047
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B6001D
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60F9C
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60FAD
.text C:\WINDOWS\System32\svchost.exe[1832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02690000
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02690082
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02690F8D
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02690F9E
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02690FAF
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0269003D
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026900C4
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02690F7C
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02690F46
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026900D5
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02690F2B
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02690FC0
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02690011
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 026900A7
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02690FD1
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0269002C
.text C:\WINDOWS\system32\wuauclt.exe[2016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02690F57
.text C:\WINDOWS\system32\wuauclt.exe[2016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02670FA6
.text C:\WINDOWS\system32\wuauclt.exe[2016] msvcrt.dll!system 77C293C7 5 Bytes JMP 02670027
.text C:\WINDOWS\system32\wuauclt.exe[2016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02670FC1
.text C:\WINDOWS\system32\wuauclt.exe[2016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02670FEF
.text C:\WINDOWS\system32\wuauclt.exe[2016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02670016
.text C:\WINDOWS\system32\wuauclt.exe[2016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02670FDE
.text C:\WINDOWS\system32\wuauclt.exe[2016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0268002F
.text C:\WINDOWS\system32\wuauclt.exe[2016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02680F94
.text C:\WINDOWS\system32\wuauclt.exe[2016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02680FDE
.text C:\WINDOWS\system32\wuauclt.exe[2016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02680014
.text C:\WINDOWS\system32\wuauclt.exe[2016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02680FA5
.text C:\WINDOWS\system32\wuauclt.exe[2016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02680FEF
.text C:\WINDOWS\system32\wuauclt.exe[2016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02680051
.text C:\WINDOWS\system32\wuauclt.exe[2016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02680040
.text C:\WINDOWS\system32\wuauclt.exe[2016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02660FEF
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0090
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B007F
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0062
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FA5
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B003D
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F6D
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00B5
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F30
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F4B
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00DA
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FC0
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F8A
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FDB
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B002C
.text C:\WINDOWS\system32\wuauclt.exe[3292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F5C
.text C:\WINDOWS\system32\wuauclt.exe[3292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F81
.text C:\WINDOWS\system32\wuauclt.exe[3292] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A000C
.text C:\WINDOWS\system32\wuauclt.exe[3292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FB7
.text C:\WINDOWS\system32\wuauclt.exe[3292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\system32\wuauclt.exe[3292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0F9C
.text C:\WINDOWS\system32\wuauclt.exe[3292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\system32\wuauclt.exe[3292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B002C
.text C:\WINDOWS\system32\wuauclt.exe[3292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0084
.text C:\WINDOWS\system32\wuauclt.exe[3292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[3292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\wuauclt.exe[3292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0069
.text C:\WINDOWS\system32\wuauclt.exe[3292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0058
.text C:\WINDOWS\system32\wuauclt.exe[3292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0047

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\UMDF\en-US 0 bytes
File C:\WINDOWS\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui 6656 bytes executable
File C:\WINDOWS\system32\drivers\UMDF\es-ES 0 bytes
File C:\WINDOWS\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui 7168 bytes executable
File C:\WINDOWS\system32\drivers\UMDF\fr-FR 0 bytes
File C:\WINDOWS\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui 6656 bytes executable
File C:\WINDOWS\system32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf 0 bytes
File C:\WINDOWS\system32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf 0 bytes
File C:\WINDOWS\system32\drivers\UMDF\wpdmtpdr.dll 671232 bytes executable
File C:\WINDOWS\system32\drivers\UMDF\ZuneDriver.dll 706048 bytes executable
File C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\USBAAPL.CAT 12090 bytes
File C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\usbaapl.inf 2488 bytes
File C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\usbaapl.sys 30464 bytes executable
File C:\WINDOWS\system32\DRVSTORE\wlphonecv_8800C151E3BB9442F62327FF05F053BF5567B318\WLPhoneCV.cat 7983 bytes
File C:\WINDOWS\system32\DRVSTORE\wlphonecv_8800C151E3BB9442F62327FF05F053BF5567B318\wlphonecv.inf 35868 bytes
File C:\WINDOWS\system32\DRVSTORE\wlphonecv_B88DA7978559975500983DADC0107CF3AA89C14C\WLPhoneCV.cat 10621 bytes
File C:\WINDOWS\system32\DRVSTORE\wlphonecv_B88DA7978559975500983DADC0107CF3AA89C14C\wlphonecv.inf 35940 bytes
File C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx 3866528 bytes executable
File C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx 3979680 bytes
File C:\WINDOWS\system32\Macromed\Flash\flashplayer.xpt 856 bytes
File C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe 257440 bytes executable
File C:\WINDOWS\system32\Macromed\Flash\genuinst.exe 25088 bytes executable
File C:\WINDOWS\system32\Macromed\Flash\install.log 35677 bytes
File C:\WINDOWS\system32\Macromed\Flash\KB923789.inf 5412 bytes
File C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll 3883424 bytes
File C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe 0 bytes
File C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe 88589 bytes executable
File C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe 84661 bytes executable
File C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by sjwilson, 30 October 2009 - 06:11 PM.


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,581 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:24 PM

Posted 30 October 2009 - 06:55 PM

Hi, sjwilson

No sign of malware in those reports.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 sjwilson

sjwilson
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 30 October 2009 - 11:16 PM

JSntgRvr, I'm encouraged to hear that you see no malware in the reports I have provided, yet I wonder why I have not been able to access IE or any of my spyware/malware/virus SW. In an earlier scan I did see a note regarding Rootkit activity, hence my post.

I was able to download Malwarebytes and Combo-Fix and execute them. The results are as follows:

Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 3

10/30/2009 10:48:43 PM
mbam-log-2009-10-30 (22-48-43).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 522138
Time elapsed: 2 hour(s), 26 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{6796c015-03f8-49ff-9b99-016498de2e96}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ComboFix 09-10-30.01 - Steve 10/30/2009 23:00.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.603 [GMT -5:00]
Running from: c:\documents and settings\Steve\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-31 04:05 . 2004-06-03 02:40 79360 -c--a-r- c:\windows\system32\drivers\nvatabus_2.sys
2009-10-29 22:50 . 2009-10-29 22:50 291328 -c--a-w- C:\gmer.exe
2009-10-28 01:41 . 2009-10-28 01:41 -------- dc----w- C:\Combo-Fix
2009-10-27 08:33 . 2009-10-27 08:33 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-21 01:53 . 2009-10-22 02:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-20 06:41 . 2009-10-20 06:41 -------- dc----w- c:\documents and settings\Steve\Application Data\CyberLink
2009-10-20 06:29 . 2009-10-20 06:29 -------- dc----w- c:\documents and settings\All Users\Application Data\Temp
2009-10-20 05:18 . 2009-10-20 05:44 -------- dc----w- c:\program files\LoudSpeaker LAB 3 Demo
2009-10-08 01:44 . 2009-10-08 03:16 -------- dc----w- c:\documents and settings\Erin\Application Data\W Photo Studio Viewer
2009-10-03 04:55 . 2009-10-01 15:29 195440 -c----w- c:\windows\system32\MpSigStub.exe
2009-10-03 03:00 . 2009-10-14 01:04 -------- dc----w- c:\documents and settings\Steve\Local Settings\Application Data\Temp
2009-10-03 02:59 . 2009-10-03 03:02 -------- dc----w- c:\documents and settings\Steve\Local Settings\Application Data\Google
2009-10-03 02:57 . 2009-10-03 02:58 -------- dc----w- c:\documents and settings\Steve\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 04:04 . 2008-11-19 03:41 -------- dc----w- c:\program files\SUPERAntiSpyware
2009-10-31 03:42 . 2008-04-08 22:08 -------- dc----w- c:\program files\McAfee
2009-10-31 01:20 . 2008-12-01 02:18 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 01:05 . 2008-01-26 06:37 74320 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 05:46 . 2008-02-02 17:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-24 04:29 . 2008-01-26 16:57 -------- dc----w- c:\program files\Common Files\Adobe
2009-10-22 19:42 . 2009-09-17 15:36 664 -c--a-w- c:\documents and settings\Erin\Local Settings\Application Data\d3d9caps.tmp
2009-10-22 02:55 . 2008-09-30 03:07 -------- dc----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-21 02:00 . 2008-03-28 03:20 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-21 02:00 . 2008-03-28 03:19 -------- dc----w- c:\program files\Yahoo!
2009-10-21 01:13 . 2008-01-26 15:42 -------- dc----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-10-20 16:03 . 2008-02-26 03:44 74320 -c--a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 06:51 . 2008-01-26 15:37 -------- dc----w- c:\program files\DU Meter
2009-10-20 06:38 . 2008-01-26 06:44 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-10-20 06:36 . 2008-01-26 15:42 -------- dc----w- c:\program files\CyberLink
2009-10-20 06:21 . 2009-07-11 01:24 -------- dc----w- c:\documents and settings\Steve\Application Data\Yahoo!
2009-10-20 01:29 . 2008-06-28 04:54 -------- dc----w- c:\program files\AudioWave20 (Demo)
2009-10-17 05:02 . 2008-02-02 17:17 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-10-17 02:28 . 2008-03-02 03:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-20 09:48 . 2008-01-26 15:51 -------- dc----w- c:\documents and settings\Steve\Application Data\Winamp
2009-09-20 02:13 . 2008-01-26 15:51 -------- dc----w- c:\program files\Winamp
2009-09-16 15:22 . 2008-04-08 22:08 79816 -c--a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2008-04-08 22:08 40552 -c--a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2008-04-08 22:08 35272 -c--a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2008-04-08 22:08 214664 -c--a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2008-04-08 22:08 34248 -c--a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 16:04 . 2009-09-11 16:04 -------- dc----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2009-09-11 14:18 . 2001-08-23 12:00 136192 -c--a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-12-01 02:18 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-01 02:18 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2001-08-23 12:00 58880 -c--a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2001-08-23 12:00 832512 -c----w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-01-26 06:31 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2001-08-23 12:00 17408 -c----w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2001-08-23 12:00 247326 -c--a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 -c--a-w- c:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2008-01-26 06:31 327896 -c--a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2008-01-26 06:31 209632 -c--a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2008-01-26 06:31 35552 -c--a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2007-07-31 01:19 44768 -c--a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2008-01-26 06:13 53472 -c----w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2001-08-23 12:00 96480 -c--a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2008-01-26 06:31 575704 -c--a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-03-02 04:02 274288 -c--a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-03-02 04:02 215920 -c--a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2008-01-26 06:13 1929952 -c--a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2001-08-23 12:00 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2001-08-23 12:00 2189184 -c----w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2001-08-17 13:48 2066048 -c----w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 20:07 . 2009-08-03 20:07 403816 -c--a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 -c--a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 -c--a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-28_02.10.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-29 13:06 . 2009-10-31 03:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-26 06:16 . 2009-10-28 02:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-26 06:16 . 2009-10-31 03:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-26 06:16 . 2009-10-28 02:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-29 13:06 . 2009-10-31 03:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-01-26 06:16 . 2009-10-28 02:09 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-20 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-06-11 83968]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2006-11-27 1582616]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-07-28 323584]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-11-17 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-09 05:08 548352 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 74480]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\NVTUNEP.SYS [3/31/2008 5:16 PM 15968]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\NVTVSND.SYS [3/31/2008 5:16 PM 13776]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/29/2008 8:58 PM 210216]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-492894223-839522115-1003Core.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 02:58]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-492894223-839522115-1003UA.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-03 02:58]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-04-08 17:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-04-08 17:22]

2009-10-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 23:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_NDISPROT\0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3064)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-31 23:07
ComboFix-quarantined-files.txt 2009-10-31 04:07
ComboFix2.txt 2009-10-29 01:24
ComboFix3.txt 2009-10-28 02:14

Pre-Run: 114,157,940,736 bytes free
Post-Run: 114,131,345,408 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 71152F71539F7E7B826AA74B5210E410
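The two MBAM hits above are the classic DNSChanger indicator: the DHCP-assigned resolvers under Tcpip\Parameters were replaced with addresses in 85.255.112.0/20, so every lookup on the box was answered by the attacker's servers. Two details a responder would want to check that the log alone does not spell out: both hits are in ControlSet004, while ComboFix's trailing "Current=2 ... LastKnownGood=4" line says the live control set is 2, so the live resolver setting deserves its own look; and the ComboFix header shows on-access scanning and the firewall product disabled, which is expected here (the user was told to disable them for the run) but should be recorded as context rather than treated as a second infection. The following is an added example of how to pull those facts out of MBAM and ComboFix text logs programmatically. It is not part of the thread or of either tool; the sample logs are excerpts constructed from the lines posted above, and the non-85.255.x ranges in DNSCHANGER_RANGES are the other DNSChanger resolver ranges from the DCWG/FBI advisory reproduced from memory, so verify them against the advisory before relying on them.

```python
"""Triage helper for DNSChanger indicators in MBAM / ComboFix text logs.

Added example, not part of the thread or of the MBAM/ComboFix tools.
"""
import ipaddress
import re

# Resolver ranges used by the DNSChanger (Rove Digital) operation. The first
# range is the one the MBAM log in this thread hit (85.255.112.129 and
# 85.255.112.227). The rest are the other ranges from the DCWG/FBI advisory,
# reproduced here from memory (assumption): check them before relying on them.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# MBAM "Registry Data Items Infected" line: <key> (<detection>) -> Data: <resolvers> -> <action>
MBAM_NAMESERVER_RE = re.compile(
    r"^(?P<key>HKEY_\S+\\(?:Dhcp)?NameServer)\b.*?-> Data: (?P<data>.+?) ->",
    re.MULTILINE,
)

# ComboFix lines that show host defences switched off. The AV/firewall
# "*disabled*" markers are expected when the user disabled them for the
# ComboFix run, so they are reported as context, not as infection.
WEAKENED_DEFENCE_PATTERNS = {
    "windows_firewall_off": re.compile(r'"EnableFirewall"=\s*0\b'),
    "security_center_monitoring_off": re.compile(r'"DisableMonitoring"=dword:00000001'),
    "av_realtime_off": re.compile(r"\*On-access scanning disabled\*"),
    "firewall_product_off": re.compile(r"^FW: .*\*disabled\*", re.MULTILINE),
}


def suspicious_resolvers(data):
    """Return the resolver IPs in a NameServer/DhcpNameServer value that fall in a DNSChanger range.

    DhcpNameServer is space separated; a static NameServer value may be comma separated.
    """
    hits = []
    for token in data.replace(",", " ").split():
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # stray non-IP token in the value
        if any(ip in net for net in DNSCHANGER_RANGES):
            hits.append(str(ip))
    return hits


def control_set(key):
    """Extract the ControlSetNNN number from a registry key; None for CurrentControlSet/other."""
    m = re.search(r"\\ControlSet(\d{3})\\", key, re.IGNORECASE)
    return int(m.group(1)) if m else None


def current_control_set(combofix_text):
    """Read the live control set number from ComboFix's trailing 'Current=N ...' line."""
    m = re.search(r"^Current=(\d+)", combofix_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage(mbam_text, combofix_text):
    """Correlate MBAM resolver hits with the ComboFix report."""
    live_set = current_control_set(combofix_text)
    findings = []
    for m in MBAM_NAMESERVER_RE.finditer(mbam_text):
        bad = suspicious_resolvers(m.group("data"))
        if bad:
            cs = control_set(m.group("key"))
            findings.append({
                "key": m.group("key"),
                "resolvers": bad,
                # A hit in a non-live control set (e.g. LastKnownGood) still
                # matters: it comes back if the machine ever boots that set.
                "in_live_control_set": cs is None or cs == live_set,
            })
    weakened = [name for name, pat in WEAKENED_DEFENCE_PATTERNS.items() if pat.search(combofix_text)]
    return {"dnschanger": findings, "weakened_defences": weakened, "live_control_set": live_set}


# Constructed sample input: excerpts of the MBAM and ComboFix logs posted in this thread.
MBAM_SAMPLE = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{6796c015-03f8-49ff-9b99-016498de2e96}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.129 85.255.112.227 1.2.3.4 -> Quarantined and deleted successfully.
"""

COMBOFIX_SAMPLE = r"""AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
"""

if __name__ == "__main__":
    for finding in triage(MBAM_SAMPLE, COMBOFIX_SAMPLE)["dnschanger"]:
        print(finding)
```

On this thread's logs both findings come back with `in_live_control_set` False (the hits are in ControlSet004, the live set is 2), which is the prompt to also read Tcpip\Parameters under CurrentControlSet rather than assuming the quarantine covered the resolver the box is actually using. The `weakened_defences` list is deliberately separate from the DNSChanger findings so that the expected, user-initiated AV/firewall shutdown is not mistaken for tampering.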

#8 JSntgRvr (Malware Response Team)

Posted 31 October 2009 - 01:12 AM

  • Download this tool and save it to your desktop.
  • Go to Start -> Run, copy and paste the following command (Including the quotation marks) and click OK:
    "%Userprofile%\Desktop\Inherit.exe" "C:\Program Files\Internet Explorer\iexplore.exe"
  • When finished click OK.
  • Attempt to run Internet Explorer.



#9 sjwilson (Topic Starter)

Posted 31 October 2009 - 01:23 AM

JSntgRvr, THINGS ARE WORKING AGAIN! Sort of....... Thanks.

IE is now functioning but I still have issues as I cannot execute Spybot or Super Antispyware. I am still getting the dreaded "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" message.

In addition, the root files (e.g. spybotSD.exe) are write protected and will NOT allow me to change the attribute. I am unable to delete the old file and thus not able to reinstall the SW in the same location.

Is there any fix for this?

Thanks again for all of your input.

#10 JSntgRvr (Malware Response Team)

Posted 31 October 2009 - 10:25 AM

Right click on the shortcuts and post the path of the executable. Else, you can copy Inherit.exe to the folder where these executables are. Then drag and drop these files onto Inherit.exe and click OK.



#11 JSntgRvr (Malware Response Team)

Posted 02 November 2009 - 06:35 PM

What is the status?



#12 sjwilson (Topic Starter)

Posted 05 November 2009 - 11:33 PM

JSntgRvr,
Sorry for the delay, things are working again and inherit.exe has fixed my issues with other software that has not been working. I can't thank you and all of the other 'experts' here in the forums enough for all of your advice and direction in the fight against malware.

Do you have any suggestions for future defense against these sort of infections?


Thanks again.

#13 JSntgRvr (Malware Response Team)

Posted 06 November 2009 - 12:55 AM

Hi, sjwilson

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type or copy and paste "c:\documents and settings\Steve\Desktop\Combo-Fix.exe" /Uninstall in the runbox (including the quotation marks) and click OK. Note the space between the " and the /Uninstall, it needs to be there.
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!



#14 JSntgRvr (Malware Response Team)

Posted 23 November 2009 - 04:33 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





