Google Redirection Virus and Tracking Cookies


  • This topic is locked
27 replies to this topic

#1 Phandral

Phandral

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:17 PM

Posted 27 November 2009 - 04:37 PM

Hey all,

About a month ago I found myself in some dubious part of the internet, the likes of which my mother warned me about, which promptly proceeded to upload a program to my comp. I quickly closed the prompt, the browser, and several pop-ups.

The ever-vigilant WinPatrol was quick on the job, alerting me to what new startup programs were storming in at the floodgates. However, in my haste to block off all the newly registered “programs” I accidentally clicked yes to one, and after seeing how the extent of the damage was ostensibly limited to “merely” redirecting my Google searches on Firefox, I very, VERY stupidly left it unattended…until now.

Today I was working on my comp while playing both a DVD and a movie file on my second monitor when suddenly everything froze on me. I tried to restart the computer several times, and each time it froze on the “Welcome” screen. When I tried to run it from Safe Mode, I got the good ol’ BSOD which mentioned there was a “Page fault in non-paged area” each time. As a last resort, I restarted Windows with the “Last Known Good Configuration” selection, which finally brought me back to a place where I could type this message, but not without some performance hiccups like ZoneAlarm suddenly being overzealous on what programs its firewall will allow to connect to the internet and intermittently blocking some dubious IP addresses.

I’m using Windows XP, Service Pack 3.

So far, I’ve run SUPERAntiSpyware which tells me I have the following viruses milling around:
  • Adware.Tracking Cookie (14)
  • Trojan.Agent/Gen (2)
  • Trojan.Agent/Gen-FakeAlert (2)
And MBAM which also says I have a Trojan.Agent.

Here’s the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:41 PM, on 11/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080919
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080919
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080919
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [HydraVisionDesktopManager] "C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Let me know if there’s something that can be done. The crazier, the BETTER!

Thanks so much!


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:17 AM

Posted 05 December 2009 - 07:20 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Phandral

Phandral
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:12:17 PM

Posted 08 December 2009 - 12:07 AM

Thanks for getting back to me, Sempai! Here are the results:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Ian Foster at 0:01:18.21 on Tue 12/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2306 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Documents and Settings\Ian Foster\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080919
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080919
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [HydraVisionDesktopManager] "c:\program files\ati technologies\ati hydravision\HydraDM.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [FRYMXINS] "c:\program files\ati technologies\fire gl 3d studio max\atiimxgl"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Open Client to monitor &1 - c:\windows\web\AOpenClient.htm
IE: Open Client to monitor &2 - c:\windows\web\AOpenClient.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ianfos~1\applic~1\mozilla\firefox\profiles\g4gvyt7c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-9-18 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-21 353672]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-18 358224]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-18 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-8 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-18 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-18 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-18 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-18 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2009-11-7 25832]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-18 33832]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2009-12-03 02:07:16 0 d-----w- c:\program files\Seagate
2009-12-03 02:07:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2009-12-03 02:06:21 0 d-sh--w- c:\windows\ftpcache
2009-11-27 03:51:41 68096 ----a-w- c:\windows\essledv.exe
2009-11-27 02:12:06 79744 ----a-w- c:\windows\system32\drivers\rarqee.sys
2009-11-19 00:42:20 23552 ----a-w- c:\windows\system32\tdlcmd.dll
2009-11-16 03:41:08 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-16 03:41:08 22328 ----a-w- c:\docume~1\ianfos~1\applic~1\PnkBstrK.sys
2009-11-16 03:40:55 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-16 03:40:54 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-16 03:40:53 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-12 03:45:35 22016 ----a-w- c:\windows\system32\tdlwsp.dll

==================== Find3M ====================

2003-07-28 10:16:52 36864 ----a-w- c:\windows\inf\i386\Vizmicro.dll
2003-07-28 10:16:26 172032 ----a-w- c:\windows\inf\i386\viceo.dll
2003-07-28 10:01:10 36207 ----a-w- c:\windows\inf\i386\9320FW.bin
2003-07-28 10:01:10 274432 ----a-w- c:\windows\inf\i386\9320LLD.dll
2003-07-28 10:01:10 155648 ----a-w- c:\windows\inf\i386\rtscan.dll
2001-08-03 22:29:18 13824 ----a-w- c:\windows\inf\i386\Usbscan.sys

============= FINISH: 0:02:55.07 ===============


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 December 2009 - 08:21 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Can you run RootRepeal for me

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes (Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT).
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#5 Phandral

Phandral
  • Topic Starter

  • Members
  • 27 posts

Posted 11 December 2009 - 12:57 AM

Thanks for getting back to me, m0le!

However, I tried to run RootRepeal following your instructions, but every time I start it, it says it's "initializing" and my computer freezes. Am I doing something wrong?

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 December 2009 - 08:00 AM

It's not your fault, Phandral. Either RootRepeal is being stopped by malware or your PC isn't configured correctly. This could be an indirect result of malware damage or an unrelated problem with your PC.

We'll try Gmer, a similar program.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE
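
The two posts above ask for a rootkit scan (RootRepeal, then GMER) and the saved log. As an added example, not part of any post in this thread and not GMER's or RootRepeal's own code, the Python script below reads a saved gmer.log and ranks the lines a helper looks at first: SSDT hooks placed by a driver that GMER then reports it cannot find on disk (a hidden driver), a driver whose entry point sits in a non-code section such as .rsrc (an image patched in place), and user-mode inline hooks that jump into memory GMER cannot map to any file. The sample log embedded in the script is constructed in the GMER 1.0.15 line format; its driver names, process IDs and addresses are illustrative, and the HIGH/MEDIUM/INFO ranking is this example's own heuristic, not anything GMER emits. Note the caveat in the last rule: host firewalls and HIPS products hook the same user-mode APIs, so unattributed hooks alone do not prove malware.

```python
"""Triage a GMER rootkit-scan log (added example; not from the thread or GMER)."""
import re
from collections import defaultdict

# Regexes follow the GMER 1.0.15 line formats for SSDT hooks, "file not found"
# notes, entry-point warnings and user-mode inline hooks.
SSDT_RE = re.compile(r'^SSDT\s+(?P<module>.+?)\s+(?:\((?P<vendor>[^)]*)\)\s+)?'
                     r'(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$')
MISSING_RE = re.compile(r'^\?\s+(?P<module>\S+)\s+The system cannot find the file specified')
ENTRY_RE = re.compile(r'^(?P<section>\S+)\s+(?P<path>.+?)\s+entry point in "(?P<in>[^"]+)" section')
USER_HOOK_RE = re.compile(
    r'^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<func>\S+)'
    r'\s+[0-9A-Fa-f]+\s+\d+\s+Bytes?\s+JMP\s+(?P<target>[0-9A-Fa-f]+)'
    r'(?:\s+(?P<owner>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$')
CODE_SECTIONS = {".text", "init", ".init", "page"}  # where a driver entry point normally lives

# Constructed sample in GMER format; names and addresses are illustrative only.
SAMPLE_LOG = r"""GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-13 00:17:28
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA581BC80]
SSDT spof.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spof.sys ZwQueryValueKey [0xB9EC5F8A]

---- Kernel code sections - GMER 1.0.15 ----

? spof.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\nvgts.sys entry point in ".rsrc" section [0xB9DCD000]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9099000, 0x1A51EA, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C170 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\lsass.exe[852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80000
"""


def _basename(path):
    """Last path component, lower-cased, for \SystemRoot\... and C:\... forms alike."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Pull the four interesting record types out of a GMER log."""
    found = {"ssdt": [], "missing": set(), "entry": [], "user_hooks": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            found["ssdt"].append(m.groupdict())
        elif (m := MISSING_RE.match(line)):
            found["missing"].add(m.group("module").lower())
        elif (m := ENTRY_RE.match(line)):
            found["entry"].append(m.groupdict())
        elif (m := USER_HOOK_RE.match(line)):
            found["user_hooks"].append(m.groupdict())
    return found


def triage(found):
    """Return (severity, message) tuples, HIGH first; the ranking is this example's heuristic."""
    out = []
    mods = {}  # hooking module -> {"funcs": set, "vendor": str or None}
    for h in found["ssdt"]:
        info = mods.setdefault(_basename(h["module"]), {"funcs": set(), "vendor": None})
        info["funcs"].add(h["func"])
        info["vendor"] = info["vendor"] or h["vendor"]
    for mod, info in mods.items():
        funcs = ", ".join(sorted(info["funcs"]))
        if mod in found["missing"]:  # hooks the kernel yet is invisible on disk: hidden driver
            out.append(("HIGH", f"{mod} hooks SSDT {funcs} but GMER cannot find the file on disk (hidden driver)"))
        elif info["vendor"] is None:  # on disk but no version info: verify the file and its signature
            out.append(("MEDIUM", f"{mod} hooks SSDT {funcs} and carries no file description"))
        else:
            out.append(("INFO", f"{mod} ({info['vendor']}) hooks SSDT {funcs}; normal for AV/firewall drivers"))
    for e in found["entry"]:
        if e["in"].lower() not in CODE_SECTIONS:  # code in a resource section means a patched image
            out.append(("HIGH", f"{e['path']} entry point lies in its {e['in']} section (image patched in place)"))
    unattributed = defaultdict(set)  # JMP targets GMER could not map to a module on disk
    for h in found["user_hooks"]:
        if not h["owner"]:
            unattributed[f"{_basename(h['proc'])}[{h['pid']}]"].add(f"{h['dll']}!{h['func']}")
    for proc, funcs in sorted(unattributed.items()):
        out.append(("MEDIUM", f"{proc}: {len(funcs)} inline hooks jump to memory not backed by a file "
                              f"({', '.join(sorted(funcs))}); a host firewall/HIPS can do this too"))
    rank = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(out, key=lambda item: rank[item[0]])


if __name__ == "__main__":
    import sys
    # gmer.log is often saved as ANSI with raw section-name bytes; replace undecodable ones.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sev, msg in triage(parse_gmer(text)):
        print(f"[{sev}] {msg}")
```

Run it as `python gmer_triage.py gmer.log` (file name is whatever you saved the script as); with no argument it triages the embedded sample. The design keeps GMER's own facts (a hooking module it cannot find on disk, an entry point outside a code section) at HIGH and everything that also has a benign explanation at MEDIUM, so the output tells a helper what to look at next rather than declaring an infection.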

#7 Phandral

Phandral
  • Topic Starter

  • Members
  • 27 posts

Posted 13 December 2009 - 12:42 AM

Oh man, trying to run gmer has been a pain and a half. First I tried to run it and it crashed in the middle of the scan. Then, I tried to get my computer to start in safe mode twice and both times I got a BSoD telling me about a "page fault in non paged area". I finally was able to scan again in normal mode all the way to the end and I saved a log on the desktop as gmer.log as you prescribed, but then when I pressed "copy" to copy the report to the clipboard, my computer froze on me. The following is what I cut and pasted in the log. I hope this information is still useful even though it didn't come from gmer's clipboard.

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-13 00:17:28
Windows 5.1.2600 Service Pack 3
Running: 0hlmuzfv.exe; Driver: C:\DOCUME~1\IANFOS~1\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA581EFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA581BC80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xA5836170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA581F580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA581F670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA581C210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xA58369F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xA58367A0]
SSDT spof.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spof.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA5836F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA5836F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA581C070]
SSDT spof.sys ZwOpenKey [0xB9EA70C0]
SSDT spof.sys ZwQueryKey [0xB9EC610A]
SSDT spof.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xA58376F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA5837150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA581EBE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xA5837540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA581C440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xA58364E0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA57BF0B0]

INT 0x73 ? 8B010BF8
INT 0x83 ? 8B010BF8
INT 0xA4 ? 8AE85BF8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA57029E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA57029BC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA5702994]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA5702980]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA57029FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA57029D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A57029D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A57029EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A5702A02 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A57029C0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP A5702984 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP A5702998 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spof.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\nvgts.sys entry point in ".rsrc" section [0xB9DCD000]
? srescan.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9099000, 0x1A51EA, 0xE8000020]
.text USBPORT.SYS!DllUnload B90508AC 5 Bytes JMP 8AE851D8
.text ahe3yen9.SYS B8EF6386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ahe3yen9.SYS B8EF63AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ahe3yen9.SYS B8EF63C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ahe3yen9.SYS B8EF63C9 1 Byte [30]
.text ahe3yen9.SYS B8EF63C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA2EB7400, 0x87EE2, 0xE8000020]
.protect C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect" section [0xA2F5B620]
.protect C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA2F5B400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C170 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[320] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1F0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D6003E
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60F49
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60F5A
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60F6B
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60F97
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F07
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D6004F
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D60EEC
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60085
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60EDB
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60F7C
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60FDE
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D60F2E
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60FB2
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60FCD
.text C:\WINDOWS\system32\svchost.exe[604] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D60074
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960FBC
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00960F46
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00960FCD
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00960FDE
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00960F61
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00960F7C
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B6, 88] {MOV DH, 0x88}
.text C:\WINDOWS\system32\svchost.exe[604] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00960FA1
.text C:\WINDOWS\system32\svchost.exe[604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00950FA5
.text C:\WINDOWS\system32\svchost.exe[604] msvcrt.dll!system 77C293C7 5 Bytes JMP 0095003A
.text C:\WINDOWS\system32\svchost.exe[604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00950029
.text C:\WINDOWS\system32\svchost.exe[604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0095000C
.text C:\WINDOWS\system32\svchost.exe[604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00950FCA
.text C:\WINDOWS\system32\svchost.exe[604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\svchost.exe[604] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[604] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00970011
.text C:\WINDOWS\system32\svchost.exe[604] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0097002C
.text C:\WINDOWS\system32\svchost.exe[604] WININET.dll!InternetOpenUrlW 780BAF69 3 Bytes JMP 00970FDB
.text C:\WINDOWS\system32\svchost.exe[604] WININET.dll!InternetOpenUrlW + 4 780BAF6D 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[604] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0094000A
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0076
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F81
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE005B
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE004A
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00BF
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE00AE
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00FC
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00EB
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE010D
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE002F
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0087
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE00DA
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050038
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!system 77C293C7 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FB7
.text C:\WINDOWS\system32\services.exe[840] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[840] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[840] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[840] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[840] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 0007001E
.text C:\WINDOWS\system32\services.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E0089
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E006E
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E0F94
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E0051
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E0036
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E0F5C
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E0F79
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E0F30
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E0F41
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010E0F15
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E0FAF
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010E0FE5
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010E00A4
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E0025
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010E0FCA
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010E00BF
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E60FB2
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E60F7C
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E60039
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E60F97
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [06, 89]
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E60028
.text C:\WINDOWS\system32\lsass.exe[852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD0FCA
.text C:\WINDOWS\system32\lsass.exe[852] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD0055
.text C:\WINDOWS\system32\lsass.exe[852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD003A
.text C:\WINDOWS\system32\lsass.exe[852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD000C
.text C:\WINDOWS\system32\lsass.exe[852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD0FE5
.text C:\WINDOWS\system32\lsass.exe[852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD0029
.text C:\WINDOWS\system32\lsass.exe[852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\lsass.exe[852] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[852] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\lsass.exe[852] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[852] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50F74
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50069
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F8F
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50FAC
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50047
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F5008B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F5007A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500A6
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50F17
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50EF2
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50058
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F5001B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50F4F
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50036
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50F28
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F3006F
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30054
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F30FB2
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [13, 89]
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30FC3
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F20FB4
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F20049
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F20FE3
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F20038
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20011
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00F40040
.text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F66
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0051
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F77
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0F94
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F3A
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0076
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F07
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F18
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE00BB
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F4B
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F29
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB0FD4
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB0F79
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0F94
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EB0036
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0FAF
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA004C
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0027
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0FD2
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA000C
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0FB7
.text C:\WINDOWS\system32\svchost.exe[1132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00FD0011
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00FD0022
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00FD003D
.text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 035E0FEF
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 035E0F92
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 035E0091
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 035E0076
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 035E0065
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 035E0FC3
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 035E0F5F
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 035E0F70
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 035E0F18
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 035E0F33
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 035E0F07
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 035E0054
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 035E0FDE
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 035E0F81
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 035E002F
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 035E001E
.text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 035E0F4E
.text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 035C0FDB
.text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 035C0FAF
.text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 035C0022
.text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 035C0011
.text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 035C006C
.text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 035C0000
.text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 035C0051
.text C:\WINDOWS\System32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 035C0FCA
.text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 035B0FC1
.text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!system 77C293C7 5 Bytes JMP 035B004C
.text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 035B0027
.text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 035B000C
.text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 035B0FD2
.text C:\WINDOWS\System32\svchost.exe[1232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 035B0FE3
.text C:\WINDOWS\System32\svchost.exe[1232] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 035D0000
.text C:\WINDOWS\System32\svchost.exe[1232] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 035D001B
.text C:\WINDOWS\System32\svchost.exe[1232] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 035D0FE5
.text C:\WINDOWS\System32\svchost.exe[1232] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 035D0FD4
.text C:\WINDOWS\System32\svchost.exe[1232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 035A0FE5
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B10F4E
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B10F5F
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10F86
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10F97
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10039
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10F16
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B1005E
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10083
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B10EEA
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B10ECF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B10FA8
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B10F33
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B10FCD
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B10FDE
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B10EFB
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0FD1
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0F9E
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF002C
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF001B
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0FAF
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AF0FC0
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CF, 88]
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF003D
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0047
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0FBC
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AE002C
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AE0FD7
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AE0011
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00B00011
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00B00FDB
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00B0002C
.text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AD000A
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D007D
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D006C
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F88
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0FA5
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D002C
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D00B5
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00A4
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D00EB
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F52
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0106
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0047
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0000
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0F6D
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D001B
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D00DA
.text C:\WINDOWS\system32\wuauclt.exe[1540] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0031
.text C:\WINDOWS\system32\wuauclt.exe[1540] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0FA6
.text C:\WINDOWS\system32\wuauclt.exe[1540] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FC1
.text C:\WINDOWS\system32\wuauclt.exe[1540] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1540] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C000C
.text C:\WINDOWS\system32\wuauclt.exe[1540] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FC3
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F6B
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0014
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0F86
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0F97
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\WINDOWS\system32\wuauclt.exe[1540] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0FB2
.text C:\WINDOWS\system32\wuauclt.exe[1540] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00940FEF
.text C:\WINDOWS\system32\wuauclt.exe[1540] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00940FD4
.text C:\WINDOWS\system32\wuauclt.exe[1540] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\wuauclt.exe[1540] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00940011
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D500A9
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50098
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50087
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50076
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50047
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D500D7
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D500BA
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D500FC
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50F63
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50F48
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50FCA
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D5001B
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50F8F
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50036
.text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D50F74
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0043
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0F86
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CF0F97
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 88]
.text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0FB2
.text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0FC1
.text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0042
.text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE000C
.text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0031
.text C:\WINDOWS\system32\svchost.exe[1572] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0FDE
.text C:\WINDOWS\system32\svchost.exe[1572] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1572] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[1572] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00D00FB9
.text C:\WINDOWS\system32\svchost.exe[1572] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00D00F9E
.text C:\WINDOWS\system32\svchost.exe[1572] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0000
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01650FE5
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01650F6D
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01650F7E
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01650058
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01650FA5
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01650047
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01650F4B
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01650F5C
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 016500DA
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016500C9
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01650F26
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01650FB6
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01650000
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0165007D
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0165002C
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01650011
.text C:\WINDOWS\Explorer.EXE[1932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 016500AE
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01630022
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01630058
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01630FD1
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01630011
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01630047
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01630000
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01630FA5
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [83, 89]
.text C:\WINDOWS\Explorer.EXE[1932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01630FB6
.text C:\WINDOWS\Explorer.EXE[1932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0162005C
.text C:\WINDOWS\Explorer.EXE[1932] msvcrt.dll!system 77C293C7 5 Bytes JMP 01620FDB
.text C:\WINDOWS\Explorer.EXE[1932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0162003A
.text C:\WINDOWS\Explorer.EXE[1932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01620000
.text C:\WINDOWS\Explorer.EXE[1932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0162004B
.text C:\WINDOWS\Explorer.EXE[1932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01620029
.text C:\WINDOWS\Explorer.EXE[1932] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 0164000A
.text C:\WINDOWS\Explorer.EXE[1932] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0164001B
.text C:\WINDOWS\Explorer.EXE[1932] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01640FE5
.text C:\WINDOWS\Explorer.EXE[1932] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 01640040
.text C:\WINDOWS\Explorer.EXE[1932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 015C0FEF
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AC0F6B
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AC0F7C
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AC0F97
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AC0FB2
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AC0FD4
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AC0085
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AC0F33
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC00BB
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AC00A0
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AC00CC
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AC0FC3
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AC0F50
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AC0036
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AC0025
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AC0F22
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AA0FD4
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AA0076
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AA0025
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AA000A
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AA0065
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AA004A
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AA0FC3
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A90FAB
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A9002C
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A9001B
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A90FE3
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A90FC6
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A90000
.text C:\WINDOWS\system32\svchost.exe[2128] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[2128] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00AB001B
.text C:\WINDOWS\system32\svchost.exe[2128] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00AB0FE5
.text C:\WINDOWS\system32\svchost.exe[2128] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00AB0FC0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spof.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spof.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spof.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spof.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spof.sys
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ahe3yen9.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [A5823B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [A5823930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [A5824260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [A5821E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [A5821E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [A5823B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [A5823930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [A5824260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [A5823B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [A5821E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [A5824260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [A5823930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [A5824260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [A5823930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [A5823B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [A5821E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [A5823B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [A5823930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [A5824260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [A5824260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [A5823930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [A5821E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [A5823B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [A5823B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [A5821E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [A5824260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [A5823930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B00C1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 89A26500
Device \FileSystem\Udfs \UdfsCdRom 899E41F8
Device \FileSystem\Udfs \UdfsDisk 899E41F8
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\sptd \Device\02487740 spof.sys
Device \Driver\PCI_PNP6490 \Device\00000051 spof.sys
Device \Driver\usbohci \Device\USBPDO-0 8AFA51F8
Device \Driver\usbehci \Device\USBPDO-1 8AFAA1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B00E1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B00E1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B00E1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B00E1F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B0841F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B0841F8
Device \Driver\Cdrom \Device\CdRom0 8AE1E1F8
Device \Driver\Cdrom \Device\CdRom1 8AE1E1F8
Device \Driver\atapi \Device\Ide\IdePort0 [B9DD8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DD8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B0841F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AC971F8
Device \Driver\NetBT \Device\NetbiosSmb 8AC971F8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbohci \Device\USBFDO-0 8AFA51F8
Device \Driver\usbehci \Device\USBFDO-1 8AFAA1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8984F1F8
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8984F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F74F3D49-DF61-4D96-BBDE-B334007C6F54} 8AC971F8
Device \Driver\Ftdisk \Device\FtControl 8B0841F8
Device \Driver\ahe3yen9 \Device\Scsi\ahe3yen91Port5Path0Target0Lun0 8AE0C1F8
Device \Driver\ahe3yen9 \Device\Scsi\ahe3yen91 8AE0C1F8
Device \FileSystem\Fastfat \Fat 89A26500

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 8910D1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD3 0x7B 0x94 0x0D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x19 0x8D 0x0C 0xB2 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0F 0x8D 0x28 0x5E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD3 0x7B 0x94 0x0D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x19 0x8D 0x0C 0xB2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0F 0x8D 0x28 0x5E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD3 0x7B 0x94 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x19 0x8D 0x0C 0xB2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0F 0x8D 0x28 0x5E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvgts.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached file: gmer.log (161.43KB)


#8 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:17 PM

Posted 13 December 2009 - 06:49 AM

There's modification on one of your drivers so we need to replace this file.

First, let's try the easier way

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#9 Phandral
  • Topic Starter
  • Members
  • 27 posts
  • Local time:12:17 PM

Posted 15 December 2009 - 08:41 PM

Hey m0le,

I can't download ComboFix because "an issue with the program has not been resolved." What happens now?

#10 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:17 PM

Posted 16 December 2009 - 07:51 AM

Combofix is down while being fixed so we need to take the long way round.

First we need to see if you have a backup file which we can use

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    nvgts*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#11 Phandral
  • Topic Starter
  • Members
  • 27 posts
  • Local time:12:17 PM

Posted 19 December 2009 - 02:26 AM

Here's what I got:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 02:14 on 19/12/2009 by Ian Foster (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvgts*"
C:\drivers\storage\R178505\nvgts.sys --a--- 102400 bytes [04:45 19/09/2008] [14:44 11/02/2008] A0B3F3A5049931657164F0FFCF0B208E
C:\WINDOWS\system32\drivers\nvgts.sys --a--- 102400 bytes [04:45 19/09/2008] [14:44 11/02/2008] A0B3F3A5049931657164F0FFCF0B208E
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\nvgts.sys --a--c 102400 bytes [08:50 19/09/2008] [14:44 11/02/2008] A0B3F3A5049931657164F0FFCF0B208E

-=End Of File=-
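Added example, not from the thread and not SystemLook's own code: a Python parser for the :filefind output above that groups the copies of nvgts.sys by MD5 and reports which, if any, differ from the copy loaded from system32\drivers. The sample log is the one posted above, embedded as a constructed string; here every copy reports the same MD5 even though GMER had flagged the live file as modified, which is why the verdict points at an offline hash instead of trusting a comparison made through the running kernel.

```python
"""Parse SystemLook ':filefind' output and compare every copy of a driver
against the copy that is actually loaded from system32\\drivers.

Added example for this thread; not SystemLook's own code.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the filefind result posted in the thread (same paths,
# sizes, timestamps and MD5 as the log above).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 02:14 on 19/12/2009 by Ian Foster (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvgts*"
C:\drivers\storage\R178505\nvgts.sys --a--- 102400 bytes [04:45 19/09/2008] [14:44 11/02/2008] A0B3F3A5049931657164F0FFCF0B208E
C:\WINDOWS\system32\drivers\nvgts.sys --a--- 102400 bytes [04:45 19/09/2008] [14:44 11/02/2008] A0B3F3A5049931657164F0FFCF0B208E
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\nvgts.sys --a--c 102400 bytes [08:50 19/09/2008] [14:44 11/02/2008] A0B3F3A5049931657164F0FFCF0B208E

-=End Of File=-
"""

# One result line: <path> <6 attribute flags> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str   # SystemLook flag string, e.g. "--a--c" (c = compressed)
    size: int    # bytes
    mtime: str   # last-modified, as SystemLook prints it
    ctime: str   # created
    md5: str     # upper-case hex


def parse_filefind(text: str) -> list[FileHit]:
    """Return every result line found under the '========== filefind' header."""
    hits: list[FileHit] = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("========== filefind"):
            in_section = True
            continue
        if not in_section:
            continue
        m = FILEFIND_RE.match(line.rstrip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["mtime"], m["ctime"], m["md5"].upper()))
    return hits


def group_by_md5(hits: list[FileHit]) -> dict[str, list[str]]:
    """Map each distinct MD5 to the paths that report it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h.path)
    return dict(groups)


def assess_copies(hits: list[FileHit], live_path: str) -> dict:
    """Compare every other copy with the live driver at live_path.

    'differing' copies (other MD5 or size) are the ones worth examining as a
    replacement. 'identical' copies prove nothing by themselves: the hashes
    were computed through the running kernel, and GMER had already flagged
    the live file as modified, so a rootkit filtering disk reads would make
    an infected file hash exactly like its clean backup.
    """
    live = next((h for h in hits if h.path.lower() == live_path.lower()), None)
    if live is None:
        raise ValueError(f"{live_path!r} is not among the filefind results")
    identical: list[str] = []
    differing: list[str] = []
    for h in hits:
        if h.path.lower() == live_path.lower():
            continue
        if h.md5 == live.md5 and h.size == live.size:
            identical.append(h.path)
        else:
            differing.append(h.path)
    if differing:
        verdict = ("candidate replacement(s) differ from the live file; "
                   "verify them against the vendor package before use")
    else:
        verdict = ("every copy reports the same MD5 and size; a live-system "
                   "hash cannot tell them apart, so hash the files from an "
                   "offline boot or compare with the vendor's published hash")
    return {"live_md5": live.md5, "identical": identical,
            "differing": differing, "verdict": verdict}


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.md5}  {hit.size:>7}  {hit.attrs}  {hit.path}")
    result = assess_copies(found, r"C:\WINDOWS\system32\drivers\nvgts.sys")
    print(result["verdict"])
```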

#12 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:17 PM

Posted 19 December 2009 - 07:19 AM

Okay, thanks for the log. However, Combofix is up again and it should do this automatically so let's try it now.

Please download ComboFix from HERE

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#13 Phandral
  • Topic Starter
  • Members
  • 27 posts
  • Local time:12:17 PM

Posted 19 December 2009 - 09:10 PM

Hey m0le, the following are the results of the ComboFix log. However, it should be noted that:
  • When I first launched ComboFix and rebooted my comp the first time, the program asked me if it should download "Microsoft Windows Recovery Console". My computer is always connected to the internet, but for some reason wasn't being acknowledged by ComboFix. Because it doesn't give you an option to abort ComboFix and manually download MWRC, I hit "ok" and ComboFix did its thing and automatically rebooted the computer again afterward. Is it too late to install MWRC now?
  • While ComboFix was creating the log file after I rebooted the computer, it said I should make sure no other programs were running, but my anti-virus programs automatically launch during startup and I don't recall being prompted to deactivate them entirely before launch. Would that have affected the log at that point?
  • Winpatrol alerted me to a change in the HOSTS file, which I assume was related to something ComboFix had done. I accepted it, but I wanted to make sure that was the right move to make.
  • There was apparently a change to IE's homepage, though I rarely use it and I had to reset Firefox as my primary browser.
Without further ado:

ComboFix 09-12-18.03 - Ian Foster 12/19/2009 19:57:54.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2838 [GMT -5:00]
Running from: c:\documents and settings\Ian Foster\Desktop\KittyFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\IANFOS~1\LOCALS~1\Temp\1.wmv
c:\documents and settings\Ian Foster\Desktop\AV Care.lnk
c:\documents and settings\Ian Foster\Start Menu\Programs\AV Care
c:\documents and settings\Ian Foster\Start Menu\Programs\AV Care\AV Care.lnk
c:\program files\AV Care
c:\program files\AV Care\avc.ico
c:\program files\AV Care\AVCare.ini
c:\program files\AV Care\PP.exe
c:\program files\AV Care\Uninstall.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\essledv.exe
c:\windows\system32\_id.dat
c:\windows\system32\tdlcmd.dll
c:\windows\system32\tdlwsp.dll
c:\windows\system32\xactengine3_0.dll
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-13 11:39 . 2008-05-21 16:26 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2009-12-13 11:38 . 2009-12-13 12:13 -------- d-----w- C:\Netgear
2009-12-03 02:07 . 2009-12-03 02:07 -------- d-----w- c:\program files\Seagate
2009-12-03 02:07 . 2009-12-03 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-12-03 02:06 . 2009-12-03 02:13 -------- d-----w- c:\documents and settings\Ian Foster\Local Settings\Application Data\Downloaded Installations
2009-12-03 02:06 . 2009-12-03 02:06 -------- d-sh--w- c:\windows\ftpcache
2009-12-03 02:04 . 2009-12-03 02:04 -------- d-----w- c:\documents and settings\Ian Foster\Application Data\Leadertech
2009-11-27 02:12 . 2009-11-27 02:12 79744 ----a-w- c:\windows\system32\drivers\rarqee.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 01:23 . 2009-12-20 01:23 25600 ----a-w- c:\windows\system32\tdlcmd.dll
2009-12-20 01:21 . 2009-10-25 18:04 -------- d-----w- c:\documents and settings\Ian Foster\Application Data\Skype
2009-12-19 03:35 . 2009-02-22 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-17 07:25 . 2008-09-28 21:16 -------- d-----w- c:\documents and settings\Ian Foster\Application Data\uTorrent
2009-12-15 14:34 . 2009-04-24 12:52 24324110 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-13 05:25 . 2008-09-19 02:07 109696 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-11 05:36 . 2009-12-11 05:47 2916352 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-12-07 00:45 . 2009-05-11 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2009-12-03 14:30 . 2009-06-24 00:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-03 02:16 . 2008-09-19 01:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-30 08:05 . 2008-12-20 14:38 -------- d-----w- c:\program files\Steam
2009-11-27 03:44 . 2009-11-27 03:49 2053632 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2009-11-27 03:44 . 2009-11-27 03:49 13824 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2009-11-27 03:42 . 2009-11-27 03:44 2053632 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2009-11-27 02:14 . 2009-11-27 03:42 2688512 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2009-11-27 02:14 . 2009-11-27 03:42 2053632 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2009-11-27 02:11 . 2009-11-27 03:49 2053120 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2009-11-24 01:44 . 2009-05-11 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
2009-11-16 03:41 . 2009-11-16 03:41 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-16 03:41 . 2009-11-16 03:41 22328 ----a-w- c:\documents and settings\Ian Foster\Application Data\PnkBstrK.sys
2009-11-16 03:41 . 2009-11-16 03:40 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-16 03:40 . 2009-11-16 03:40 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-16 03:40 . 2009-11-16 03:40 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-15 03:22 . 2008-11-29 10:30 -------- d-----w- c:\program files\SystemRequirementsLab
2009-11-15 03:21 . 2008-11-29 10:30 -------- d-----w- c:\documents and settings\Ian Foster\Application Data\SystemRequirementsLab
2009-11-08 03:52 . 2009-11-08 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-04 06:18 . 2008-04-25 21:42 500120 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-31 08:07 . 2009-10-31 08:07 -------- d-----w- c:\documents and settings\Ian Foster\Application Data\runic games
2009-10-27 04:05 . 2009-10-25 18:05 -------- d-----w- c:\documents and settings\Ian Foster\Application Data\skypePM
2009-10-25 18:05 . 2009-10-25 18:05 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-25 18:04 . 2009-10-25 18:04 -------- d-----r- c:\program files\Skype
2009-10-25 18:04 . 2009-10-25 18:04 -------- d-----w- c:\program files\Common Files\Skype
2009-10-25 18:04 . 2009-10-25 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-25 04:53 . 2008-11-17 05:09 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-18 22:41 . 2009-10-18 22:41 0 ----a-w- c:\documents and settings\Ian Foster\22B.tmp
2009-10-18 22:41 . 2009-10-18 22:41 88576 ----a-w- c:\documents and settings\Ian Foster\22A.tmp
2009-10-18 22:41 . 2009-10-18 22:41 48 ----a-w- c:\documents and settings\Ian Foster\229.tmp
2009-10-17 19:11 . 2009-10-17 19:12 1935872 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2009-10-05 04:06 . 2009-10-05 04:07 371712 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2009-09-28 05:48 . 2009-09-28 13:11 2754048 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-09-28 05:48 . 2009-09-28 13:11 1896448 ----a-w- c:\windows\Internet Logs\xDB14.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-11-10 818288]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2007-07-25 368640]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-03 2001648]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FRYMXINS"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-15 16855552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-11 13541376]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-01-03 184864]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-19 185872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-09-23 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2003-08-18 98304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-13 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-19 02:02 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\prince of persia the sands of time\\PrinceOfPersia.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\beyond good and evil\\CheckApplication.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\ghostbusters\\ghost_w32.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv\\RGSC\\RGSCLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien shooter 2 - reloaded\\AlienShooter.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\freedom force vs. the 3rd reich demo\\ffvt3rd.exe"=
"c:\\Program Files\\Capcom\\STREETFIGHTERIV\\StreetFighterIV.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of juarez - bound in blood sp demo\\CoJBiBDemo_x86.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trine demo\\trine_launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\batman arkham asylum\\Binaries\\BmLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\batman arkham asylum\\Batman_Revoker.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\resident evil 5\\Launcher.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age orgins character creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 10:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 10:01 AM 74480]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/8/2008 9:46 AM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 10:01 AM 7408]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [11/7/2009 12:36 PM 25832]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 5:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/19/2009 1:48 AM 721904]
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080919
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open Client to monitor &1 - c:\windows\web\AOpenClient.htm
IE: Open Client to monitor &2 - c:\windows\web\AOpenClient.htm
FF - ProfilePath - c:\documents and settings\Ian Foster\Application Data\Mozilla\Firefox\Profiles\g4gvyt7c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Aim6 - (no file)
AddRemove-AV Care - c:\program files\AV Care\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-19 20:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvgts.sys >>UNKNOWN [0x8AF41F61]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ccf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9eee852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-551867005-3965569692-2027172801-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:59,71,c6,40,6a,bb,ca,65,32,7a,dd,5f,10,ef,74,9c,0b,e6,89,05,13,cc,bd,
ba,2c,15,a6,80,db,71,04,bc,80,1f,c2,09,25,9e,f1,2b,48,38,80,b2,00,81,30,9a,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-551867005-3965569692-2027172801-1005\Software\SecuROM\License information*]
"datasecu"=hex:31,34,3b,41,fd,d1,19,d0,a7,06,d0,d9,12,f6,78,88,61,fc,d6,65,ca,
3c,f6,ce,9f,83,9c,45,3b,7b,df,94,19,44,5c,30,50,ae,c3,89,19,b9,8e,b9,e0,37,\
"rkeysecu"=hex:7d,40,10,cb,c7,39,e0,67,0a,69,a8,47,07,da,5b,5c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(5948)
c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-12-19 20:33:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 01:33

Pre-Run: 222,371,987,456 bytes free
Post-Run: 230,532,853,760 bytes free

- - End Of File - - 854815BA19FCC42743FF66BFFACE7DF1

#14 m0le
    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:17 PM

Posted 20 December 2009 - 06:30 AM

Is it too late to install MWRC now?

Yes, but don't worry.

While ComboFix was creating the log file after I rebooted the computer, it said I should make sure no other programs were running, but my anti-virus programs automatically launch during startup and I don't recall being prompted to deactivate them entirely before launch. Would that have affected the log at that point?

No, it hasn't affected the scan.

Winpatrol alerted me to a change in the HOSTS file, which I assume was related to something ComboFix had done. I accepted it, but I wanted to make sure that was the right move to make.

Yes it was. Perfectly normal.

There was apparently a change to IE's homepage, though I rarely use it and I had to reset Firefox as my primary browser.

Combofix resets it. No problem.


Combofix has also seen off the rootkit, so let's run MBAM and ESET to make sure we've got everything.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Finally, the ESET online scan

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Thanks :(
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:17 PM

Posted 23 December 2009 - 08:58 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE
