Vundo.IY and/or SHeur2


  • This topic is locked
8 replies to this topic

#1 kjt253

  • Members
  • 4 posts

Posted 09 December 2009 - 05:01 PM

Hi

I'm using AVG and recently when scanning it has picked up the Vundo.IY trojan. I have some of the symptoms of this kind of trojan: annoying pop-ups and error messages from Windows on start-up, such as the SisTray failing to load, "Windows has encountered an error with ... and the program has had to close" (the ... is because Windows doesn't actually tell me what program has closed; there is just a gap where the name would be), and that Windows Media updater has encountered a problem and needs to close. I am also unable to enable Windows Defender, but I'm not sure whether this is related. Also, both AVG and McAfee have just begun to report the blocking of the Trojan horse SHeur2.BXNY, saying that an accessed file is infected.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Karen at 20:55:13.20 on 09/12/2009
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1919.578 [GMT 0:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Karen\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\Karen\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Karen\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Karen\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Karen\Documents\Downloads\dds.scr
C:\Windows\system32\taskeng.exe
C:\Windows\system32\mcbuilder.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/webhp?sourceid=navclient&hl=en-GB&ie=UTF-8
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\google\google_bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [EPSON Stylus D92 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibze.exe /fu "c:\windows\temp\E_S310E.tmp" /EF "HKCU"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "c:\users\karen\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.40 Safari/530.5" -"http://www.xperteleven.com/gameviewer.aspx?Cup=0&gameid=7177087&sound=1&games=&vip=0&dh=5"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [toolbar_eula_launcher] c:\program files\packard bell\google_eula\EULALauncher.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\users\karen\appdata\local\temp\NAILogs.SH!
StartupFolder: c:\users\karen\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mortimer%20Beckett%20and%20the%20Time%20Paradox/Images/stg_drm.ocx
DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - hxxp://zone.msn.com/bingame/rock/default/popcaploader1.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrvtx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSvx.sys [2009-12-1 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-1 161800]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2009-12-1 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-1 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-1 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-1 360584]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-12-6 214664]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-19 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-11-19 334568]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-1 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-12-1 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-1 5832712]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-6 144704]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-11-19 967912]
R3 AVGIDSDrivervtx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSDriver.sys [2009-12-1 122376]
R3 AVGIDSFiltervtx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSFilter.sys [2009-12-1 30216]
R3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_vista\AVGIDSShim.sys [2009-12-1 27800]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-6 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-6 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-6 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-6 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2007-9-24 452968]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2007-10-28 47616]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-5-6 104000]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-26 21504]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-6 34248]

=============== Created Last 30 ================

2009-12-09 20:27:23 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 20:27:21 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 20:27:20 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 19:59:39 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 19:56:50 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 19:56:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-09 19:53:07 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 12:06:34 0 d-----w- c:\program files\Trend Micro
2009-12-08 19:09:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 19:09:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 19:09:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 19:00:58 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-08 19:00:02 0 d-----w- c:\users\karen\appdata\roaming\SUPERAntiSpyware.com
2009-12-08 19:00:02 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-08 18:58:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-07 14:10:00 0 d-----w- c:\users\karen\appdata\roaming\Malwarebytes
2009-12-07 13:46:45 0 d-----w- c:\programdata\Malwarebytes
2009-12-07 00:31:37 0 ---ha-w- C:\ntuser.dat.LOG2
2009-12-07 00:30:44 0 ---ha-w- C:\ntuser.dat.LOG1
2009-12-07 00:30:44 0 ----a-w- C:\ntuser.dat
2009-12-06 21:00:55 12078 ----a-w- c:\windows\system32\Config.MPF
2009-12-06 20:58:01 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-06 20:58:00 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-06 20:58:00 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-06 20:57:46 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-06 20:57:21 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-06 20:56:41 0 d-----w- c:\program files\common files\McAfee
2009-12-06 20:56:37 0 d-----w- c:\program files\McAfee.com
2009-12-06 20:41:21 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-02 21:02:35 36 ----a-w- c:\windows\system32\??
2009-12-02 17:47:09 0 d-----w- c:\programdata\Norton
2009-12-02 17:46:46 0 d-----w- c:\programdata\NortonInstaller
2009-12-01 18:04:10 0 d--h--w- C:\$AVG
2009-12-01 18:04:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-01 18:04:05 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-01 18:04:05 25608 ----a-w- c:\windows\system32\drivers\AVGIDSvx.sys
2009-12-01 18:04:05 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-01 18:03:44 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-01 18:03:29 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-01 18:03:26 0 d-----w- c:\programdata\AVG Security Toolbar
2009-12-01 18:01:17 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-12-01 18:01:04 0 d-----w- c:\programdata\avg9
2009-11-25 10:14:14 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 09:59:45 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 09:59:43 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 09:59:39 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-17 12:43:17 0 d-----w- c:\program files\Windows Portable Devices
2009-11-17 12:42:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-17 10:43:40 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-17 10:43:39 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-11-17 10:43:39 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-17 10:41:54 2626 ----a-w- c:\windows\system32\wbem\BthMtpEnum.mof
2009-11-17 10:39:13 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-17 10:39:11 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-17 10:39:11 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-14 23:49:44 0 d-----w- c:\program files\VideoLAN
2009-11-11 23:25:35 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 23:20:06 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 20:32:37 0 d-----w- c:\programdata\Electronic Arts
2009-11-10 20:00:02 0 d-----w- c:\program files\Microsoft WSE
2009-11-10 19:59:30 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

==================== Find3M ====================

2009-12-06 18:40:22 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-06 18:40:22 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-06 18:40:22 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-17 12:43:10 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-02 20:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 09:32:01 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2008-10-05 11:36:23 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-05-26 18:52:07 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-03-03 09:30:02 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008022520080303\index.dat
2008-03-10 09:30:00 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008030320080310\index.dat
2008-03-17 14:00:00 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031020080317\index.dat
2008-03-17 17:30:01 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031720080318\index.dat
2008-03-18 15:30:04 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031820080319\index.dat
2008-03-19 10:00:01 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031920080320\index.dat
2007-10-28 00:45:56 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:04:39.42 ===============


I attempted to scan with RootRepeal but encountered a lot of errors, so I have been unable to complete it and attach the file.

Any help with this issue would be much appreciated.

Karen


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 December 2009 - 06:48 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!



#3 kjt253
  • Topic Starter

  • Members
  • 4 posts

Posted 09 December 2009 - 07:44 PM

Here is the log...

ComboFix 09-12-09.04 - Karen 10/12/2009 0:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1919.1017 [GMT 0:00]
Running from: c:\users\Karen\Documents\Downloads\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1764259137-3529655530-3795062156-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\users\Karen\AppData\Roaming\.#
c:\windows\Downloaded Program Files\popcaploader.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-12-10 00:34 . 2009-12-10 00:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-10 00:04 . 2009-12-10 00:04 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2009-12-09 21:48 . 2009-12-09 21:52 34816 ----a-w- c:\windows\system32\drivers\rootrepeal1.sys
2009-12-09 20:27 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 20:27 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 20:27 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 19:59 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 19:56 . 2009-10-27 14:11 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 19:56 . 2009-10-27 13:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-09 19:53 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 12:06 . 2009-12-09 12:06 -------- d-----w- c:\program files\Trend Micro
2009-12-08 19:09 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 19:09 . 2009-12-08 19:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 19:09 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 19:00 . 2009-12-08 19:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-08 19:00 . 2009-12-10 00:14 -------- d-----w- c:\users\Karen\AppData\Roaming\SUPERAntiSpyware.com
2009-12-08 19:00 . 2009-12-10 00:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-07 14:10 . 2009-12-07 14:10 -------- d-----w- c:\users\Karen\AppData\Roaming\Malwarebytes
2009-12-07 13:49 . 2009-12-07 13:49 1519912 ----a-w- c:\programdata\avg9\IDS\profile\C__USERS_KAREN_APPDATA_LOCAL_GOOGLE_CHROME_APPLICATION_CHROME.EXE
2009-12-07 13:49 . 2009-12-07 13:49 6076 ----a-w- c:\programdata\avg9\IDS\profile\C__PROGRAM FILES_WINDOWS SIDEBAR_SIDEBAR.EXE
2009-12-07 13:49 . 2009-12-07 13:49 50626 ----a-w- c:\programdata\avg9\IDS\profile\C__PROGRAM FILES_WINDOWS LIVE_MESSENGER_MSNMSGR.EXE
2009-12-07 13:49 . 2009-12-07 13:49 3217780 ----a-w- c:\programdata\avg9\IDS\profile\C__PROGRAM FILES_UTORRENT_UTORRENT.EXE
2009-12-07 13:49 . 2009-12-07 13:49 352 ----a-w- c:\programdata\avg9\IDS\profile\C__PROGRAM FILES_MCAFEE.COM_AGENT_MCUPDATE.EXE
2009-12-07 13:46 . 2009-12-07 13:46 -------- d-----w- c:\programdata\Malwarebytes
2009-12-07 00:30 . 2009-12-07 00:30 0 ----a-w- C:\ntuser.dat
2009-12-06 20:58 . 2009-11-04 16:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-06 20:58 . 2009-11-04 16:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-06 20:58 . 2009-11-04 16:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-06 20:57 . 2009-07-16 12:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-06 20:57 . 2009-11-04 16:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-06 20:56 . 2009-12-06 20:57 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-06 20:56 . 2009-12-06 20:56 -------- d-----w- c:\program files\McAfee.com
2009-12-06 20:41 . 2009-11-04 16:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-06 18:16 . 2009-12-06 18:16 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb4D37.tmp.exe
2009-12-04 11:08 . 2009-12-01 18:02 304408 ----a-w- c:\programdata\avg9\update\backup\avgaspmx.dll
2009-12-03 16:47 . 2009-12-03 16:47 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-02 17:47 . 2009-12-02 20:36 -------- d-----w- c:\programdata\Norton
2009-12-02 17:46 . 2009-12-02 17:46 -------- d-----w- c:\programdata\NortonInstaller
2009-12-01 18:21 . 2009-12-01 18:02 3963648 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-12-01 18:21 . 2009-12-01 18:02 497944 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2009-12-01 18:20 . 2009-12-01 18:02 877848 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2009-12-01 18:20 . 2009-12-01 18:02 1657112 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2009-12-01 18:04 . 2009-12-01 18:04 -------- d-----w- C:\$AVG
2009-12-01 18:04 . 2009-12-01 18:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-01 18:04 . 2009-12-01 18:04 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-01 18:04 . 2009-12-01 18:04 25608 ----a-w- c:\windows\system32\drivers\AVGIDSvx.sys
2009-12-01 18:04 . 2009-12-01 18:04 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-01 18:03 . 2009-12-01 18:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-01 18:03 . 2009-12-01 18:03 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-01 18:03 . 2009-12-09 10:16 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-01 18:03 . 2009-12-01 18:03 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-12-01 18:01 . 2009-12-01 18:01 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-12-01 18:01 . 2009-12-09 19:22 -------- d-----w- c:\programdata\avg9
2009-11-30 12:27 . 2009-11-30 12:27 552 ----a-w- c:\users\Karen\AppData\Local\d3d8caps.dat
2009-11-25 20:09 . 2009-11-25 20:09 784120 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-25 10:14 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 09:59 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 09:59 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-21 16:29 . 2009-11-21 16:29 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2009-11-17 12:43 . 2009-11-17 12:43 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-17 10:43 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-17 10:43 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-11-17 10:43 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-17 10:41 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-11-17 10:41 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-11-17 10:41 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-11-17 10:41 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-11-17 10:41 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-11-17 10:41 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-11-17 10:41 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-11-17 10:41 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-11-17 10:39 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-17 10:39 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-17 10:39 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-14 23:59 . 2009-11-14 23:59 -------- d-----w- c:\users\Karen\AppData\Roaming\Media Player Classic
2009-11-14 23:51 . 2009-12-07 00:50 -------- d-----w- c:\users\Karen\AppData\Roaming\vlc
2009-11-14 23:49 . 2009-11-14 23:49 -------- d-----w- c:\program files\VideoLAN
2009-11-11 23:25 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 23:20 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 20:32 . 2009-11-15 14:30 -------- d-----w- c:\programdata\Electronic Arts
2009-11-10 20:00 . 2009-11-10 20:00 10134 ----a-r- c:\users\Karen\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-11-10 20:00 . 2009-11-10 20:00 -------- d-----w- c:\program files\Microsoft WSE
2009-11-10 19:59 . 2006-09-28 16:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-11-10 19:34 . 2009-11-15 14:30 -------- d-----w- c:\program files\Electronic Arts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 00:35 . 2008-04-27 21:34 -------- d-----w- c:\programdata\Kontiki
2009-12-10 00:34 . 2009-01-13 12:55 -------- d-----w- c:\users\Karen\AppData\Roaming\uTorrent
2009-12-09 20:35 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 20:30 . 2007-10-27 16:42 -------- d-----w- c:\programdata\Microsoft Help
2009-12-07 13:52 . 2008-05-06 12:11 -------- d-----w- c:\program files\McAfee
2009-12-07 13:31 . 2008-02-03 13:52 125416 ----a-w- c:\users\Karen\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-07 00:01 . 2008-05-06 12:12 -------- d-----w- c:\programdata\McAfee
2009-12-06 18:51 . 2007-10-27 16:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-06 18:41 . 2007-10-27 16:35 -------- d-----w- c:\programdata\Symantec
2009-12-06 18:41 . 2007-10-27 16:37 -------- d-----w- c:\program files\Norton 360
2009-12-06 15:34 . 2008-12-08 09:55 -------- d-----w- c:\programdata\FLEXnet
2009-12-06 15:34 . 2007-10-27 16:25 -------- d-----w- c:\program files\Microsoft Works
2009-12-06 15:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-06 15:34 . 2009-11-02 22:39 -------- d-----w- c:\program files\iTunes
2009-12-01 18:01 . 2008-05-06 15:32 -------- d-----w- c:\program files\AVG
2009-11-29 15:37 . 2008-02-17 16:36 -------- d-----w- c:\users\Karen\AppData\Roaming\PlayFirst
2009-11-29 15:37 . 2008-02-17 16:36 -------- d-----w- c:\programdata\PlayFirst
2009-11-17 12:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 12:42 . 2009-11-17 12:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-17 08:19 . 2008-02-16 16:33 -------- d-----w- c:\program files\Java
2009-11-13 17:36 . 2007-10-27 16:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 22:55 . 2008-02-03 21:43 -------- d-----w- c:\program files\Messenger Plus! Live
2009-11-08 11:56 . 2009-11-08 11:56 -------- d-----w- c:\users\Karen\AppData\Roaming\ERS G-Studio
2009-11-02 22:40 . 2009-11-02 22:40 -------- d-----w- c:\program files\iPod
2009-11-02 22:40 . 2008-02-03 15:37 -------- d-----w- c:\program files\Common Files\Apple
2009-11-02 21:55 . 2009-11-02 21:55 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-02 20:42 . 2009-10-03 17:22 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-25 08:59 . 2009-04-26 13:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-25 08:58 . 2009-08-10 14:26 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-25 08:58 . 2009-04-26 13:13 38208 ----a-w- c:\users\Karen\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-24 10:10 . 2009-10-24 10:10 249856 ----a-w- c:\programdata\PlayFirst\Games\components\pfMultiplayer.dll
2009-10-24 10:10 . 2009-10-24 10:09 466944 ----a-w- c:\programdata\PlayFirst\Games\pfHarness\pfHarness.dll
2009-10-22 12:42 . 2008-02-12 11:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-21 09:59 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-21 09:59 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-10-21 09:59 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-10-21 09:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-10-21 09:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-10-11 04:17 . 2008-12-10 21:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:02 . 2009-11-17 10:42 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-17 10:42 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-17 10:42 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-17 10:42 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-25 02:10 . 2009-11-17 10:42 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-11-17 10:42 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-11-17 10:42 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-11-17 10:42 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-11-17 10:42 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-11-17 10:42 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-11-17 10:42 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-11-17 10:42 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-11-17 10:42 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-11-17 10:42 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-11-17 10:42 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-11-17 10:42 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-11-17 10:42 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-11-17 10:42 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-11-17 10:42 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-11-17 10:42 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-11-17 10:42 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-11-17 10:42 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-11-17 10:42 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-11-17 10:42 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-11-17 10:42 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-11-17 10:42 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-11-17 10:42 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-11-17 10:42 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-11-17 10:42 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-11-17 10:42 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-11-17 10:42 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-20 08:02 . 2009-09-20 08:02 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbDF6.tmp.exe
2009-09-14 09:29 . 2009-10-18 14:17 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2008-10-05 11:36 . 2008-10-05 11:36 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-10-27 16:33 . 2007-10-27 16:33 141824 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-10-28 00:45 . 2007-10-28 00:39 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 12:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler" [X]
"kdx"="c:\program files\Kontiki\KHost.exe -all" [X]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe -silent" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]
"Google Update"="c:\users\Karen\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-27 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-11-01 289072]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103470 -Mozilla" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe -hide" [X]
"kdx"="c:\program files\Kontiki\KHost.exe -all" [X]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe -atboottime" [X]
"SiSTray"="c:\program files\SiS VGA Utilities\SiSTray.exe" [2007-09-17 552960]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 4702208]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-01-11 232184]
"toolbar_eula_launcher"="c:\program files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-02-20 28672]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-01 2020120]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\users\Karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a5,1d,b5,a7,36,52,ca,01

R0 AVGIDSErHrvtx;AVG9IDSErHr;c:\windows\System32\drivers\AVGIDSvx.sys [01/12/2009 18:04 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [01/12/2009 18:04 161800]
R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [01/12/2009 18:01 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [01/12/2009 18:03 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\System32\drivers\avgtdix.sys [01/12/2009 18:04 360584]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [19/11/2009 09:50 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [19/11/2009 09:50 334568]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [01/12/2009 18:02 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [01/12/2009 18:02 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [01/12/2009 18:02 5832712]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [19/11/2009 09:50 967912]
R3 AVGIDSDrivervtx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSDriver.sys [01/12/2009 18:02 122376]
R3 AVGIDSFiltervtx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSFilter.sys [01/12/2009 18:02 30216]
R3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys [01/12/2009 18:02 27800]
R3 SiS6350;SiS6350;c:\windows\System32\drivers\SISGRKMD.sys [24/09/2007 10:46 452968]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\System32\drivers\SiSGB6.sys [28/10/2007 00:38 47616]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [26/05/2008 18:00 21504]

--- Other Services/Drivers In Memory ---

*Deregistered* - SASENUM

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?sourceid=navclient&hl=en-GB&ie=UTF-8
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 00:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x87FAA618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x859ced24
\Driver\ACPI -> acpi.sys @ 0x8069dd68
\Driver\atapi -> ataport.SYS @ 0x807b9a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-10 00:41:16
ComboFix-quarantined-files.txt 2009-12-10 00:41

Pre-Run: 61,184,245,760 bytes free
Post-Run: 61,087,416,320 bytes free

- - End Of File - - 768A93E2E21CBDCD81A9E969250BC24B

#4 Buckeye_Sam (Malware Expert)

Posted 09 December 2009 - 08:33 PM

I see signs of three antivirus programs in your log: AVG, McAfee, and Symantec.
It looks like you are running AVG as your main antivirus, but the others are still there and haven't been uninstalled correctly. Can you clarify this for me?

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

#5 kjt253 (Topic Starter)

Posted 10 December 2009 - 04:56 PM

Hey. Yeah, I'm running AVG currently. I have a trial version of McAfee as well. Norton should have been uninstalled, but I hear it is difficult to get rid of. Here are the results of the scan...

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-10 18:57:42
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Karen\AppData\Local\Temp\agrcqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x8F47ACEC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x8F47B3F8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x8F47B544]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x8F47EBDE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x8F47EC10]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x8F47B4A8]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwOpenProcess [0x8292B620]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x8F47B022]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x8F47B154]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x8F47ECE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x8F47EC4E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x8F47EC80]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x8F47ECB2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x8F47AC9A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x8F47B5A4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x8F47EB7E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x8F47AC3E]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwTerminateProcess [0x8292B6D0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwTerminateThread [0x8292B770]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwWriteVirtualMemory [0x8292B810]

INT 0xA1 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys 8F4D0800

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F4FC73A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F4FC74E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F4FC7DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F4FC821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F4FC778]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F4FC7F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F4FC7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F4FC764]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 84E6B982 5 Bytes JMP 8F4FC7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!KeSetEvent + 191 84EEC8D4 4 Bytes [EC, AC, 47, 8F]
.text ntkrnlpa.exe!KeSetEvent + 1D9 84EEC91C 4 Bytes [F8, B3, 47, 8F]
.text ntkrnlpa.exe!KeSetEvent + 2D1 84EECA14 8 Bytes [44, B5, 47, 8F, DE, EB, 47, ...]
.text ntkrnlpa.exe!KeSetEvent + 2E1 84EECA24 4 Bytes [10, EC, 47, 8F]
.text ntkrnlpa.exe!KeSetEvent + 3D1 84EECB14 4 Bytes [A8, B4, 47, 8F]
.text ...
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 84FFF5B5 5 Bytes JMP 8F4FC825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 85009B82 5 Bytes JMP 8F4FC768 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 85050446 7 Bytes JMP 8F4FC7E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 85050709 5 Bytes JMP 8F4FC7F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 85054474 5 Bytes JMP 8F4FC77C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 850D174B 5 Bytes JMP 8F4FC73E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 850D1796 7 Bytes JMP 8F4FC752 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[596] kernel32.dll!GetStartupInfoW 759E1929 5 Bytes JMP 00700F30
.text C:\Windows\system32\services.exe[596] kernel32.dll!GetStartupInfoA 759E19C9 5 Bytes JMP 00700076
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateProcessW 759E1BF3 5 Bytes JMP 007000C7
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateProcessA 759E1C28 5 Bytes JMP 007000AC
.text C:\Windows\system32\services.exe[596] kernel32.dll!VirtualProtect 759E1DC3 5 Bytes JMP 00700F5C
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateNamedPipeA 759E2EF5 5 Bytes JMP 00700FC0
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateNamedPipeW 759E5C0C 5 Bytes JMP 00700011
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreatePipe 75A08E6E 5 Bytes JMP 00700F4B
.text C:\Windows\system32\services.exe[596] kernel32.dll!LoadLibraryExW 75A09109 5 Bytes JMP 00700F79
.text C:\Windows\system32\services.exe[596] kernel32.dll!LoadLibraryW 75A09362 5 Bytes JMP 00700F94
.text C:\Windows\system32\services.exe[596] kernel32.dll!LoadLibraryExA 75A094B4 5 Bytes JMP 00700036
.text C:\Windows\system32\services.exe[596] kernel32.dll!LoadLibraryA 75A094DC 5 Bytes JMP 00700FA5
.text C:\Windows\system32\services.exe[596] kernel32.dll!VirtualProtectEx 75A0DBDA 5 Bytes JMP 00700051
.text C:\Windows\system32\services.exe[596] kernel32.dll!GetProcAddress 75A2903B 5 Bytes JMP 00700F0B
.text C:\Windows\Explorer.EXE[1684] ADVAPI32.dll!RegCreateKeyA 75883BA9 5 Bytes JMP 00DE002F
.text C:\Windows\Explorer.EXE[1684] ADVAPI32.dll!RegOpenKeyA 758889C7 5 Bytes JMP 00DE0FEF
.text C:\Windows\Explorer.EXE[1684] ADVAPI32.dll!RegCreateKeyW 7589391E 5 Bytes JMP 00DE0FA8
.text C:\Windows\Explorer.EXE[1684] ADVAPI32.dll!RegCreateKeyExW 758941F1 5 Bytes JMP 00DE0F72
.text C:\Windows\Explorer.EXE[1684] ADVAPI32.dll!RegOpenKeyExA 75897C42 5 Bytes JMP 00DE0FCD
.text C:\Windows\Explorer.EXE[1684] ADVAPI32.dll!RegOpenKeyW 7589E2B5 5 Bytes JMP 00DE0FDE
.text C:\Windows\Explorer.EXE[1684] ADVAPI32.dll!RegOpenKeyExW 758A7BA1 5 Bytes JMP 00DE001E
.text C:\Windows\Explorer.EXE[1684] msvcrt.dll!_wsystem 75987F2F 5 Bytes JMP 00DF0F8B
.text C:\Windows\Explorer.EXE[1684] msvcrt.dll!system 7598804B 5 Bytes JMP 00DF0FA6
.text C:\Windows\Explorer.EXE[1684] msvcrt.dll!_creat 7598BBE1 5 Bytes JMP 00DF0FB7
.text C:\Windows\Explorer.EXE[1684] msvcrt.dll!_open 7598D106 5 Bytes JMP 00DF0FEF
.text C:\Windows\Explorer.EXE[1684] msvcrt.dll!_wcreat 7598D326 5 Bytes JMP 00DF0016
.text C:\Windows\Explorer.EXE[1684] msvcrt.dll!_wopen 7598D501 5 Bytes JMP 00DF0FDE
.text C:\Windows\Explorer.EXE[1684] WININET.dll!InternetOpenA 76A5D47D 5 Bytes JMP 00E10000
.text C:\Windows\Explorer.EXE[1684] WININET.dll!InternetOpenW 76A5D7DA 5 Bytes JMP 00E10011
.text C:\Windows\Explorer.EXE[1684] WININET.dll!InternetOpenUrlA 76A5FE4B 5 Bytes JMP 00E1002C
.text C:\Windows\Explorer.EXE[1684] WININET.dll!InternetOpenUrlW 76AA9139 5 Bytes JMP 00E10FDB
.text C:\Windows\Explorer.EXE[1684] WS2_32.dll!socket 770736D1 5 Bytes JMP 01EB0FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2520] kernel32.dll!LoadLibraryW 75A09362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2520] kernel32.dll!LoadLibraryA 75A094DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!GetStartupInfoW 759E1929 5 Bytes JMP 00520F50
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!GetStartupInfoA 759E19C9 5 Bytes JMP 00520096
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!CreateProcessW 759E1BF3 5 Bytes JMP 00520F1D
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!CreateProcessA 759E1C28 5 Bytes JMP 00520F2E
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!VirtualProtect 759E1DC3 5 Bytes JMP 00520F90
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!CreateNamedPipeA 759E2EF5 5 Bytes JMP 00520FD4
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!CreateNamedPipeW 759E5C0C 5 Bytes JMP 00520FC3
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!CreatePipe 75A08E6E 5 Bytes JMP 0052007B
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!LoadLibraryExW 75A09109 5 Bytes JMP 0052006A
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!LoadLibraryW 75A09362 5 Bytes JMP 00520FB2
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!LoadLibraryExA 75A094B4 5 Bytes JMP 00520FA1
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!LoadLibraryA 75A094DC 5 Bytes JMP 00520039
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!VirtualProtectEx 75A0DBDA 5 Bytes JMP 00520F75
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!GetProcAddress 75A2903B 5 Bytes JMP 005200C5
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!CreateFileW 75A2AECB 5 Bytes JMP 00520FE5
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!CreateFileA 75A2CE5F 5 Bytes JMP 0052000A
.text C:\Windows\system32\svchost.exe[2852] kernel32.dll!WinExec 75A75CF7 5 Bytes JMP 00520F3F
.text C:\Windows\system32\svchost.exe[2852] msvcrt.dll!_wsystem 75987F2F 5 Bytes JMP 004C003F
.text C:\Windows\system32\svchost.exe[2852] msvcrt.dll!system 7598804B 5 Bytes JMP 004C0FBE
.text C:\Windows\system32\svchost.exe[2852] msvcrt.dll!_creat 7598BBE1 5 Bytes JMP 004C001D
.text C:\Windows\system32\svchost.exe[2852] msvcrt.dll!_open 7598D106 5 Bytes JMP 004C0FEF
.text C:\Windows\system32\svchost.exe[2852] msvcrt.dll!_wcreat 7598D326 5 Bytes JMP 004C002E
.text C:\Windows\system32\svchost.exe[2852] msvcrt.dll!_wopen 7598D501 5 Bytes JMP 004C000C
.text C:\Windows\system32\svchost.exe[2852] ADVAPI32.dll!RegCreateKeyExA 758839AB 5 Bytes JMP 00020040
.text C:\Windows\system32\svchost.exe[2852] ADVAPI32.dll!RegCreateKeyA 75883BA9 5 Bytes JMP 00020025
.text C:\Windows\system32\svchost.exe[2852] ADVAPI32.dll!RegOpenKeyA 758889C7 5 Bytes JMP 00020FEF
.text C:\Windows\system32\svchost.exe[2852] ADVAPI32.dll!RegCreateKeyW 7589391E 5 Bytes JMP 00020F9E
.text C:\Windows\system32\svchost.exe[2852] ADVAPI32.dll!RegCreateKeyExW 758941F1 5 Bytes JMP 00020F8D
.text C:\Windows\system32\svchost.exe[2852] ADVAPI32.dll!RegOpenKeyExA 75897C42 5 Bytes JMP 00020FB9
.text C:\Windows\system32\svchost.exe[2852] ADVAPI32.dll!RegOpenKeyW 7589E2B5 5 Bytes JMP 00020FD4
.text C:\Windows\system32\svchost.exe[2852] ADVAPI32.dll!RegOpenKeyExW 758A7BA1 5 Bytes JMP 0002000A
.text C:\Windows\system32\svchost.exe[2852] WININET.dll!InternetOpenA 76A5D47D 5 Bytes JMP 0053000A
.text C:\Windows\system32\svchost.exe[2852] WININET.dll!InternetOpenW 76A5D7DA 5 Bytes JMP 0053001B
.text C:\Windows\system32\svchost.exe[2852] WININET.dll!InternetOpenUrlA 76A5FE4B 5 Bytes JMP 00530FE5
.text C:\Windows\system32\svchost.exe[2852] WININET.dll!InternetOpenUrlW 76AA9139 5 Bytes JMP 00530036
.text C:\Windows\system32\svchost.exe[2852] WS2_32.dll!socket 770736D1 5 Bytes JMP 00540FE5
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!GetStartupInfoW 759E1929 5 Bytes JMP 00050F18
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!GetStartupInfoA 759E19C9 5 Bytes JMP 00050F29
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!CreateProcessW 759E1BF3 5 Bytes JMP 00050083
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!CreateProcessA 759E1C28 5 Bytes JMP 00050EEC
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!VirtualProtect 759E1DC3 5 Bytes JMP 00050F4B
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!CreateNamedPipeA 759E2EF5 5 Bytes JMP 00050FC3
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!CreateNamedPipeW 759E5C0C 5 Bytes JMP 00050014
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!CreatePipe 75A08E6E 5 Bytes JMP 00050F3A
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!LoadLibraryExW 75A09109 5 Bytes JMP 00050F68
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!LoadLibraryW 75A09362 5 Bytes JMP 00050F8D
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!LoadLibraryExA 75A094B4 5 Bytes JMP 00050025
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!LoadLibraryA 75A094DC 5 Bytes JMP 00050FA8
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!VirtualProtectEx 75A0DBDA 5 Bytes JMP 00050040
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!GetProcAddress 75A2903B 5 Bytes JMP 0005009E
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!CreateFileW 75A2AECB 5 Bytes JMP 00050FD4
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!CreateFileA 75A2CE5F 5 Bytes JMP 00050FE5
.text C:\Windows\system32\svchost.exe[3600] kernel32.dll!WinExec 75A75CF7 5 Bytes JMP 00050EFD
.text C:\Windows\system32\svchost.exe[3600] msvcrt.dll!_wsystem 75987F2F 5 Bytes JMP 00070FA8
.text C:\Windows\system32\svchost.exe[3600] msvcrt.dll!system 7598804B 5 Bytes JMP 00070FB9
.text C:\Windows\system32\svchost.exe[3600] msvcrt.dll!_creat 7598BBE1 5 Bytes JMP 00070029
.text C:\Windows\system32\svchost.exe[3600] msvcrt.dll!_open 7598D106 5 Bytes JMP 00070FEF
.text C:\Windows\system32\svchost.exe[3600] msvcrt.dll!_wcreat 7598D326 5 Bytes JMP 00070FD4
.text C:\Windows\system32\svchost.exe[3600] msvcrt.dll!_wopen 7598D501 5 Bytes JMP 0007000C
.text C:\Windows\system32\svchost.exe[3600] ADVAPI32.dll!RegCreateKeyExA 758839AB 5 Bytes JMP 0008005B
.text C:\Windows\system32\svchost.exe[3600] ADVAPI32.dll!RegCreateKeyA 75883BA9 5 Bytes JMP 00080FCA
.text C:\Windows\system32\svchost.exe[3600] ADVAPI32.dll!RegOpenKeyA 758889C7 5 Bytes JMP 0008000A
.text C:\Windows\system32\svchost.exe[3600] ADVAPI32.dll!RegCreateKeyW 7589391E 5 Bytes JMP 00080FB9
.text C:\Windows\system32\svchost.exe[3600] ADVAPI32.dll!RegCreateKeyExW 758941F1 5 Bytes JMP 00080F9E
.text C:\Windows\system32\svchost.exe[3600] ADVAPI32.dll!RegOpenKeyExA 75897C42 5 Bytes JMP 0008002C
.text C:\Windows\system32\svchost.exe[3600] ADVAPI32.dll!RegOpenKeyW 7589E2B5 5 Bytes JMP 0008001B
.text C:\Windows\system32\svchost.exe[3600] ADVAPI32.dll!RegOpenKeyExW 758A7BA1 5 Bytes JMP 00080FE5
.text C:\Windows\system32\svchost.exe[3600] WININET.dll!InternetOpenA 76A5D47D 5 Bytes JMP 00270000
.text C:\Windows\system32\svchost.exe[3600] WININET.dll!InternetOpenW 76A5D7DA 5 Bytes JMP 00270FDB
.text C:\Windows\system32\svchost.exe[3600] WININET.dll!InternetOpenUrlA 76A5FE4B 5 Bytes JMP 0027001B
.text C:\Windows\system32\svchost.exe[3600] WININET.dll!InternetOpenUrlW 76AA9139 5 Bytes JMP 00270FC0
.text C:\Windows\system32\svchost.exe[3600] WS2_32.dll!socket 770736D1 5 Bytes JMP 002D0FEF
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!GetStartupInfoW 759E1929 5 Bytes JMP 00090F29
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!GetStartupInfoA 759E19C9 5 Bytes JMP 00090F44
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!CreateProcessW 759E1BF3 5 Bytes JMP 00090EFD
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!CreateProcessA 759E1C28 5 Bytes JMP 0009008A
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!VirtualProtect 759E1DC3 5 Bytes JMP 00090054
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!CreateNamedPipeA 759E2EF5 5 Bytes JMP 00090FD4
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!CreateNamedPipeW 759E5C0C 5 Bytes JMP 00090025
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!CreatePipe 75A08E6E 5 Bytes JMP 00090F55
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!LoadLibraryExW 75A09109 5 Bytes JMP 00090F7A
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!LoadLibraryW 75A09362 5 Bytes JMP 00090FB2
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!LoadLibraryExA 75A094B4 5 Bytes JMP 00090FA1
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!LoadLibraryA 75A094DC 5 Bytes JMP 00090FC3
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!VirtualProtectEx 75A0DBDA 5 Bytes JMP 0009006F
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!GetProcAddress 75A2903B 5 Bytes JMP 000900A5
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!CreateFileW 75A2AECB 5 Bytes JMP 00090000
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!CreateFileA 75A2CE5F 5 Bytes JMP 00090FEF
.text C:\Windows\System32\svchost.exe[3680] kernel32.dll!WinExec 75A75CF7 5 Bytes JMP 00090F18
.text C:\Windows\System32\svchost.exe[3680] msvcrt.dll!_wsystem 75987F2F 5 Bytes JMP 000B004E
.text C:\Windows\System32\svchost.exe[3680] msvcrt.dll!system 7598804B 5 Bytes JMP 000B0FC3
.text C:\Windows\System32\svchost.exe[3680] msvcrt.dll!_creat 7598BBE1 5 Bytes JMP 000B0018
.text C:\Windows\System32\svchost.exe[3680] msvcrt.dll!_open 7598D106 5 Bytes JMP 000B0FEF
.text C:\Windows\System32\svchost.exe[3680] msvcrt.dll!_wcreat 7598D326 5 Bytes JMP 000B0033
.text C:\Windows\System32\svchost.exe[3680] msvcrt.dll!_wopen 7598D501 5 Bytes JMP 000B0FDE
.text C:\Windows\System32\svchost.exe[3680] ADVAPI32.dll!RegCreateKeyExA 758839AB 5 Bytes JMP 000C0F9E
.text C:\Windows\System32\svchost.exe[3680] ADVAPI32.dll!RegCreateKeyA 75883BA9 5 Bytes JMP 000C0FC0
.text C:\Windows\System32\svchost.exe[3680] ADVAPI32.dll!RegOpenKeyA 758889C7 5 Bytes JMP 000C000A
.text C:\Windows\System32\svchost.exe[3680] ADVAPI32.dll!RegCreateKeyW 7589391E 5 Bytes JMP 000C0FAF
.text C:\Windows\System32\svchost.exe[3680] ADVAPI32.dll!RegCreateKeyExW 758941F1 5 Bytes JMP 000C0F79
.text C:\Windows\System32\svchost.exe[3680] ADVAPI32.dll!RegOpenKeyExA 75897C42 5 Bytes JMP 000C0FE5
.text C:\Windows\System32\svchost.exe[3680] ADVAPI32.dll!RegOpenKeyW 7589E2B5 5 Bytes JMP 000C001B
.text C:\Windows\System32\svchost.exe[3680] ADVAPI32.dll!RegOpenKeyExW 758A7BA1 5 Bytes JMP 000C0036
.text C:\Windows\System32\svchost.exe[3680] WININET.dll!InternetOpenA 76A5D47D 5 Bytes JMP 00670FEF
.text C:\Windows\System32\svchost.exe[3680] WININET.dll!InternetOpenW 76A5D7DA 5 Bytes JMP 00670FD4
.text C:\Windows\System32\svchost.exe[3680] WININET.dll!InternetOpenUrlA 76A5FE4B 5 Bytes JMP 00670FB9
.text C:\Windows\System32\svchost.exe[3680] WININET.dll!InternetOpenUrlW 76AA9139 5 Bytes JMP 00670F9E
.text C:\Windows\System32\svchost.exe[3680] WS2_32.dll!socket 770736D1 5 Bytes JMP 00870FEF

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 87F51618

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
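
The GMER output above is a flat list, and the question a reader wants answered is which of those 5-byte JMP hooks GMER could tie to a module on disk (the two mcproxy.exe entries) and which jump into unattributed memory, plus which sectors and files GMER flagged. The following is an added example written for this thread, not GMER's or TDSSKiller's code and not part of the original post. It parses the three GMER line shapes seen in the log, groups hooks per process, separates attributed from unattributed JMP targets, and shows how GMER's "JMP <target>" figure relates to the five bytes actually written at the export (E9 followed by a little-endian rel32 measured from the end of the instruction). The sample log is a constructed excerpt of the lines above; treating an unattributed hook as a lead rather than a verdict is this example's assumption, since security products hook the same exports.

```python
"""Triage of GMER user-mode hook, disk-sector and file lines (added example)."""
import re
import struct
from collections import defaultdict

# '.text <proc>[<pid>] <module>!<export> <addr> 5 Bytes JMP <target> [<owner module>]'
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<export>\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\S.*))?$"
)
SECTOR_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<sector>\d+):\s+(?P<note>.+)$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+)\s+(?P<note>suspicious modification)$")

# Constructed excerpt of the GMER log in this thread (representative lines only).
SAMPLE = r"""
.text C:\Windows\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 75A094DC 5 Bytes JMP 00DE0FC0
.text C:\Windows\system32\svchost.exe[1436] WS2_32.dll!socket 770736D1 5 Bytes JMP 01000FEF
.text C:\Windows\Explorer.EXE[1684] kernel32.dll!CreateProcessW 759E1BF3 5 Bytes JMP 00E00098
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2520] kernel32.dll!LoadLibraryW 75A09362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""


def encode_jmp(addr, target):
    """The five bytes a 'JMP target' splice writes at addr: E9 + rel32 from the end of the instruction."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def decode_jmp(addr, code):
    """Recover the JMP target from bytes read at addr, or None if there is no E9 splice there."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]  # signed displacement
    return (addr + 5 + rel) & 0xFFFFFFFF


def parse_gmer(text):
    """Split a GMER log into hook, sector and file records."""
    out = {"hooks": [], "sectors": [], "files": []}
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            out["hooks"].append({
                "proc": m["proc"], "pid": int(m["pid"]), "module": m["module"],
                "export": m["export"], "addr": int(m["addr"], 16),
                "size": int(m["size"]), "target": int(m["target"], 16),
                "owner": m["owner"],  # None when GMER printed no owning module after the target
            })
            continue
        m = SECTOR_RE.match(line)
        if m:
            out["sectors"].append({"dev": m["dev"], "sector": int(m["sector"]), "note": m["note"]})
            continue
        m = FILE_RE.match(line)
        if m:
            out["files"].append({"path": m["path"], "note": m["note"]})
    return out


def summarize(parsed):
    """Group hooks by process and pull out what an analyst looks at first."""
    per_proc = defaultdict(int)
    unattributed, attributed = set(), set()
    for h in parsed["hooks"]:
        per_proc[f"{h['proc']}[{h['pid']}]"] += 1
        (attributed if h["owner"] else unattributed).add(f"{h['module']}!{h['export']}")
    return {
        "hooked_processes": dict(per_proc),
        "unattributed_exports": sorted(unattributed),
        "attributed_exports": sorted(attributed),
        "owners": sorted({h["owner"] for h in parsed["hooks"] if h["owner"]}),
        "flagged_sectors": [s["sector"] for s in parsed["sectors"] if "rootkit-like" in s["note"]],
        "flagged_files": [f["path"] for f in parsed["files"]],
    }


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    h = parsed["hooks"][0]
    patch = encode_jmp(h["addr"], h["target"])
    print(f"{h['module']}!{h['export']} @ {h['addr']:08X} patched with {patch.hex()} "
          f"-> decodes back to {decode_jmp(h['addr'], patch):08X}")
```

Run it against the full log by replacing SAMPLE with the pasted text. The split it produces is the same one GMER's own formatting hints at: a hook whose line ends with a module path and vendor string has an owner on disk, a hook whose line ends at the target address does not, and the latter set is what to resolve (which module, if any, maps those low addresses in each process) before deciding anything.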

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:24 PM

Posted 10 December 2009 - 05:33 PM

You never want to run more than one antivirus. They can conflict and even crash your system. Select one that you wish to keep and then uninstall the other two. If you have problems completely removing Norton you can run the Norton removal tool.

http://service1.symantec.com/Support/tsgen...005033108162039

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 kjt253

kjt253
  • Topic Starter

  • Members
  • 4 posts
  • Local time:08:24 PM

Posted 11 December 2009 - 08:48 AM

Host Name: KAREN-PC
OS Name: Microsoft® Windows Vista™ Home Premium
OS Version: 6.0.6002 Service Pack 2 Build 6002
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Karen
Registered Organization:
Product ID: 89578-OEM-7332157-00115
Original Install Date: 03/02/2008, 13:35:45
System Boot Time: 11/12/2009, 10:13:25
System Manufacturer: Packard Bell BV
System Model: EasyNote_MX37-T-003
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 15 Stepping 13 GenuineIntel ~1500 Mhz
BIOS Version: American Megatrends Inc. 208 , 24/10/2007
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 1,919 MB
Available Physical Memory: 971 MB
Page File: Max Size: 4,082 MB
Page File: Available: 2,417 MB
Page File: In Use: 1,665 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\KAREN-PC
Hotfix(s): 203 Hotfix(s) Installed.
[01]: {8B2F38F1-6D3C-4D87-AD2F-954AF6942800}
[02]: KB971513
[03]: KB971512
[04]: KB960362
[05]: KB971514
[06]: KB925528
[07]: KB925902
[08]: KB929399
[09]: KB929615
[10]: KB929685
[11]: KB929735
[12]: KB929761
[13]: KB929762
[14]: KB929763
[15]: KB929777
[16]: KB930163
[17]: KB930178
[18]: KB930857
[19]: KB931099
[20]: KB931174
[21]: KB931573
[22]: KB931621
[23]: KB932471
[24]: KB932539
[25]: KB932818
[26]: KB933579
[27]: KB933729
[28]: KB934796
[29]: KB935652
[30]: KB936003
[31]: KB936021
[32]: KB936229
[33]: KB936357
[34]: KB936782
[35]: KB936825
[36]: KB937077
[37]: KB938127
[38]: KB938928
[39]: KB938952
[40]: KB939159
[41]: KB939165
[42]: KB940105
[43]: KB941202
[44]: KB941229
[45]: KB941568
[46]: KB941569
[47]: KB941600
[48]: KB941644
[49]: KB943055
[50]: KB943078
[51]: KB945553
[52]: KB946026
[53]: KB946456
[54]: KB947172
[55]: KB905866
[56]: KB928089
[57]: KB929123
[58]: KB929427
[59]: KB929916
[60]: KB931213
[61]: KB931768
[62]: KB931836
[63]: KB932246
[64]: KB933360
[65]: KB933566
[66]: KB933928
[67]: KB935280
[68]: KB935807
[69]: KB936824
[70]: KB937143
[71]: KB937287
[72]: KB938123
[73]: KB938194
[74]: KB938371
[75]: KB938464
[76]: KB938979
[77]: KB941649
[78]: KB941651
[79]: KB941693
[80]: KB942615
[81]: KB942624
[82]: KB942763
[83]: KB943302
[84]: KB943411
[85]: KB943899
[86]: KB944533
[87]: KB946041
[88]: KB947562
[89]: KB947864
[90]: KB948590
[91]: KB948609
[92]: KB948610
[93]: KB948881
[94]: KB950124
[95]: KB950125
[96]: KB950126
[97]: KB950582
[98]: KB950759
[99]: KB950760
[100]: KB950762
[101]: KB950974
[102]: KB951066
[103]: KB951072
[104]: KB951376
[105]: KB951618
[106]: KB951698
[107]: KB951978
[108]: KB952004
[109]: KB952069
[110]: KB952287
[111]: KB952709
[112]: KB952714
[113]: KB953155
[114]: KB953733
[115]: KB953838
[116]: KB953839
[117]: KB954154
[118]: KB954155
[119]: KB954211
[120]: KB954366
[121]: KB954459
[122]: KB955020
[123]: KB955069
[124]: KB955302
[125]: KB955430
[126]: KB955519
[127]: KB955839
[128]: KB956390
[129]: KB956391
[130]: KB956572
[131]: KB956744
[132]: KB956802
[133]: KB956841
[134]: KB957000
[135]: KB957095
[136]: KB957097
[137]: KB957200
[138]: KB957321
[139]: KB957388
[140]: KB958215
[141]: KB958481
[142]: KB958483
[143]: KB958623
[144]: KB958624
[145]: KB958644
[146]: KB958687
[147]: KB958690
[148]: KB958869
[149]: KB959108
[150]: KB959130
[151]: KB959426
[152]: KB959772
[153]: KB960225
[154]: KB960544
[155]: KB960714
[156]: KB960715
[157]: KB960803
[158]: KB961260
[159]: KB961371
[160]: KB961501
[161]: KB963027
[162]: KB967632
[163]: KB967723
[164]: KB968389
[165]: KB968537
[166]: KB968816
[167]: KB969897
[168]: KB969898
[169]: KB969947
[170]: KB970238
[171]: KB970430
[172]: KB970653
[173]: KB970710
[174]: KB971486
[175]: KB971557
[176]: KB971657
[177]: KB971737
[178]: KB971961
[179]: KB972036
[180]: KB972145
[181]: KB972260
[182]: KB973346
[183]: KB973507
[184]: KB973525
[185]: KB973540
[186]: KB973565
[187]: KB973687
[188]: KB973768
[189]: KB973917
[190]: KB974306
[191]: KB974318
[192]: KB974455
[193]: KB974469
[194]: KB974470
[195]: KB974571
[196]: KB975467
[197]: KB975517
[198]: KB976098
[199]: KB976325
[200]: KB976470
[201]: KB976749
[202]: KB948465
[203]: 940157
Network Card(s): 2 NIC(s) Installed.
[01]: SiS191 Ethernet Controller
Connection Name: Local Area Connection
Status: Media disconnected
[02]: Atheros AR5007EG Wireless Network Adapter
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.2
[02]: fe80::70f7:aadb:a847:bde4

13:46:45:858 288 ForceUnloadDriver: NtUnloadDriver error 2
13:46:45:860 288 ForceUnloadDriver: NtUnloadDriver error 2
13:46:45:863 288 ForceUnloadDriver: NtUnloadDriver error 2
13:46:45:906 288 main: Driver KLMD successfully dropped
13:46:45:918 288 main: Driver KLMD successfully loaded
13:46:45:919 288
Scanning Registry ...
13:46:45:919 288 ScanServices: Searching service UACd.sys
13:46:45:919 288 ScanServices: Open/Create key error 2
13:46:45:920 288 ScanServices: Searching service TDSSserv.sys
13:46:45:920 288 ScanServices: Open/Create key error 2
13:46:45:920 288 ScanServices: Searching service gaopdxserv.sys
13:46:45:920 288 ScanServices: Open/Create key error 2
13:46:45:920 288 ScanServices: Searching service gxvxcserv.sys
13:46:45:920 288 ScanServices: Open/Create key error 2
13:46:45:920 288 ScanServices: Searching service MSIVXserv.sys
13:46:45:920 288 ScanServices: Open/Create key error 2
13:46:45:931 288 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 84E14000
13:46:45:932 288 UnhookRegistry: Kernel local addr: 1B00000
13:46:45:932 288 UnhookRegistry: KeServiceDescriptorTable addr: 1C37B00
13:46:45:935 288 UnhookRegistry: KiServiceTable addr: 1BAC82C
13:46:45:935 288 UnhookRegistry: NtEnumerateKey service number (local): 85
13:46:45:935 288 UnhookRegistry: NtEnumerateKey local addr: 1CFD0BA
13:46:45:944 288 KLMD_OpenDevice: Trying to open KLMD device
13:46:45:944 288 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
13:46:45:944 288 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
13:46:45:945 288 KLMD_ReadMem: Trying to ReadMemory 0x84E5CD19[0x4]
13:46:45:945 288 UnhookRegistry: NtEnumerateKey service number (kernel): 85
13:46:45:945 288 KLMD_ReadMem: Trying to ReadMemory 0x84EC0A40[0x4]
13:46:45:945 288 UnhookRegistry: NtEnumerateKey real addr: 850110BA
13:46:45:945 288 UnhookRegistry: NtEnumerateKey calc addr: 850110BA
13:46:45:945 288 UnhookRegistry: No SDT hooks found on NtEnumerateKey
13:46:45:945 288 KLMD_ReadMem: Trying to ReadMemory 0x850110BA[0xA]
13:46:45:945 288 UnhookRegistry: No splicing found on NtEnumerateKey
13:46:45:956 288
Scanning Kernel memory ...
13:46:45:957 288 KLMD_OpenDevice: Trying to open KLMD device
13:46:45:957 288 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
13:46:45:957 288 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
13:46:45:957 288 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 880DBA60
13:46:45:957 288 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
13:46:45:957 288 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 886B4AC8
13:46:45:957 288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 886B4AC8
13:46:45:957 288 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 87F12F08
13:46:45:957 288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87F12F08
13:46:45:957 288 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 87F38B98
13:46:45:957 288 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87F38B98
13:46:45:957 288 KLMD_ReadMem: Trying to ReadMemory 0x87F38B98[0x38]
13:46:45:957 288 DetectCureTDL3: DRIVER_OBJECT addr: 87F2D710
13:46:45:958 288 KLMD_ReadMem: Trying to ReadMemory 0x87F2D710[0xA8]
13:46:45:958 288 KLMD_ReadMem: Trying to ReadMemory 0x87F0C6B0[0x208]
13:46:45:958 288 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
13:46:45:958 288 DetectCureTDL3: IrpHandler (0) addr: 807C4140
13:46:45:958 288 DetectCureTDL3: IrpHandler (1) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (2) addr: 807C4140
13:46:45:958 288 DetectCureTDL3: IrpHandler (3) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (4) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (5) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (6) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (7) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (8) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (9) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (10) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (11) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (12) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (13) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (14) addr: 807B2A5A
13:46:45:958 288 DetectCureTDL3: IrpHandler (15) addr: 807B2A2C
13:46:45:958 288 DetectCureTDL3: IrpHandler (16) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (17) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (18) addr: 84E3C9D2
13:46:45:958 288 DetectCureTDL3: IrpHandler (19) addr: 84E3C9D2
13:46:45:959 288 DetectCureTDL3: IrpHandler (20) addr: 84E3C9D2
13:46:45:959 288 DetectCureTDL3: IrpHandler (21) addr: 84E3C9D2
13:46:45:959 288 DetectCureTDL3: IrpHandler (22) addr: 807B2A88
13:46:45:959 288 DetectCureTDL3: IrpHandler (23) addr: 807BFB70
13:46:45:959 288 DetectCureTDL3: IrpHandler (24) addr: 84E3C9D2
13:46:45:959 288 DetectCureTDL3: IrpHandler (25) addr: 84E3C9D2
13:46:45:959 288 DetectCureTDL3: IrpHandler (26) addr: 84E3C9D2
13:46:45:959 288 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
13:46:45:959 288 KLMD_ReadMem: DeviceIoControl error 1
13:46:45:959 288 TDL3_StartIoHookDetect: Unable to get StartIo handler code
13:46:45:959 288 TDL3_FileDetect: Processing driver: atapi
13:46:45:959 288 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\tsk_atapi.sys, C:\Windows\system32\Drivers\tsk_tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_tsk_atapi.sys
13:46:45:959 288 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\tsk_atapi.sys
13:46:45:959 288 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\tsk_atapi.sys
13:46:45:977 288
Completed

Results:
13:46:45:977 288 Infected objects in memory: 0
13:46:45:979 288 Cured objects in memory: 0
13:46:45:979 288 Infected objects on disk: 0
13:46:45:979 288 Objects on disk cured on reboot: 0
13:46:45:980 288 Objects on disk deleted on reboot: 0
13:46:45:980 288 Registry nodes deleted on reboot: 0
13:46:45:980 288
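
The UnhookRegistry lines in the TDSSKiller log above record a specific check, and the numbers in it can be reproduced. The tool maps its own copy of ntkrnlpa.exe at a local base, finds the export's local address, relocates it by (kernel base minus local base) to get the address the service should dispatch to ("calc addr"), reads the live SSDT slot from kernel memory ("real addr") and compares the two; it then reads the first bytes at the real address and looks for an inline splice ("No splicing found"). Service numbers in the log are hexadecimal: 0x85, which is why the slot is read at 0x84EC0A40, i.e. the relocated KiServiceTable plus 4*0x85. The following is an added example, not TDSSKiller's code and not part of the original post. The bases, table address, service index and export address are the ones printed in the log; kernel memory is simulated with a small class so the check runs offline, and the two hooked scenarios and the rogue handler address 0x8BEEF000 are constructed.

```python
"""SSDT hook and entry-splice check of the kind TDSSKiller's UnhookRegistry lines log (added example)."""
import struct

LOCAL_BASE = 0x01B00000            # where the tool mapped its own copy of ntkrnlpa.exe (from the log)
KERNEL_BASE = 0x84E14000           # where the running kernel is loaded (from the log)
LOCAL_KI_SERVICE_TABLE = 0x1BAC82C # KiServiceTable in the local copy (from the log)
NT_ENUMERATE_KEY_LOCAL = 0x1CFD0BA # NtEnumerateKey in the local copy (from the log)
NT_ENUMERATE_KEY_INDEX = 0x85      # service number, hexadecimal (from the log)

# Constructed: mov edi,edi / push ebp / mov ebp,esp / sub esp,10h / push ebx / push esi
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec105356")
ROGUE_HANDLER = 0x8BEEF000         # constructed address of a rootkit's replacement handler


class FakeKernelMemory:
    """Stand-in for KLMD_ReadMem: a few mapped regions, everything else unreadable."""

    def __init__(self, regions):
        self.regions = dict(regions)  # {base address: bytes}

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        # Same failure the log shows as 'KLMD_ReadMem: DeviceIoControl error 1'.
        raise IOError(f"unreadable kernel memory at {addr:08X}[{size:#x}]")


def relocate(local_addr):
    """Address in the locally mapped image -> address in the running kernel."""
    return (local_addr - LOCAL_BASE + KERNEL_BASE) & 0xFFFFFFFF


def service_number_from_stub(code):
    """Zw* stubs begin with 'mov eax, imm32' (B8 imm32); imm32 is the SSDT index."""
    if len(code) < 5 or code[:1] != b"\xb8":
        raise ValueError("not a 'mov eax, imm32' stub")
    return struct.unpack("<I", code[1:5])[0]


def splice_kind(code):
    """Name the inline patch at a function entry, or None when the prologue looks untouched."""
    if code[:1] == b"\xe9":
        return "jmp rel32"
    if code[:1] == b"\xeb":
        return "jmp rel8"
    if code[:2] == b"\xff\x25":
        return "jmp [abs32]"
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":
        return "push imm32 / ret"
    return None


def check_service(mem, index, local_export_addr):
    """Compare the live SSDT slot with the relocated on-disk export, then scan the entry for a splice."""
    calc = relocate(local_export_addr)
    slot = relocate(LOCAL_KI_SERVICE_TABLE) + 4 * index  # x86 SSDT: array of 32-bit pointers
    real = struct.unpack("<I", mem.read(slot, 4))[0]
    findings = []
    if real != calc:
        findings.append(f"SDT hook: slot {index:#x} -> {real:08X}, expected {calc:08X}")
    kind = splice_kind(mem.read(real, 10))  # the log reads 0xA bytes at the real address
    if kind:
        findings.append(f"splice at {real:08X}: {kind}")
    return {"slot": slot, "real": real, "calc": calc, "findings": findings}


def build_memory(scenario="clean"):
    """Constructed kernel images: 'clean', 'sdt_hook' (slot redirected) or 'splice' (E9 at the entry)."""
    calc = relocate(NT_ENUMERATE_KEY_LOCAL)
    slot = relocate(LOCAL_KI_SERVICE_TABLE) + 4 * NT_ENUMERATE_KEY_INDEX
    target = ROGUE_HANDLER if scenario == "sdt_hook" else calc
    entry = CLEAN_PROLOGUE
    if scenario == "splice":
        rel = (ROGUE_HANDLER - (calc + 5)) & 0xFFFFFFFF
        entry = b"\xe9" + struct.pack("<I", rel) + CLEAN_PROLOGUE[5:]
    return FakeKernelMemory({
        slot: struct.pack("<I", target),
        calc: entry,
        ROGUE_HANDLER: CLEAN_PROLOGUE,  # the rogue handler has an ordinary prologue of its own
    })


if __name__ == "__main__":
    for scenario in ("clean", "sdt_hook", "splice"):
        r = check_service(build_memory(scenario), NT_ENUMERATE_KEY_INDEX, NT_ENUMERATE_KEY_LOCAL)
        print(f"{scenario:9} slot={r['slot']:08X} real={r['real']:08X} calc={r['calc']:08X} "
              f"{r['findings'] or 'no SDT hook, no splice'}")
```

The "clean" scenario lands on exactly the log's values (slot 84EC0A40, real and calc both 850110BA). The log's later section does a different check, walking \Driver\atapi's IRP dispatch table and then trying to read the StartIo handler; the failed ReadMemory at 0x0 just before "Unable to get StartIo handler code" is what a read through a null pointer looks like to this tool, and that part, like the tsk_atapi.sys file comparison that follows it, is not modelled here.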

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:24 PM

Posted 11 December 2009 - 06:48 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

    Filelook::
    atapi.sys
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:24 PM

Posted 26 December 2009 - 08:24 PM

Unfortunately there has been no response. :(
This topic will now be closed.


========================================================
