Infected with FakeAlert trojan and TDSS rootkit


This topic is locked
6 replies to this topic

#1 kcork (Members, 3 posts)

Posted 31 December 2009 - 03:52 PM

Shortly before Christmas, the computer got very, very sick. We were getting all kinds of pop-ups for porn sites and requests to use AntiMalware. I don't think any of us intentionally tried to download AntiMalware, but it's possible one of the kids might have. I also had a lot of trouble running some programs and couldn't get to the Control Panel. It was bad.
After seeing some posts online about this, I downloaded and ran MalwareBytes and SuperAntiSpyware. They both removed a lot of problems. However, after repeatedly running them, it seems like they've been unable to completely get rid of Trojan.FakeAlert and Rootkit.TDSS in particular. Depending on how long I go between runs and if I use the computer for other tasks, the scans sometimes pick up other items. Just yesterday, I also got a notice from our ISP (Comcast) that we'd been flagged as sending out spam or viruses and they are now blocking port 25 so we can't send emails until we get the problem resolved.

I've followed the instructions in this forum. Below and attached are the results of DDS.

Unfortunately, I can't get RootRepeal to work at all. I downloaded it from your forum link ok to my desktop. But when I run it, it just stays stuck with a simple message window saying that it is initializing and never fully comes up. It's been that way for over a half hour and counting now.

I would appreciate any help you can provide! Thank you!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Kevin at 15:31:38.42 on Thu 12/31/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.395 [GMT -5:00]

AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Kevin\Desktop\RootRepeal.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msnbc.com
uSearch Page = hxxp://www.google.com
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uCustomizeSearch =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hewlett-packard\digital imaging\bin\HPDTLK02.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} -
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {2D51D869-C36B-42bd-AE68-0A81BC771FA5} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [USB Storage Toolbox] c:\program files\ali mp3 player\Res.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
dRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\npjpi150_10.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.com\ipay
Trusted Zone: currentgroup.com\sslvpn
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136669249328
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553557800} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4926/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: duwabulu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 91.212.127.226 winguard-2009.microsoft.com
Hosts: 91.212.127.226 winguard-2009.com
Hosts: 91.212.127.226 www.winguard-2009.com

============= SERVICES / DRIVERS ===============

R? aawservice;Lavasoft Ad-Aware Service
R? CSVirtA;Cisco Systems SSL VPN Adapter
R? FlyUsb;FLY Fusion
R? GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506
R? McSysmon;McAfee SystemGuards
R? mferkdk;McAfee Inc. mferkdk
R? mfesmfk;McAfee Inc. mfesmfk
R? NPF;NetGroup Packet Filter Driver
R? rootrepeal[1];rootrepeal[1]
R? SABKUTIL;SABKUTIL
R? SASENUM;SASENUM
R? SAVScan;SAVScan
S? McProxy;McAfee Proxy Service
S? McShield;McAfee Real-time Scanner
S? mfeavfk;McAfee Inc. mfeavfk
S? mfebopk;McAfee Inc. mfebopk
S? mfehidk;McAfee Inc. mfehidk
S? rootrepeal;rootrepeal
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? Viewpoint Manager Service;Viewpoint Manager Service

=============== Created Last 30 ================

2009-12-31 20:01:17 34816 ----a-w- c:\windows\system32\drivers\rootrepeal[1].sys
2009-12-31 18:31:39 0 d-----w- c:\program files\Cobian Backup 9
2009-12-28 18:50:08 0 d-----w- c:\program files\Trend Micro
2009-12-27 15:47:25 124 ----a-w- c:\windows\system32\srcr.dat
2009-12-27 03:53:28 0 d-----w- c:\docume~1\kevin\applic~1\SUPERAntiSpyware.com
2009-12-24 11:58:23 108 ----a-w- c:\windows\system32\26108078.BAT
2009-12-20 19:20:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-20 18:41:09 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-18 02:59:42 0 d-----w- c:\program files\AntiMalware
2009-12-18 02:36:19 666 ----a-w- c:\windows\system32\krl32mainweq.dll

==================== Find3M ====================

2009-12-31 20:33:59 773120 ----a-w- c:\windows\system32\drivers\aec.sys
2009-12-24 17:31:46 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2007-04-21 15:58:56 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-08-03 21:11:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080320080804\index.dat

============= FINISH: 15:42:00.14 ===============
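
A practitioner reading a DDS log like the one above normally scans the Pseudo HJT, services and file-date sections for a handful of tell-tale entries before doing anything else. The Python below is an added example (my own code; not from this thread, from DDS, or from BleepingComputer's procedure) that does that mechanically: it splits a DDS log at its banner lines and applies a few heuristics to each section. The embedded SAMPLE_LOG mixes lines taken from the log in this post (the hosts entries pointing at 91.212.127.226, AppInit_DLLs: duwabulu.dll, the DisableTaskMgr policy, the SABKUTIL driver under Temporary Internet Files, and the small new files in system32) with constructed benign lines; the rule names, the boot-driver list, the 30-day window and the 4096-byte threshold are my assumptions. Everything it reports is a review item, not a verdict: legitimate software can populate AppInit_DLLs, and a recently modified atapi.sys may simply be a patch, although the TDL3 generation of TDSS was known to patch a storage miniport driver such as atapi.sys in place, which is why a fresh timestamp on such a driver is worth comparing against a known-good copy.

```python
# Added example (my own code; not from this thread, DDS or the forum's procedure):
# triage heuristics over the DDS sections pasted above. SAMPLE_LOG mixes lines taken
# from the log in this post with constructed benign ones; rule names, the driver
# list, the time window and the size threshold are assumptions, not DDS features.
import ipaddress
import re
from collections import namedtuple
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
Run by Kevin at 15:31:38.42 on Thu 12/31/2009
============== Pseudo HJT Report ===============
dPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: duwabulu.dll
Hosts: 91.212.127.226 winguard-2009.microsoft.com
Hosts: 127.0.0.1 localhost
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\cynthie\local settings\temporary internet files\content.ie5\kkmxr396\sabkutil.sys [?]
=============== Created Last 30 ================
2009-12-24 11:58:23 108 ----a-w- c:\windows\system32\26108078.BAT
2009-12-20 18:41:09 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-18 02:36:19 666 ----a-w- c:\windows\system32\krl32mainweq.dll
==================== Find3M ====================
2009-12-24 17:31:46 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
============= FINISH: 15:42:00.14 ===============
"""

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_DATE = re.compile(r"^Run by .* on \w{3} (\d{2}/\d{2}/\d{4})$")
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
FILE_ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) (\S+) (.+)$")
SERVICE = re.compile(r"^[RS][\d?]?\s+[^;]+;[^;]*;(.*)$")  # R?/S3 name;display;image path
SYSTEM32_FILE = re.compile(r"^c:\\windows\\system32\\([^\\]+)$", re.I)
BOOT_DRIVER = re.compile(r"^c:\\windows\\system32\\drivers\\(atapi|disk|ntfs|classpnp)\.sys$", re.I)  # assumed list
EXEC_EXT = {"dll", "sys", "exe", "bat", "cmd", "scr"}
TEMP_DIRS = ("temporary internet files", "\\temp\\", "\\local settings\\", "\\recycler\\")
SMALL_BYTES = 4096  # assumption: genuine system32 binaries are rarely this small

Finding = namedtuple("Finding", "rule line")

def split_sections(text):
    # Group lines under their '==== Name ====' banner; pre-banner lines go to 'header'.
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif line.strip():
            sections[current].append(line)
    return sections

def run_date(header):
    # Scan date from the 'Run by <user> at <time> on <Day mm/dd/yyyy>' line, else None.
    m = next((RUN_DATE.match(ln) for ln in header if RUN_DATE.match(ln)), None)
    return datetime.strptime(m.group(1), "%m/%d/%Y") if m else None

def check_hjt(lines):
    for line in lines:
        m = HOSTS.match(line)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue
            # Genuine hosts entries point at loopback/LAN; a public target is the fake-AV redirect.
            if not (ip.is_loopback or ip.is_private or ip.is_unspecified):
                yield Finding("hosts-redirect-to-public-ip", line)
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            yield Finding("appinit-dll-set", line)  # loaded into every process that maps user32
        elif re.match(r"^[umd]Policies-system:\s*DisableTaskMgr\s*=\s*1", line):
            yield Finding("taskmgr-disabled", line)

def check_services(lines):
    for line in lines:
        m = SERVICE.match(line)
        if m and any(t in m.group(1).lower() for t in TEMP_DIRS):
            yield Finding("driver-loaded-from-temp", line)

def check_files(lines, ran_on, window=timedelta(days=30)):
    for line in lines:
        m = FILE_ENTRY.match(line)
        if not m or m.group(3).startswith("d"):
            continue  # not a file entry, or a directory
        modified, size, path = datetime.strptime(m.group(1), "%Y-%m-%d"), int(m.group(2)), m.group(4)
        s = SYSTEM32_FILE.match(path)
        if s:
            stem, _, ext = s.group(1).lower().rpartition(".")
            if ext in EXEC_EXT and (size < SMALL_BYTES or stem.isdigit()):
                yield Finding("small-or-numeric-new-executable-in-system32", line)
        elif BOOT_DRIVER.match(path) and ran_on and ran_on - modified <= window:
            yield Finding("boot-driver-recently-modified", line)

def triage(text):
    sections = split_sections(text)
    ran_on = run_date(sections["header"])
    findings = list(check_hjt(sections.get("pseudo hjt report", [])))
    findings += check_services(sections.get("services / drivers", []))
    for name in ("created last 30", "find3m"):
        findings += check_files(sections.get(name, []), ran_on)
    return findings
```

Calling triage(SAMPLE_LOG) returns seven findings on the sample and stays silent on the loopback hosts entry and the SUPERAntiSpyware driver and directory. The hosts rule treats any non-loopback, non-private target as suspicious, so a deliberate entry for an internal name on a public address would also be flagged; tighten it to a list of domains you care about (microsoft.com, your AV vendor) if that is a problem in your environment.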

#2 Elise (Bleepin' Blonde; Malware Study Hall Admin, 61,087 posts; Romania)

Posted 09 January 2010 - 03:13 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#3 kcork (Topic Starter; Members, 3 posts)

Posted 12 January 2010 - 04:22 AM

Hi Elise.
Thank you so much for offering to help me with my computer.

I described the original issues in my original post. More recently, the computer has been sporadically locking up. When that happens, I've re-run MalwareBytes and SuperAntiSpyware. Each time, it seems to detect some of these viruses and rootkits and never fully gets rid of them.

I've followed your instructions. I re-downloaded and re-ran DDS. The 2 logs are below. I also downloaded and ran GMER and posted its log below as well.

Thank you again for your assistance. I will wait for your next instructions.
- Kevin

DDS.txt results:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Kevin at 21:56:32.23 on Mon 01/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1429 [GMT -5:00]

AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msnbc.com
uSearch Page = hxxp://www.google.com
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uCustomizeSearch =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hewlett-packard\digital imaging\bin\HPDTLK02.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} -
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {2D51D869-C36B-42bd-AE68-0A81BC771FA5} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [USB Storage Toolbox] c:\program files\ali mp3 player\Res.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
dRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickbooks update agent.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\npjpi150_10.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.com\ipay
Trusted Zone: currentgroup.com\sslvpn
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136669249328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553557800} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4926/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: duwabulu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 91.212.127.226 winguard-2009.microsoft.com
Hosts: 91.212.127.226 winguard-2009.com
Hosts: 91.212.127.226 www.winguard-2009.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-3 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-3 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-3 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-23 24652]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-3 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-3 35272]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\cynthie\local settings\temporary internet files\content.ie5\kkmxr396\sabkutil.sys --> c:\documents and settings\cynthie\local settings\temporary internet files\content.ie5\kkmxr396\SABKUTIL.sys [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-7-24 22136]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-12-24 18560]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-3 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-3 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-3 40552]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 rootrepeal[1];rootrepeal[1];c:\windows\system32\drivers\rootrepeal[1].sys [2009-12-31 34816]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\savscan.exe --> c:\program files\norton antivirus\SAVScan.exe [?]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-24 30192]

=============== Created Last 30 ================

2009-12-31 20:01:17 34816 ------w- c:\windows\system32\drivers\rootrepeal[1].sys
2009-12-31 18:31:39 0 d-----w- c:\program files\Cobian Backup 9
2009-12-28 18:50:08 0 d-----w- c:\program files\Trend Micro
2009-12-27 03:53:28 0 d-----w- c:\docume~1\kevin\applic~1\SUPERAntiSpyware.com
2009-12-24 11:58:23 108 ------w- c:\windows\system32\26108078.BAT
2009-12-20 19:20:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-20 18:41:09 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-18 02:59:42 0 d-----w- c:\program files\AntiMalware
2009-12-18 02:36:19 666 ------w- c:\windows\system32\krl32mainweq.dll

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 17:31:46 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\httpapi.dll
2007-04-21 15:58:56 774144 ------w- c:\program files\RngInterstitial.dll
2008-08-03 21:11:21 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080320080804\index.dat

============= FINISH: 21:57:42.37 ===============
Attach.txt results:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/31/2003 7:24:47 PM
System Uptime: 1/11/2010 9:48:19 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7N8X-LA
Processor: AMD Athlon™ XP 2800+ | Socket A | 2079/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 86 GiB total, 22.45 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 0.953 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is FIXED (NTFS) - 233 GiB total, 96.198 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CSVirtA

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel Acoustic Echo Canceller
Device ID: SW\{4245FF73-1DB4-11D2-86E4-98AE20524153}\{9B365890-165F-11D0-A195-0020AFD156E4}
Manufacturer: Microsoft
Name: Microsoft Kernel Acoustic Echo Canceller
PNP Device ID: SW\{4245FF73-1DB4-11D2-86E4-98AE20524153}\{9B365890-165F-11D0-A195-0020AFD156E4}
Service: aec

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


3D Home Design Suite
4200
4200_Help
4200Tour
4200Trb
Acronis True Image Home
Ad-Aware
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Illustrator 10
Adobe Photoshop 7.0
Adobe Reader 8.1.3
Adobe Shockwave Player 11
Adobe SVG Viewer 6.0
Adobe® Photoshop® Album Starter Edition 3.2
Advanced System Optimizer 2.01.4
Advanced WindowsCare Personal
AIM 6
AIM Toolbar 5.0
AiO_Scan
AiOSoftware
ALI MP3 Player
Apple Mobile Device Support
Apple Software Update
ArcSoft ShowBiz 2
Ashampoo WinOptimizer 5.09
BitZipper 5.0.6
Bonjour
BOSS Fonts Manager
BufferChm
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CC_ccStart
Cisco SSL VPN Client
Cobian Backup 9
Command On Demand for Command Software
Compatibility Pack for the 2007 Office system
Copy
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Destinations
Director
DocProc
DocumentViewer
DV Camcorder
EarthLink Common Authentication
Ethereal 0.10.4
Fax
FinePixViewer Ver.4.1
FLY World
FUJIFILM USB Driver
GiPo@MoveOnBoot 1.9.5
Google Desktop
Google Earth
Google SketchUp 7
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Homemade Greeting Cards
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hoyle Board Games 4
HP Deskjet Preloaded Printer Drivers
HP Diagnostic Assistant
HP Image Zone 4.2
HP Instant Support
HP Organize
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 4.2
HP Software Update
HP Unload DLL Patch
HPImageZone
HPIZ Fix2
hpmdtab
HpSdpAppCoreApp
HPSystemDiagnostics
ImageMixer VCD2 for FinePix
InstantShare
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
KBD
LG USB Modem driver
LiveReg (Symantec Corporation)
Lookout
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Standard Edition 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Express 2002
Microsoft Plus! Digital Media Edition
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works 7.0
Microsoft XML Parser
MicroStaff WINASPI
MobileMe Control Panel
MovieEdit Task
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
Musicmatch® Jukebox
Norton AntiVirus 2004 Professional
NVIDIA Drivers
NVIDIA Ethernet Driver
NVIDIA Windows 2000/XP Display Drivers
OmniPass
Overland
PC-Doctor for Windows
Personal Home Inventory 4.0
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
PhotoStitch
Print Workshop: Heartfelt Holiday Greeting Cards
PrintScreen
ProductContext
PS2
PS7700
PSShortcutsP
PSShortP
QFolder
QuickBooks
QuickBooks Pro 2005
QuickBooks Pro 2009
QuickProjects
QuickTime
RAW Image Task 1.0
Readme
RealOne Player
RecordNow!
Registry Mechanic 6.0
RemoteCapture Task 1.0.2
Rhapsody Player Engine
S3Display
S3Gamma2
S3Info2
S3Overlay
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
SkinsHP1
SkinsHP2
Skype web features
Skype™ 4.1
Sonic Update Manager
Spelling Dictionaries Support For Adobe Reader 8
STX from Hewlett-Packard Desktops (remove only)
SUPERAntiSpyware Free Edition
SupportSoft Assisted Service
The Weather Channel Desktop 6
toolkit
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
V CAST Music Manager
Viewpoint Media Player
Virtual Earth 3D (Beta)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP
WebReg
Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Service Pack 3
WinPatrol
WinZip
Yahoo! Address AutoComplete
Yahoo! Internet Mail
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

1/9/2010 2:38:27 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service GoogleDesktopManager-092308-165331 with arguments "" in order to run the server: {A5E46143-1803-4E90-A85E-342AD9E7730B}
1/9/2010 12:43:37 PM, error: Service Control Manager [7000] - The NNSvc service failed to start due to the following error: The system cannot find the file specified.
1/9/2010 12:40:13 PM, information: Windows File Protection [64004] - The protected system file aec.sys could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x000003e3 [The I/O operation has been aborted because of either a thread exit or an application request. ].
1/9/2010 10:32:15 AM, error: DCOM [10001] - Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
1/9/2010 10:01:39 AM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\aec.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
1/9/2010 1:20:52 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
1/9/2010 1:20:52 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL. Reference error message: The operation completed successfully. .
1/9/2010 1:20:52 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
1/11/2010 9:51:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
1/11/2010 9:51:35 PM, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/11/2010 8:29:07 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
1/11/2010 8:29:07 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================
GMER.log results:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-12 03:59:46
Windows 5.1.2600 Service Pack 3
Running: nhzv4jiu.exe; Driver: C:\DOCUME~1\Kevin\LOCALS~1\Temp\uxldqpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAFF5378A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAFF53738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAFF5374C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAFF537CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAFF53710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAFF53724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAFF5379E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAFF53776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAFF53762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAFF537F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAFF537E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAFF537B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP AFF537B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP AFF5378E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP AFF53766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP AFF53714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP AFF537A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP AFF537E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP AFF537CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP AFF53750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP AFF537FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP AFF53728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP AFF5373C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP AFF5377A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB9E24340, 0xFFF3F, 0xF8000020]
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF773F358]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x234A20, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC000A
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC008E
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F8F
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0069
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0058
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0FB6
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC00B0
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC009F
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F21
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F32
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC00D5
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0047
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0F7E
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC002C
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC001B
.text C:\WINDOWS\System32\svchost.exe[512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0F43
.text C:\WINDOWS\System32\svchost.exe[512] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0066004A
.text C:\WINDOWS\System32\svchost.exe[512] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660087
.text C:\WINDOWS\System32\svchost.exe[512] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FEF
.text C:\WINDOWS\System32\svchost.exe[512] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0066001B
.text C:\WINDOWS\System32\svchost.exe[512] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660076
.text C:\WINDOWS\System32\svchost.exe[512] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660000
.text C:\WINDOWS\System32\svchost.exe[512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00660065
.text C:\WINDOWS\System32\svchost.exe[512] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FDE
.text C:\WINDOWS\System32\svchost.exe[512] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FCF
.text C:\WINDOWS\System32\svchost.exe[512] msvcrt.dll!system 77C293C7 5 Bytes JMP 0065005A
.text C:\WINDOWS\System32\svchost.exe[512] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0065002E
.text C:\WINDOWS\System32\svchost.exe[512] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0065000C
.text C:\WINDOWS\System32\svchost.exe[512] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0065003F
.text C:\WINDOWS\System32\svchost.exe[512] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0065001D
.text C:\WINDOWS\System32\svchost.exe[512] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00630000
.text C:\WINDOWS\System32\svchost.exe[512] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00630FE5
.text C:\WINDOWS\System32\svchost.exe[512] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00630FD4
.text C:\WINDOWS\System32\svchost.exe[512] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0063002F
.text C:\WINDOWS\System32\svchost.exe[512] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F79
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F8A
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F48
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700C6
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F23
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070F12
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0007007F
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700A1
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006006C
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA1
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB2
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD7
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050022
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F70
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F81
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0FA8
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0051
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F53
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC009B
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F1D
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC00B6
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC00D1
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC008A
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC0F2E
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FA8
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0036
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB0025
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0014
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0FAB
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FC6
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FE3
.text C:\WINDOWS\system32\lsass.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A9004C
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90F57
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90F72
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A9002F
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A90FA8
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A9008E
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A90071
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A900CB
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A900BA
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A900E6
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A90F8D
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A90FD4
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A90F46
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A90014
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A90FC3
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A9009F
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A80FB9
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A80F6B
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A8000A
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A80FDE
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A80F7C
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A80F97
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C8, 88]
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A80FA8
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A7008B
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70066
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A7003A
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A7004B
.text C:\WINDOWS\system32\svchost.exe[1196] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A7001D
.text C:\WINDOWS\system32\svchost.exe[1196] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C5007D
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C5006C
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50F9E
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C50040
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C500B3
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C50098
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C500CE
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50F35
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C500E9
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F6D
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C5002F
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50F46
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40025
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C40F8A
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40047
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C40FAF
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E4, 88] {IN AL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40036
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30F8B
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30FA6
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FC8
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FB7
.text C:\WINDOWS\system32\svchost.exe[1264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30FE3
.text C:\WINDOWS\system32\svchost.exe[1264] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02CE0FEF
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02CE0F6D
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02CE0F7E
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02CE0058
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02CE0F9B
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02CE002C
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02CE0F26
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02CE0F41
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02CE00A4
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02CE0093
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02CE0EF0
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02CE003D
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02CE0000
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02CE0F52
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02CE0FC0
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02CE001B
.text C:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02CE0F15
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02CD0036
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02CD0F94
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02CD001B
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02CD000A
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02CD0FAF
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02CD0FEF
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02CD0FCA
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 8A]
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02CD0047
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02CC0078
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 02CC0FE3
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02CC0038
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02CC0000
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02CC0049
.text C:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02CC0011
.text C:\WINDOWS\System32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02810FE5
.text C:\WINDOWS\System32\svchost.exe[1360] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 027F0000
.text C:\WINDOWS\System32\svchost.exe[1360] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 027F0FE5
.text C:\WINDOWS\System32\svchost.exe[1360] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 027F001B
.text C:\WINDOWS\System32\svchost.exe[1360] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 027F0040
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650039
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650028
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F75
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650F97
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0065006C
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F24
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500A2
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00650087
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650EE4
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650F86
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0065005B
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FA8
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650FC3
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F09
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640F61
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640FC3
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640FDE
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640F72
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00640F8D
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 88]
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640F9E
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630FAD
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630038
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0063001D
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630FC8
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00630FE3
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780FEF
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780F66
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F8B
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780065
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0078004A
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780FA8
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780F3A
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780076
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780F18
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F29
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00780EFD
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780039
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00780000
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00780F4B
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00780FB9
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00780FD4
.text C:\WINDOWS\System32\svchost.exe[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007800A7
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00770025
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00770076
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770FCA
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00770000
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00770065
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770FEF
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00770FB9
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [97, 88]
.text C:\WINDOWS\System32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770040
.text C:\WINDOWS\System32\svchost.exe[1536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760058
.text C:\WINDOWS\System32\svchost.exe[1536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760FCD
.text C:\WINDOWS\System32\svchost.exe[1536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760018
.text C:\WINDOWS\System32\svchost.exe[1536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760FEF
.text C:\WINDOWS\System32\svchost.exe[1536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0076003D
.text C:\WINDOWS\System32\svchost.exe[1536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760FDE
.text C:\WINDOWS\System32\svchost.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0096
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0FA1
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE006F
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0054
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FBC
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F4E
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F75
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00D6
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00BB
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F22
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0043
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F86
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FCD
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0014
.text C:\WINDOWS\System32\svchost.exe[1712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F3D
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0051
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0036
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD001B
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD000A
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0FEF
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\System32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD006C
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0F7A
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0F95
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FB7
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FA6
.text C:\WINDOWS\System32\svchost.exe[1712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FD2
.text C:\WINDOWS\System32\svchost.exe[1712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E6008A
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E60F8B
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E60065
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60FA8
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E6004A
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E6009B
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E60F5F
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E60F13
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E60F24
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E60EEE
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E6000A
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E60F7A
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E60FD4
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E60025
.text C:\WINDOWS\System32\svchost.exe[1996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E600AC
.text C:\WINDOWS\System32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E50025
.text C:\WINDOWS\System32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E50F97
.text C:\WINDOWS\System32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E50FD4
.text C:\WINDOWS\System32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\System32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E50FA8
.text C:\WINDOWS\System32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E50000
.text C:\WINDOWS\System32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E5004A
.text C:\WINDOWS\System32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E50FC3
.text C:\WINDOWS\System32\svchost.exe[1996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40F78
.text C:\WINDOWS\System32\svchost.exe[1996] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40F89
.text C:\WINDOWS\System32\svchost.exe[1996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40FAB
.text C:\WINDOWS\System32\svchost.exe[1996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40FE3
.text C:\WINDOWS\System32\svchost.exe[1996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40F9A
.text C:\WINDOWS\System32\svchost.exe[1996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40FC6
.text C:\WINDOWS\System32\svchost.exe[1996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30000
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0080
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A006F
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F97
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0040
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F44
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F55
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00B8
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F29
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F04
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F70
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A002F
.text C:\WINDOWS\Explorer.EXE[3568] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00A7
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FDE
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FAB
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290025
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290014
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290068
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FBC
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[3568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FCD
.text C:\WINDOWS\Explorer.EXE[3568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F90
.text C:\WINDOWS\Explorer.EXE[3568] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A001B
.text C:\WINDOWS\Explorer.EXE[3568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC6
.text C:\WINDOWS\Explorer.EXE[3568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[3568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FAB
.text C:\WINDOWS\Explorer.EXE[3568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[3568] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[3568] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C001B
.text C:\WINDOWS\Explorer.EXE[3568] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[3568] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0036
.text C:\WINDOWS\Explorer.EXE[3568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02A60FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTltdquuottt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTltdquuottt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTkxuxuktytq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTqyertltpjb.dat
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTrrkirfjflg.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InProcServer32@ThreadingModel Apartment

---- EOF - GMER 1.0.15 ----
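
The user-mode hook section of this GMER log is the part that matters for triage: GMER prints one ".text" line per patched export, and a hook it can attribute to a module on disk carries the owner path and description at the end of the line (the mcproxy.exe entries above do), while a JMP into an anonymous region carries nothing (the svchost.exe and Explorer.EXE entries above). As an added example, not part of GMER, ComboFix or any post in this thread, the Python script below parses lines in that format, groups the patched exports per process and flags processes with unattributed trampolines. The sample lines are constructed in GMER's format; the PIDs, the vendor agent path and its description are made up.

```python
"""Triage helper for the user-mode hook section of a GMER log.

Added example for this thread; it is not part of GMER, ComboFix or the
original post. A system process such as svchost.exe full of unattributed
trampolines on CreateProcess*, Reg*Key*, socket and the msvcrt open/system
family is the pattern to escalate, not to explain away.
"""
import re
from collections import defaultdict

# One GMER hook line. A 5-byte patch that GMER reports as "2 Bytes JMP"
# plus "+ 3 ... 2 Bytes [xx, yy]" shows up as two lines; both are kept.
HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<image>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]+)|\[(?P<raw>[^\]]*)\](?:\s+\{[^}]*\})?)"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Constructed sample lines in GMER's format (PIDs, the vendor agent path
# and its description are made up for this example).
SAMPLE_LINES = [
    r".text C:\WINDOWS\system32\svchost.exe[1111] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A900CB",
    r".text C:\WINDOWS\system32\svchost.exe[1111] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A80F97",
    r".text C:\WINDOWS\system32\svchost.exe[1111] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C8, 88]",
    r".text C:\WINDOWS\system32\svchost.exe[1111] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A7001D",
    r".text C:\WINDOWS\system32\svchost.exe[1111] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FEF",
    r".text c:\PROGRA~1\COMMON~1\vendor\agent.exe[2222] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\vendor\agent.exe (Example Agent/Example Vendor, Inc.)",
    "---- Devices - GMER 1.0.15 ----",  # not a hook line; must be ignored
]


def parse_hook(line):
    """Return a dict for one hook line, or None if the line is not a hook."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    h = m.groupdict()
    h["pid"] = int(h["pid"])
    h["size"] = int(h["size"])
    h["offset"] = int(h["offset"]) if h["offset"] else 0
    # GMER names the owning module only when the JMP target maps to a file.
    h["attributed"] = h["owner"] is not None
    return h


def summarize(lines):
    """Group hook lines by (image path, pid)."""
    procs = defaultdict(lambda: {"hooks": [], "modules": set(),
                                 "owners": set(), "unattributed": 0})
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        entry = procs[(h["image"], h["pid"])]
        entry["hooks"].append(f"{h['module']}!{h['export']}")
        entry["modules"].add(h["module"])
        if h["attributed"]:
            entry["owners"].add(h["owner"])
        else:
            entry["unattributed"] += 1
    return dict(procs)


def suspicious(summary):
    """Processes with at least one hook GMER could not attribute to a module."""
    return sorted(key for key, v in summary.items() if v["unattributed"] > 0)


def report(lines):
    """Human-readable triage summary; returned as text rather than printed."""
    summary = summarize(lines)
    out = []
    for (image, pid), v in sorted(summary.items()):
        flag = "INVESTIGATE" if v["unattributed"] else "attributed"
        out.append(f"{image}[{pid}]: {len(v['hooks'])} hooks, "
                   f"{v['unattributed']} unattributed, "
                   f"modules={sorted(v['modules'])} -> {flag}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run it on the whole GMER log to get one line per process; the processes marked INVESTIGATE are the ones whose hook targets should be dumped and compared against the driver and DLL paths listed under the H8SRTd.sys service entries in the Registry section of the same log.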

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,087 posts
  • Gender:Female
  • Location:Romania

Posted 12 January 2010 - 10:48 AM

Hello kcork,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File". Note - if you get an error message, click first "Make Writeable".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 kcork

kcork
  • Topic Starter

Posted 14 January 2010 - 10:52 PM

Ugh. :(
The computer is used for personal banking, etc. Based on the recommendations I reviewed, it sounds like I should reformat and reinstall. Is that something you would be able to walk me through, or should I take it to someone? And it sounds like I shouldn't bother with the combofix steps, correct?
- Kevin

#6 Elise

Posted 15 January 2010 - 02:34 AM

No, if you decide to reformat there is no need for the other steps.

A good tutorial on how to reformat and reinstall can be found here

Let me know if you have any more questions or if I can close this topic :(

regards, Elise


#7 Elise

Posted 22 January 2010 - 06:50 AM

Due to lack of activity, this topic will now be closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise
