
Infected with Browser Hijack - hijack.shell?


  • This topic is locked
22 replies to this topic

#1 Kurtlib (Members, 12 posts)

Posted 29 November 2009 - 10:10 PM

I am getting a redirection to advertising websites when using IE7 or Firefox. The problem started after doing some browsing and McAfee notified me that something was trying to change a registry setting - I told McAfee not to allow the change. I then ran Malwarebytes - the first time through, it said that it detected 2 problems and removed them. The second time it came back and said there was registry data infection HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good (Explorer.exe) -> Quarantined and deleted successfully. However, without my doing anything, the computer just rebooted all by itself at that point. After that, I started getting all of the browser redirection - hijacked, I guess.

I greatly appreciate any help that you can provide.

Please note that I cannot get RootRepeal to run - I start it up, select report and scan, make the selections, it then says it's Initializing but nothing seems to happen - just hangs and does not respond?

Here is DDS.txt


DDS (Ver_09-11-29.01) - NTFSx86
Run by Liberatore Family at 21:33:35.15 on Sun 11/29/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2330 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
D:\@Liberatore Data Files\KL_Software\HijackThis\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Outlook Express\msimn.exe
D:\@Liberatore Data Files\KL_Software\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250364440790
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://berklee.webex.com/client/T27L/nbr/ieatgpc.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\roxio\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\libera~1\applic~1\mozilla\firefox\profiles\5esza3lw.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\pace anti-piracy\ilok\NPPaceILok.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2007-7-8 16384]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-4-1 214664]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2007-7-8 16400]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-4-1 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-4-1 144704]
R3 DIGIFW;Service for Mbox 2 Pro Driver (WDM);c:\windows\system32\drivers\digifw.sys [2007-7-8 167952]
R3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2009-4-9 52008]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-4-1 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-4-1 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-4-1 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-4-1 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-9-9 309744]
S2 SessionLauncher;SessionLauncher;c:\docume~1\libera~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\libera~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 cpuz128;cpuz128;c:\program files\pc wizard 2008\pcwiz32.sys [2008-2-9 7808]
S3 DGFWBOOT;Bootloader Service for Mbox 2 Pro Driver (WDM);c:\windows\system32\drivers\dgfwboot.sys [2007-7-8 24080]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [2009-10-15 16384]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [2009-10-15 16640]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-9-9 1120752]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2007-4-7 406784]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2007-4-7 10912]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [2007-4-7 19904]
UnknownUnknown SASDIFSV;SASDIFSV; [x]

=============== Created Last 30 ================

2009-11-30 01:31:03 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-30 01:07:21 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2009-11-30 01:07:21 203976 ----a-w- c:\windows\system32\richtx32.ocx
2009-11-30 01:07:20 0 d-----w- c:\program files\Zamaan's Software
2009-11-10 00:58:43 0 d-----w- c:\docume~1\libera~1\applic~1\NetMedia Providers
2009-11-10 00:50:41 0 d-----w- c:\program files\Sony
2009-11-07 13:14:42 23155 ----a-w- c:\windows\hpqins15.dat

==================== Find3M ====================

2009-11-29 23:39:27 105344 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2009-10-21 04:08:54 3598336 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-01-23 23:31:07 604 ---ha-w- c:\program files\STLL Notifier
2009-01-18 17:15:18 604 ---ha-w- c:\program files\WSTLL Notifier
2008-04-08 21:41:39 0 ---ha-w- c:\program files\common files\MSN
2007-04-10 21:20:00 295 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 21:34:59.90 ===============
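An added check for the registry hit Malwarebytes reported in this post, the Winlogon Shell value. This is example code written for this thread, not Malwarebytes' detection logic and not anything the poster ran; the sample `reg query` output is constructed, and the expectation that Explorer.exe (bare or under %SystemRoot%) is the only legitimate shell on this XP machine is an assumption.

```python
"""
Audit a Winlogon "Shell" value of the kind Malwarebytes flagged in the post
above (Bad: "Explorer.exe logon.exe", Good: "Explorer.exe").
Added example for this thread; it is not Malwarebytes' detection logic and
was not posted by Kurtlib. Assumptions: on this XP machine the only legitimate
shell is Explorer.exe, written bare or with a %SystemRoot%\ or C:\WINDOWS\
prefix; any other program name or argument in the value is treated as a
launcher that does not belong there.
"""
import re

EXPECTED_SHELL = "explorer.exe"
# Malware usually appends its own executable after Explorer.exe, separated by
# a space or a comma, so the value is split on both. (Limitation: a quoted
# path containing spaces is split too; Shell values rarely contain one.)
SPLIT_RE = re.compile(r"[,\s]+")
PREFIX_RE = re.compile(r"^(?:%systemroot%|c:\\windows)\\")


def normalise(token):
    """Lower-case, unquote and strip a Windows-directory prefix from one token."""
    return PREFIX_RE.sub("", token.strip().strip('"').lower())


def audit_shell_value(value):
    """Return (ok, extras): ok is True only when the value is exactly Explorer.exe."""
    tokens = [normalise(t) for t in SPLIT_RE.split(value) if t.strip()]
    extras = [t for t in tokens if t != EXPECTED_SHELL]
    return tokens == [EXPECTED_SHELL], extras


# Malwarebytes reports registry data hits as
#   <key> (<signature>) -> Bad: (<value>) Good (<value>) -> <action>
MBAM_RE = re.compile(
    r"\((?P<sig>[^)]+)\)\s*->\s*Bad:\s*\((?P<bad>[^)]*)\)\s*Good:?\s*\((?P<good>[^)]*)\)"
)


def parse_mbam_line(line):
    """Extract signature, bad and good values from one Malwarebytes log line."""
    m = MBAM_RE.search(line)
    return m.groupdict() if m else None


# `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell`
# prints the value as:  <name>    REG_SZ    <data>
REG_QUERY_RE = re.compile(r"^\s*Shell\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", re.IGNORECASE)


def shell_from_reg_query(output):
    """Pull the Shell data out of `reg query ... /v Shell` output; None if absent."""
    for line in output.splitlines():
        m = REG_QUERY_RE.match(line)
        if m:
            return m.group(1)
    return None


# Constructed sample of reg query output (not captured from the poster's machine).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe logon.exe
"""

if __name__ == "__main__":
    shell = shell_from_reg_query(SAMPLE_REG_QUERY)
    ok, extras = audit_shell_value(shell)
    print("Shell =", repr(shell), "OK" if ok else f"UNEXPECTED: {extras}")
```

On the affected machine the value is read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` (the same key under HKCU is worth checking as well); feed that output to shell_from_reg_query, and anything returned in extras is a program or argument that does not belong in the Shell value.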


#2 m0le (Malware Response Team, London, UK)

Posted 12 December 2009 - 01:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 Kurtlib (Topic Starter)

Posted 13 December 2009 - 03:30 PM

m0le - thanks for the reply - I await your instructions. FYI - in the interim, I had 2 PC security firms take a look at my computer and they did not come up with anything. At present, the only way for me to boot the PC is from the XP disk in Recovery Console mode. I have not turned off the PC and I'm not sure that I can get it re-booted at this point - if I recall correctly, there seemed to be a missing Windows DLL at startup - not sure if this has anything to do with my other issues -- it took about a week for this second symptom to crop up.
Thanks, Kurt

#4 m0le (Malware Response Team)

Posted 13 December 2009 - 03:40 PM

Okay, let's take this slow and see if we can identify the malware.

Please save this file to your desktop. Click on Start->Run, copy-paste the following command into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

#5 Kurtlib (Topic Starter)

Posted 13 December 2009 - 05:41 PM

Running from: C:\Documents and Settings\Liberatore Family\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Liberatore Family\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

#6 m0le (Malware Response Team)

Posted 13 December 2009 - 06:28 PM

Okay, that's a good sign.

Run RKill next.

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Now we will use ComboFix. Read the instructions carefully; this is a powerful tool.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(

#7 Kurtlib (Topic Starter)

Posted 14 December 2009 - 08:11 PM

Rkill ran fine

Downloaded Combofix and renamed it - when I executed it, I get a message stating that Combo Fix is offline

#8 m0le (Malware Response Team)

Posted 15 December 2009 - 03:21 PM

Without Combofix we need to find the rootkit that's affecting the system.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks :(
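When the GMER log comes back, the "User code sections" part is the piece most worth reading closely. As an added example for this thread (not a GMER feature, and not posted by m0le or Kurtlib), the script below parses those lines and separates inline hooks whose JMP target GMER attributes to a file from a named vendor from hooks whose target has no module attribution at all. The heuristic that unattributed targets deserve a closer look is an assumption stated in the code, not a GMER rule, and the sample lines are constructed in GMER's format rather than taken from any one machine.

```python
"""
Triage helper for the "User code sections" part of a GMER log.
Added example for this thread; it is not part of GMER and was not posted by
m0le or Kurtlib. Heuristic (an assumption, not a GMER rule): a JMP whose
target GMER attributes to a file from a named vendor is usually that product's
own hook; a JMP to a target with no module attribution means the hooked API
now lands in memory of that process that GMER could not map to a file on
disk, which is how injected code looks and is worth a closer look.
"""
import re
from collections import defaultdict

# One hook line:  .text <process>[pid] <module>!<export>[ + n] <addr> <n> Byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s\+\s\d+)?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)
# <patch> is either "JMP <target> [<file> (<description>)]" or raw bytes like "[E9]"
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<attr>\S.*))?$")

# Constructed sample in GMER's format: one vendor self-hook, unattributed hooks
# in services.exe, a split two-byte hook in lsass.exe, and a kernel-section
# line (with a made-up example.sys) that the parser must ignore.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B6CC17B8 \SystemRoot\system32\drivers\example.sys (Example Driver/Example Vendor)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D70F9E
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F7, 88]
"""


def parse_hook(line):
    """Parse one user-mode hook line; return a dict, or None for any other line."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["size"] = int(rec["size"])
    j = JMP_RE.match(rec["patch"])
    rec["target"] = j.group("target") if j else None
    rec["attribution"] = j.group("attr") if j else None
    return rec


def triage(log_text):
    """Group hooks per process into attributed / unattributed / partial buckets."""
    report = defaultdict(lambda: {"attributed": 0, "unattributed": [], "partial": []})
    for raw in log_text.splitlines():
        rec = parse_hook(raw.strip())
        if rec is None:
            continue
        entry = report[rec["proc"]]
        hook = f'{rec["module"]}!{rec["func"]}'
        if rec["target"] is None:            # raw bytes only, e.g. the tail of a split hook
            entry["partial"].append((hook, rec["patch"]))
        elif rec["attribution"]:             # GMER mapped the target to a file on disk
            entry["attributed"] += 1
        else:                                # target has no file behind it in this process
            entry["unattributed"].append((hook, rec["target"]))
    return dict(report)


def suspicious_processes(report):
    """Processes with at least one hook whose JMP target GMER could not attribute."""
    return sorted(p for p, e in report.items() if e["unattributed"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for proc in suspicious_processes(rep):
        print(proc)
        for hook, target in rep[proc]["unattributed"]:
            print(f"   {hook:40s} -> {target}")
```

Run it over a saved gmer.log with `triage(open("gmer.log").read())`; processes that show up in suspicious_processes, especially core ones such as services.exe or lsass.exe, are where a helper would look first, while a process whose hooks are all attributed to the installed security product is usually just that product at work.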

#9 Kurtlib (Topic Starter)

Posted 15 December 2009 - 09:07 PM

Downloaded GMER from 1st location, disconnected from Internet and turned off all antivirus, double-clicked, a number of lines of messages came up without any warning. Ran scan - it probably ran for about 1 hour. I checked periodically and did not see any messages. When I finally returned to computer, there was a blue screen with the message
STOP: c0000145 {Application Error}
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.

There is no OK to click on - computer seems to be frozen so I did not do anything further. Referring back to my earlier post, not sure I can even reboot. I have the Windows XP reinstallation CD that came with the computer but that's about it.

#10 m0le (Malware Response Team)

Posted 16 December 2009 - 08:20 AM

At this stage it doesn't sound like we have much choice so please reboot.

Let me know if you have problems. :(

#11 Kurtlib (Topic Starter)

Posted 17 December 2009 - 06:32 PM

I ran gmer a number of times - it keeps crashing after about 30 minutes or so, probably some place during the c:\program files scan. This is the log that I am able to pull prior to the crash.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-16 18:50:37
Windows 5.1.2600 Service Pack 3
Running: 645bse7l.exe; Driver: C:\DOCUME~1\LIBERA~1\LOCALS~1\Temp\pftoapog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6CC178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB6CC1738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB6CC174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6CC17CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6CC1710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6CC1724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6CC179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6CC1776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6CC1762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6CC17F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6CC17E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6CC17B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B6CC17B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB946A360, 0x24517E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[496] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070078
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F70
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700B8
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F3A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700D3
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700EE
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000700A7
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070039
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F55
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006006C
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FB4
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050049
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD9
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005002E
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D8006C
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D8005B
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D8004A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80F97
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D8002F
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80F37
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D8007D
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D800AB
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D8009A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D800BC
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80FA8
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D80F52
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D80F26
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D7000A
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70051
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D70FC3
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D70036
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D70F9E
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F7, 88]
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60FA8
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D60033
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D60018
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D60FC3
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D60FDE
.text C:\WINDOWS\system32\lsass.exe[788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F90
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F8007B
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F8005E
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80FA1
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80FB2
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800CE
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F800BD
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80104
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F75
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F80F46
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80039
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F800A0
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80FC3
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80014
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F800E9
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70047
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70095
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F7002C
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70084
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F70069
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70058
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60FA1
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60022
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F60FC6
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F60011
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FD7
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D6007B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60056
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60F7C
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60F8D
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FB9
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F33
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F4E
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600B1
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F18
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D600C2
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60FA8
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D60F6B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60025
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60FDE
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D60096
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FC0
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50051
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D5001B
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50F94
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D50FAF
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F5, 88]
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50036
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40F9E
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40033
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FDE
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40FCD
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40018
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0316000A
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03160091
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03160080
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03160FA8
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03160FB9
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03160040
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 031600D8
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 031600C7
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03160104
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031600F3
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03160115
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03160051
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03160FEF
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 031600B6
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03160FCA
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03160025
.text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03160F75
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0265000A
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02650F83
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02650FB9
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02650FD4
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02650F94
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02650FEF
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02650036
.text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0265001B
.text C:\WINDOWS\System32\svchost.exe[1140] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0264000A
.text C:\WINDOWS\System32\svchost.exe[1140] msvcrt.dll!system 77C293C7 5 Bytes JMP 02640F75
.text C:\WINDOWS\System32\svchost.exe[1140] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02640FB5
.text C:\WINDOWS\System32\svchost.exe[1140] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02640FE3
.text C:\WINDOWS\System32\svchost.exe[1140] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02640F9A
.text C:\WINDOWS\System32\svchost.exe[1140] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02640FD2
.text C:\WINDOWS\System32\svchost.exe[1140] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02630FEF
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02620000
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02620FEF
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02620025
.text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02620FD4
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007D0F8B
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007D0F9C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007D0076
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007D0065
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007D0FD4
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007D0F55
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007D0F70
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007D0F04
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007D0F29
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007D00B8
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007D0FC3
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007D0091
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007D0036
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007D001B
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007D0F44
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007C0FB9
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007C0FCA
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007C0FE5
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007C0025
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007C0F83
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9C, 88]
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007C0F94
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007B0F8B
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!system 77C293C7 5 Bytes JMP 007B0016
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007B0FC1
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007B0FA6
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007B0FD2
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F4B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10040
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10F66
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A1002F
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FA8
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F30
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10082
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10F1F
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100AE
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F04
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10F83
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10065
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FC3
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A1009D
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00FA8
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00F7C
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00F8D
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A0002F
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A0001E
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0042
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0FB7
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0FD2
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F0027
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00710FEF
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00710F50
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00710F6B
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00710F7C
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00710F97
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0071002F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0071007D
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0071006C
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00710F06
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0071009F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007100BA
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00710FA8
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00710FD4
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00710F35
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00710014
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00710FC3
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0071008E
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00700040
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00700FB2
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00700025
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00700014
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00700FC3
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00700FEF
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00700FD4
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [90, 88]
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0070005B
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0064
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0053
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F002E
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F000C
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0FD9
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F001D
.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01780000
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01780093
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01780082
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01780FA8
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01780FB9
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01780040
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 017800BF
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01780F79
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 017800F5
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 017800E4
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01780F41
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01780065
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01780FEF
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 017800A4
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01780FDE
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0178002F
.text C:\WINDOWS\Explorer.EXE[1528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01780F5C
.text C:\WINDOWS\Explorer.EXE[1528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0176002C
.text C:\WINDOWS\Explorer.EXE[1528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0176007A
.text C:\WINDOWS\Explorer.EXE[1528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0176001B
.text C:\WINDOWS\Explorer.EXE[1528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0176000A
.text C:\WINDOWS\Explorer.EXE[1528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01760069
.text C:\WINDOWS\Explorer.EXE[1528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01760FEF
.text C:\WINDOWS\Explorer.EXE[1528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01760058
.text C:\WINDOWS\Explorer.EXE[1528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0176003D
.text C:\WINDOWS\Explorer.EXE[1528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30044
.text C:\WINDOWS\Explorer.EXE[1528] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30033
.text C:\WINDOWS\Explorer.EXE[1528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\Explorer.EXE[1528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D3000C
.text C:\WINDOWS\Explorer.EXE[1528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FB9
.text C:\WINDOWS\Explorer.EXE[1528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\Explorer.EXE[1528] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00CC0000
.text C:\WINDOWS\Explorer.EXE[1528] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\Explorer.EXE[1528] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00CC002F
.text C:\WINDOWS\Explorer.EXE[1528] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00CC0040
.text C:\WINDOWS\Explorer.EXE[1528] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F66
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F81
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE005B
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE009D
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0080
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F26
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00BF
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00D0
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F55
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00AE
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FC0
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660062
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660011
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FE5
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660047
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00660036
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FA5
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650051
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650040
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FD7
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FC6
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650011
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0063002F
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00630FDE
.text C:\WINDOWS\system32\svchost.exe[1632] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640000
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00710FEF
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00710F44
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00710F55
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0071002F
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00710F72
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00710FA8
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00710EFB
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00710F0C
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00710094
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0071006F
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00710EE0
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00710F8D
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0071000A
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00710F33
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00710FB9
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00710FD4
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0071005E
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0070002C
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00700076
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0070001B
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00700FDB
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00700FB9
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00700000
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00700051
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00700FCA
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0020
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0F95
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F0FC1
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0FB0
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0FD2
.text C:\WINDOWS\System32\svchost.exe[1780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B70F79
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B70F8A
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B7006E
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B70FA5
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B7002C
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B70F4B
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B70F68
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B700A4
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B70F0B
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B700BF
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B70047
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B70089
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B7001B
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B70FCA
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B70F30
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B60014
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B60F8D
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B60FC3
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B6004A
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B6002F
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B60FA8
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B50050
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B50FCF
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B5002E
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B5003F
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B5001D
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F7C
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F8D
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0065
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0098
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F50
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F10
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F2B
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00C4
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F6B
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00B3
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B9004A
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90F8D
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90F9E
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B8005F
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80044
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80029
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B8000C
.text C:\WINDOWS\system32\svchost.exe[2200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B9006E
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B9005D
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90F79
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B9002C
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B900B0
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90F68
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B90F3C
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B900CB
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B900F0
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90F94
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90093
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\system32\svchost.exe[2292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90F57
.text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B8002F
.text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B8007D
.text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80014
.text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B8006C
.text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B8005B
.text C:\WINDOWS\system32\svchost.exe[2292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B8004A
.text C:\WINDOWS\system32\svchost.exe[2292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FC8
.text C:\WINDOWS\system32\svchost.exe[2292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70049
.text C:\WINDOWS\system32\svchost.exe[2292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7001D
.text C:\WINDOWS\system32\svchost.exe[2292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[2292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70038
.text C:\WINDOWS\system32\svchost.exe[2292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FE3
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02860FEF
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02860047
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02860F5C
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02860F79
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02860036
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0286001B
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02860073
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02860062
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0286009F
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0286008E
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02860EEB
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02860F94
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0286000A
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02860F37
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02860FAF
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02860FD4
.text C:\WINDOWS\system32\wuauclt.exe[2468] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02860F06
.text C:\WINDOWS\system32\wuauclt.exe[2468] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02840FAD
.text C:\WINDOWS\system32\wuauclt.exe[2468] msvcrt.dll!system 77C293C7 5 Bytes JMP 02840038
.text C:\WINDOWS\system32\wuauclt.exe[2468] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0284000C
.text C:\WINDOWS\system32\wuauclt.exe[2468] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02840FEF
.text C:\WINDOWS\system32\wuauclt.exe[2468] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0284001D
.text C:\WINDOWS\system32\wuauclt.exe[2468] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02840FD2
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02850047
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0285007D
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0285002C
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02850011
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02850FB6
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02850000
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02850FD1
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A5, 8A]
.text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02850062
.text C:\WINDOWS\system32\wuauclt.exe[2468] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02830FE5
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0FE5
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00ED0F80
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00ED0075
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED0064
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00ED0FA5
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00ED0036
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00ED00AB
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00ED0090
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00ED00CD
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00ED0F34
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00ED0F0F
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00ED0047
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00ED0F65
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00ED0025
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00ED0FCA
.text C:\WINDOWS\system32\dllhost.exe[2924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00ED00BC
.text C:\WINDOWS\system32\dllhost.exe[2924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EB0F97
.text C:\WINDOWS\system32\dllhost.exe[2924] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EB0022
.text C:\WINDOWS\system32\dllhost.exe[2924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EB0FC6
.text C:\WINDOWS\system32\dllhost.exe[2924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\dllhost.exe[2924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EB0011
.text C:\WINDOWS\system32\dllhost.exe[2924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EB0FE3
.text C:\WINDOWS\system32\dllhost.exe[2924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EC0FCA
.text C:\WINDOWS\system32\dllhost.exe[2924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\dllhost.exe[2924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EC0011
.text C:\WINDOWS\system32\dllhost.exe[2924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\dllhost.exe[2924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\dllhost.exe[2924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\dllhost.exe[2924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\dllhost.exe[2924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EC0FAF
.text C:\WINDOWS\system32\dllhost.exe[2924] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0067
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0056
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B002F
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F72
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB2
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00BA
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0093
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00DC
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F43
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00ED
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F97
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0082
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00CB
.text C:\WINDOWS\system32\wuauclt.exe[3860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3860] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A003A
.text C:\WINDOWS\system32\wuauclt.exe[3860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A000C
.text C:\WINDOWS\system32\wuauclt.exe[3860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A004B
.text C:\WINDOWS\system32\wuauclt.exe[3860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0029
.text C:\WINDOWS\system32\wuauclt.exe[3860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0062
.text C:\WINDOWS\system32\wuauclt.exe[3860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\wuauclt.exe[3860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0047
.text C:\WINDOWS\system32\wuauclt.exe[3860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0036
.text C:\WINDOWS\system32\wuauclt.exe[3860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0025

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B3E62D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

#12 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 December 2009 - 07:55 PM

There seems to be something terminating rootkit scanners and doing a good job of covering their trail.

Combofix is available to us now so let's use it.

Please download ComboFix from here

  • IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#13 Kurtlib

  • Topic Starter
  • Members
  • 12 posts

Posted 18 December 2009 - 07:02 PM

Ran comfix - it installed recovery console and then scanned. Scan completed, got a few messages about deleting files - deleted a few and then got a blue screen with Windows shutting down messages along with a dump. Message IRQL_NOT_LESS_OR_EQUAL some additional text and then Technical Information ***STOP: 0x000000A (0x00000016, 0x000000C, 0x0000000, 0x80502EAA).

I rebooted and tried running comfix again - completed scans, no messages this time about deleting files and here is comfix.txt

ComboFix 09-12-18.01 - Liberatore Family 12/18/2009 18:43:40.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2667 [GMT -5:00]
Running from: c:\documents and settings\Liberatore Family\Desktop\comfix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Liberatore Family\My Documents\120109a.reg
c:\program files\INSTALL.LOG
c:\windows\kb913800.exe
c:\windows\system32\inf
c:\windows\system32\inf\MA_CMIDI.INF
c:\windows\system32\msvcsv60.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-18 to 2009-12-18 )))))))))))))))))))))))))))))))
.

2009-12-15 01:06 . 2009-12-15 01:06 -------- d--h--w- c:\windows\PIF
2009-12-05 18:34 . 2009-12-05 18:34 73728 ----a-r- c:\documents and settings\Liberatore Family\Application Data\Microsoft\Installer\{D6209782-BDE3-461A-81BC-D6BF0965E5F0}\NewShortcut4_6CD9DF7760004B98AD308333FDB79F08.exe
2009-12-05 18:34 . 2009-12-05 18:34 61440 ----a-r- c:\documents and settings\Liberatore Family\Application Data\Microsoft\Installer\{D6209782-BDE3-461A-81BC-D6BF0965E5F0}\NewShortcut6_3A34C0E335D54AD08608B4325A975D9B.exe
2009-12-05 18:34 . 2009-12-05 18:34 2238 ----a-r- c:\documents and settings\Liberatore Family\Application Data\Microsoft\Installer\{D6209782-BDE3-461A-81BC-D6BF0965E5F0}\NewShortcut3_F8FA879B6B95476CA4CFC483873769AB.exe
2009-12-05 18:34 . 2009-12-05 18:34 69632 ----a-r- c:\documents and settings\Liberatore Family\Application Data\Microsoft\Installer\{D6209782-BDE3-461A-81BC-D6BF0965E5F0}\NewShortcut2_6CD9DF7760004B98AD308333FDB79F08.exe
2009-12-05 18:34 . 2009-12-05 18:34 2238 ----a-r- c:\documents and settings\Liberatore Family\Application Data\Microsoft\Installer\{D6209782-BDE3-461A-81BC-D6BF0965E5F0}\NewShortcut1_F8FA879B6B95476CA4CFC483873769AB.exe
2009-12-05 18:34 . 2009-12-05 18:34 2238 ----a-r- c:\documents and settings\Liberatore Family\Application Data\Microsoft\Installer\{D6209782-BDE3-461A-81BC-D6BF0965E5F0}\ARPPRODUCTICON.exe
2009-12-05 18:33 . 2009-12-05 18:33 -------- d-----w- c:\program files\Seagate
2009-12-02 15:13 . 2009-12-02 15:13 -------- d-----w- c:\program files\Citrix
2009-12-02 15:13 . 2009-12-02 15:13 -------- d-----w- c:\documents and settings\Liberatore Family\Local Settings\Application Data\Citrix
2009-12-02 00:28 . 2009-09-07 18:02 27944 ----a-w- c:\windows\system32\sbbd.exe
2009-12-02 00:28 . 2009-12-12 21:00 -------- d-----w- C:\VIPRERESCUE
2009-12-01 18:48 . 2009-08-05 19:58 93872 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-12-01 18:46 . 2009-12-17 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-01 18:34 . 2009-12-05 01:41 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-01 18:33 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 18:33 . 2009-12-05 01:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-01 18:33 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 18:14 . 2009-12-01 18:14 -------- d-----w- c:\program files\Trend Micro
2009-11-30 22:50 . 2009-11-30 22:50 2 --shatr- c:\windows\winstart.bat
2009-11-30 22:49 . 2009-12-17 01:08 -------- d-----w- c:\program files\UnHackMe
2009-11-30 01:31 . 2009-12-04 01:52 117760 ----a-w- c:\documents and settings\Liberatore Family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-30 01:31 . 2009-11-30 01:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-29 21:45 . 2009-12-05 13:11 -------- d-----w- c:\windows\BDOSCAN8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-16 22:02 . 2007-04-01 14:26 -------- d-----w- c:\program files\McAfee
2009-12-15 01:32 . 2007-04-01 14:09 105344 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2009-12-09 00:04 . 2009-04-04 13:47 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\Digidesign
2009-12-06 22:42 . 2007-04-06 18:53 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\U3
2009-12-05 20:18 . 2007-07-21 19:46 48 ----a-w- c:\windows\msocreg32.dat
2009-12-05 18:34 . 2007-04-06 20:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-03 01:35 . 2007-04-08 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-01 18:53 . 2007-04-08 12:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-01 17:29 . 2007-04-08 12:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-30 01:31 . 2009-03-01 22:11 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\SUPERAntiSpyware.com
2009-11-29 21:49 . 2008-01-20 18:04 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\HPAppData
2009-11-12 01:11 . 2007-04-01 14:28 -------- d-----w- c:\program files\Roxio
2009-11-12 00:58 . 2009-10-15 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-11-10 00:58 . 2009-11-10 00:58 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\Publish Providers
2009-11-10 00:58 . 2009-11-10 00:58 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\NetMedia Providers
2009-11-10 00:58 . 2009-11-10 00:58 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\Sony
2009-11-10 00:50 . 2009-11-10 00:50 -------- d-----w- c:\program files\Sony
2009-11-07 13:19 . 2009-11-07 13:14 23155 ----a-w- c:\windows\hpqins15.dat
2009-10-30 20:45 . 2009-10-30 20:45 -------- d-----w- c:\program files\iZotope
2009-10-29 07:46 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 09:18 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2009-10-25 16:31 . 2008-04-10 20:37 61440 ----a-w- c:\documents and settings\Liberatore Family\Application Data\Waves Audio\Caches\C\Program Files\Waves\Plug-Ins\IDR.dll\XWMC\1000.dll
2009-10-24 20:58 . 2007-07-06 21:39 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\PACE Anti-Piracy
2009-10-24 20:58 . 2007-07-06 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-10-24 20:52 . 2009-10-24 20:52 -------- d-----w- c:\documents and settings\Liberatore Family\Application Data\iZotope
2009-10-21 05:38 . 2005-08-16 09:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 09:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-15 23:26 . 2007-04-01 14:32 79880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 23:10 . 2009-10-15 23:10 10134 ----a-r- c:\documents and settings\Liberatore Family\Application Data\Microsoft\Installer\{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}\ARPPRODUCTICON.exe
2009-10-13 10:30 . 2005-08-16 09:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 09:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 09:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-01-23 23:31 . 2009-01-23 23:31 604 ---ha-w- c:\program files\STLL Notifier
2009-01-18 17:15 . 2009-01-18 17:15 604 ---ha-w- c:\program files\WSTLL Notifier
2008-04-08 21:41 . 2007-11-02 22:06 0 ---ha-w- c:\program files\Common Files\MSN
2009-10-06 01:03 . 2009-10-06 01:03 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-10-06 01:03 . 2009-10-06 01:03 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-10-06 01:03 . 2009-10-06 01:03 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-10-06 01:03 . 2009-10-06 01:03 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-04-10 16:01 . 2008-04-10 16:01 6275816 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-08 7630848]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2009-12-02 15:13 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave3"=Digi32.dll
"MIDI2"=diomidi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Liberatore Family^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
path=c:\documents and settings\Liberatore Family\Start Menu\Programs\Startup\AutoBackup Launcher.lnk
backup=c:\windows\pss\AutoBackup Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
2008-12-04 03:12 77824 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ------w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2008-09-08 15:03 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-03-17 17:17 2387968 ----a-w- c:\program files\Roxio\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 21:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 11:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-08 11:54 7630848 ------w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-27 11:19 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
2007-01-18 18:20 190008 ----a-w- c:\program files\Seagate\SystemTray\StxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [7/8/2007 6:12 PM 16384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [12/1/2009 1:48 PM 93872]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [7/8/2007 6:11 PM 16400]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [9/9/2008 8:07 AM 309744]
S3 cpuz128;cpuz128;c:\program files\PC Wizard 2008\pcwiz32.sys [2/9/2008 10:27 AM 7808]
S3 DGFWBOOT;Bootloader Service for Mbox 2 Pro Driver (WDM);c:\windows\system32\drivers\dgfwboot.sys [7/8/2007 6:11 PM 24080]
S3 DIGIFW;Service for Mbox 2 Pro Driver (WDM);c:\windows\system32\drivers\digifw.sys [7/8/2007 6:11 PM 167952]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe [12/2/2009 10:13 AM 161144]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [4/9/2009 9:48 PM 52008]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [10/15/2009 6:09 PM 16384]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [10/15/2009 6:09 PM 16640]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [9/9/2008 8:07 AM 1120752]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [4/7/2007 10:02 AM 406784]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [4/7/2007 10:02 AM 10912]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [4/7/2007 10:02 AM 19904]
S4 SessionLauncher;SessionLauncher;c:\docume~1\LIBERA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\LIBERA~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-03-17 17:14 451872 ----a-w- c:\program files\Roxio\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Liberatore Family\Application Data\Mozilla\Firefox\Profiles\5esza3lw.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BHR - c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 18:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
.
Completion time: 2009-12-18 18:52:10
ComboFix-quarantined-files.txt 2009-12-18 23:51

Pre-Run: 103,626,194,944 bytes free
Post-Run: 103,586,066,432 bytes free

- - End Of File - - 8B59BFF7DB34744193B1A8F19F134005

#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:00 PM

Posted 18 December 2009 - 08:16 PM

c:\windows\kb913800.exe


Combofix found this worm and removed it. It's a file infector so we will need to do a couple of extra scans to find any files it may have got to.


Should be clear to give MBAM a run next. Let me know if it won't start.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :(
m0le is a proud member of UNITE

#15 Kurtlib

  • Topic Starter
  • Members
  • 12 posts
  • Local time:05:00 PM

Posted 19 December 2009 - 03:55 PM

Ran MBAM - it found 1 infected file. I deleted it and saved the log, rebooted when asked, re-ran MBAM and everything came up clean. The infected file is one that I downloaded about 2 years ago, so I guess the infection is new - not clear to me that the infected file is related to the worm that was removed?

Malwarebytes' Anti-Malware 1.42
Database version: 3393
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/19/2009 1:00:08 PM
mbam-log-2009-12-19 (13-00-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 320333
Time elapsed: 1 hour(s), 32 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mini Screen Capture\MiniScreenCapture.exe (Trojan.FakeAlert) -> No action taken.