
tdlcmd.dll identified as DNSChanger.as


  • This topic is locked
12 replies to this topic

#1 McGrumpy

  • Members
  • 7 posts

Posted 31 December 2009 - 04:40 PM

Greetings,

McAfee Enterprise 8.5.0i is reporting that tdlcmd.dll is infected with DNSChanger.as. It reports that it successfully deleted the file but it keeps coming back. Prior to posting here I have run full scans again with McAfee, Spybot SD and Malwarebytes' Anti-Malware. Other than finding normal tracking/ad items, they were clean. Like most people, shortly after rebooting the virus warning returns.
Per the instructions I have the 2 DDS logs and 1 Root Repeal log. Any help in cleaning my daughter's laptop would be greatly appreciated!


DDS (Ver_09-12-01.01) - NTFSx86
Run by family at 16:00:27.18 on Thu 12/31/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1239 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://twilightguide.com/tg/
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\family\startm~1\programs\startup\imvu.lnk - c:\documents and settings\family\application data\imvuclient\IMVUClient.exe
StartupFolder: c:\docume~1\family\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\family\startm~1\programs\startup\regist~1.lnk - d:\RegistrationReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\family\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\family\applic~1\mozilla\firefox\profiles\0496pt4l.default\
FF - prefs.js: browser.startup.homepage - hxxp://twilightguide.com/tg/
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-8-23 104000]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-8-23 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-8-23 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-8-23 168776]

=============== Created Last 30 ================

2009-12-31 20:57:06 0 d-----w- c:\program files\Runtime Software
2009-12-27 12:47:12 0 d-----w- c:\program files\JRE
2009-12-26 23:20:40 778240 ----a-w- c:\windows\system32\Petz 5.scr
2009-12-26 23:20:18 0 d-----w- c:\program files\Ubi Soft
2009-12-02 03:16:03 0 ----a-w- c:\windows\system32\6334.exe
2009-12-02 02:55:37 0 ----a-w- c:\windows\system32\18467.exe
2009-12-02 02:52:53 0 d-----w- c:\docume~1\family\applic~1\Malwarebytes
2009-12-02 02:52:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-02 02:52:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 02:52:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-02 02:52:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-02 02:40:46 0 d-----w- c:\windows\pss
2009-12-02 02:33:55 0 d-----w- c:\documents and settings\all users\Microsoft PData

==================== Find3M ====================

2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 16:02:34.19 ===============
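As an added example for this thread (not code from BleepingComputer, DDS or OTL), here is a small Python parser for the two log formats that appear here: the DDS "Created Last 30" / "Find3M" lines above, and the OTL PRC/SRV/DRV records the helper asks for in the reply that follows. It turns each line into a structured record (timestamp, size, path, and for OTL the company, state and service name), then applies two review filters that are my own assumption, not anything the logs or tools assert: zero-byte files that are not directories, and OTL records whose company field is empty (the same idea as OTL's "Company Name Whitelist" setting). The sample lines are copied from the logs posted in this thread.

```python
"""Parser for the two log formats posted in this thread (DDS and OTL),
with simple review filters. Added example for the thread, not code from
BleepingComputer, DDS or OTL; the review filters are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Sample lines copied from the logs posted in this thread.
# DDS "Created Last 30" format: date time size attributes path
DDS_LINES = r"""
2009-12-26 23:20:40 778240 ----a-w- c:\windows\system32\Petz 5.scr
2009-12-02 03:16:03 0 ----a-w- c:\windows\system32\6334.exe
2009-12-02 02:52:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 02:52:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
"""
# OTL format: TYPE - [date time | size | attrs | M] (company) [state] -- path -- (name)
OTL_LINES = r"""
PRC - [2010/01/11 20:39:33 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\family\Desktop\OTL.exe
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2006/11/01 19:48:12 | 00,020,480 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
PRC - [2006/10/11 16:48:50 | 00,532,480 | ---- | M] ( ) -- C:\WINDOWS\system32\dlcxcoms.exe
DRV - [2006/11/30 07:50:00 | 00,168,776 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
"""

DDS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
OTL_RE = re.compile(
    r"^(PRC|MOD|SRV|DRV) - \[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| \S{4} \| \w\] "
    r"\((.*?)\)(?: \[([^\]]*)\])? -- (.+?)(?: -- \((.+)\))?$"
)


@dataclass
class Entry:
    source: str                    # "DDS" or the OTL record type (PRC/MOD/SRV/DRV)
    timestamp: datetime
    size: int                      # bytes
    path: str
    company: Optional[str] = None  # OTL only; "" when the field was empty
    is_dir: bool = False           # DDS 'd' attribute flag
    state: Optional[str] = None    # OTL start type / running state, e.g. "Auto | Running"
    name: Optional[str] = None     # OTL service or driver name


def parse_dds(text: str) -> List[Entry]:
    """Parse DDS 'Created Last 30' / 'Find3M' lines; unrecognised lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        out.append(Entry("DDS", datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                         int(size), path, is_dir=attrs[0] == "d"))
    return out


def parse_otl(text: str) -> List[Entry]:
    """Parse OTL PRC/MOD/SRV/DRV records; the size field is written as 00,544,256."""
    out = []
    for line in text.splitlines():
        m = OTL_RE.match(line.strip())
        if not m:
            continue
        kind, ts, size, company, state, path, name = m.groups()
        out.append(Entry(kind, datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                         int(size.replace(",", "")), path,
                         company=company.strip(), state=state, name=name))
    return out


def review_candidates(entries: List[Entry]) -> List[str]:
    """Paths worth a second look (assumed filters, not verdicts): zero-byte
    files that are not directories, and OTL records with an empty company field."""
    flagged = []
    for e in entries:
        if e.size == 0 and not e.is_dir:
            flagged.append(e.path)
        elif e.company is not None and e.company == "":
            flagged.append(e.path)
    return flagged


if __name__ == "__main__":
    records = parse_dds(DDS_LINES) + parse_otl(OTL_LINES)
    for r in sorted(records, key=lambda e: e.timestamp, reverse=True):
        print(f"{r.timestamp:%Y-%m-%d %H:%M:%S} {r.source:<4} {r.size:>10} {r.path}")
    print("review:", review_candidates(records))
```

Directories are excluded from the zero-byte filter because DDS reports every directory with size 0, and a missing company name only means the file carries no version information, which is common for OEM utilities; both filters narrow a long log to a short list to check by hand, nothing more.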

Attached Files





#2 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,774 posts

Posted 10 January 2010 - 07:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the [image] button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 McGrumpy

  • Topic Starter
  • Members
  • 7 posts

Posted 11 January 2010 - 09:09 PM

No worries about the delay, Myrti. I am glad there are people that are willing to help out others when they get these nasties on their machines.

OTL.txt
OTL logfile created on: 1/11/2010 8:40:28 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\family\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.07 Gb Total Space | 66.97 Gb Free Space | 62.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KAITY
Current User Name: family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/11 20:39:33 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\family\Desktop\OTL.exe
PRC - [2010/01/07 19:23:56 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/19 10:23:24 | 07,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 10:23:22 | 07,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/12/12 11:41:06 | 00,157,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2008/12/12 11:41:02 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/30 07:50:00 | 00,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2006/11/30 07:50:00 | 00,112,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2006/11/30 07:50:00 | 00,054,872 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2006/11/17 12:40:56 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2006/11/17 12:39:58 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2006/11/17 12:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2006/11/17 02:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe
PRC - [2006/11/01 19:48:12 | 01,392,640 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2006/11/01 19:48:12 | 00,020,480 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2006/11/01 19:48:10 | 01,253,376 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2006/10/11 16:48:50 | 00,532,480 | ---- | M] ( ) -- C:\WINDOWS\system32\dlcxcoms.exe
PRC - [2006/09/23 03:49:08 | 00,401,408 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2006/09/22 12:47:54 | 00,761,947 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/09/22 12:06:26 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/08/23 17:14:42 | 01,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/08/23 17:13:28 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2006/01/02 18:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/12/09 21:29:52 | 00,049,152 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
PRC - [2005/09/08 06:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2004/07/27 17:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2003/10/29 03:06:00 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/01/11 20:39:33 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\family\Desktop\OTL.exe
MOD - [2006/08/23 17:14:58 | 00,073,728 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/12/12 11:41:18 | 05,117,568 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2008/12/12 11:41:08 | 00,243,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2008/12/12 11:41:02 | 00,060,032 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/11/30 07:50:00 | 00,144,960 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2006/11/30 07:50:00 | 00,054,872 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2006/11/17 12:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2006/11/01 19:48:12 | 00,020,480 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2006/10/11 16:48:50 | 00,532,480 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\dlcxcoms.exe -- (dlcx_device)
SRV - [2006/09/23 03:49:08 | 00,401,408 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2006/08/23 17:13:28 | 00,380,928 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)


========== Driver Services (SafeList) ==========

DRV - [2009/06/30 09:37:16 | 00,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/11/10 11:09:32 | 00,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2008/04/13 13:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/11/30 07:50:00 | 00,168,776 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2006/11/30 07:50:00 | 00,072,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2006/11/30 07:50:00 | 00,064,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2006/11/30 07:50:00 | 00,052,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2006/11/30 07:50:00 | 00,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2006/11/30 07:50:00 | 00,031,944 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2006/11/02 06:00:08 | 00,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/10/12 22:28:42 | 00,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/09/23 03:56:40 | 01,681,920 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/09/22 12:47:52 | 00,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/09/22 12:06:26 | 01,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/08/17 14:55:16 | 00,044,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/07/01 23:39:40 | 00,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/12/01 08:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 08:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 08:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/10/05 05:57:08 | 00,012,544 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/09/12 04:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 06:20:00 | 00,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 06:20:00 | 00,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 06:20:00 | 00,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 06:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 06:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 06:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 06:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 13:16:52 | 00,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 13:16:16 | 00,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 18:50:46 | 00,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/12 06:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/07/15 00:58:14 | 00,028,544 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/01/26 03:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2004/08/10 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/23 14:00:00 | 00,022,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 15:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 13:12:10 | 00,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
IE - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://twilightguide.com/tg/
IE - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006\S-1-5-21-4007019867-3781143930-1711286004-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006\S-1-5-21-4007019867-3781143930-1711286004-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://twilightguide.com/tg/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:3.3.19
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5
FF - prefs.js..extensions.enabledItems: optout@dubfire.net:2.0
FF - prefs.js..extensions.enabledItems: {3EC9C995-8072-4fc0-953E-4F30620D17F3}:2.0.0.4

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/08 06:30:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/07 19:24:04 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/08/21 09:05:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/08/07 18:38:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\family\Application Data\Mozilla\Extensions
[2009/08/07 18:38:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\family\Application Data\Mozilla\Extensions\IMVUClientXUL@imvu.com
[2010/01/11 17:45:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\family\Application Data\Mozilla\Firefox\Profiles\0496pt4l.default\extensions
[2009/12/11 16:53:51 | 00,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\family\Application Data\Mozilla\Firefox\Profiles\0496pt4l.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2009/07/02 09:38:40 | 00,000,000 | ---D | M] (WeatherBug) -- C:\Documents and Settings\family\Application Data\Mozilla\Firefox\Profiles\0496pt4l.default\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
[2010/01/08 06:30:14 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\family\Application Data\Mozilla\Firefox\Profiles\0496pt4l.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/07/29 13:04:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\family\Application Data\Mozilla\Firefox\Profiles\0496pt4l.default\extensions\optout@dubfire.net
[2009/12/15 17:35:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\family\Application Data\Mozilla\Firefox\Profiles\0496pt4l.default\extensions\personas@christopher.beard
[2010/01/11 15:19:48 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (371817 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12818 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DLCXCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.DLL ()
O4 - HKLM..\Run: [dlcxmon.exe] C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe ()
O4 - HKLM..\Run: [DVDLauncher] C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Dell PC Fax\fm3032.exe ()
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\family\Start Menu\Programs\Startup\IMVU.lnk = C:\Documents and Settings\family\Application Data\IMVUClient\IMVUClient.exe File not found
O4 - Startup: C:\Documents and Settings\family\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\family\Start Menu\Programs\Startup\Registration Dogz 5 - Catz 5 Compilation Jewelcase.LNK = D:\RegistrationReminder.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\family\Start Menu\Programs\IMVU\Run IMVU.lnk File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-4007019867-3781143930-1711286004-1006\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = penguin.tzo.org
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\family\My Documents\My Pictures\luv jacob.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\family\My Documents\My Pictures\luv jacob.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/11 20:39:32 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\family\Desktop\OTL.exe
[2010/01/03 13:29:59 | 00,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/01/03 13:28:54 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/12/31 15:57:06 | 00,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2009/12/31 15:55:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\family\Desktop\Home
[2009/12/27 07:47:12 | 00,000,000 | ---D | C] -- C:\Program Files\JRE
[2009/12/27 07:46:55 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/27 07:43:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\sun
[2009/12/26 18:20:18 | 00,000,000 | ---D | C] -- C:\Program Files\Ubi Soft
[2009/08/11 08:16:18 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxinpa.dll
[2009/08/11 08:16:18 | 00,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxhcp.dll
[2009/08/11 08:16:17 | 01,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxserv.dll
[2009/08/11 08:16:17 | 00,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxusb1.dll
[2009/08/11 08:16:17 | 00,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxiesc.dll
[2009/08/11 08:16:16 | 00,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxpmui.dll
[2009/08/11 08:16:16 | 00,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxlmpm.dll
[2009/08/11 08:16:16 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxprox.dll
[2009/08/11 08:16:16 | 00,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxpplc.dll
[2009/08/11 08:16:15 | 00,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxhbn3.dll
[2009/08/11 08:16:13 | 00,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxcomc.dll
[2009/08/11 08:16:13 | 00,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcxcomm.dll
[2008/09/22 20:39:45 | 00,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[2008/08/26 05:41:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/08/23 22:22:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/08/16 05:49:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2005/08/16 05:30:12 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[6 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[282 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/11 20:39:33 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\family\Desktop\OTL.exe
[2010/01/10 13:11:52 | 00,460,864 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/10 13:11:52 | 00,079,886 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/10 13:11:51 | 00,550,154 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/10 13:09:37 | 07,340,032 | -H-- | M] () -- C:\Documents and Settings\family\NTUSER.DAT
[2010/01/10 13:07:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/10 13:07:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/10 13:07:01 | 20,112,79360 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/09 18:31:11 | 00,371,817 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/09 18:21:07 | 00,371,817 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100109-183111.backup
[2010/01/09 17:13:08 | 00,371,817 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100109-182107.backup
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/03 18:25:56 | 00,371,233 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100109-171308.backup
[2010/01/03 13:19:58 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\family\Local Settings\Application Data\housecall.guid.cache
[2009/12/29 11:38:14 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/27 08:08:25 | 00,284,520 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/27 08:06:50 | 06,919,772 | -H-- | M] () -- C:\Documents and Settings\family\Local Settings\Application Data\IconCache.db
[2009/12/27 07:50:38 | 00,000,905 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.1.lnk
[2009/12/26 19:12:32 | 00,016,554 | ---- | M] () -- C:\Documents and Settings\family\Desktop\Crock Pot Santa Fe Chicken.odt
[2009/12/26 18:26:11 | 00,000,585 | ---- | M] () -- C:\Documents and Settings\family\Start Menu\Programs\Startup\Registration Dogz 5 - Catz 5 Compilation Jewelcase.LNK
[2009/12/26 18:25:48 | 00,002,043 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Register Petz 5.lnk
[2009/12/26 18:25:34 | 00,001,811 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Petz 5.lnk
[2009/12/26 18:25:34 | 00,000,116 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ubi Soft Website.url
[2009/12/23 21:20:26 | 00,370,657 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100103-182556.backup
[2009/12/23 21:17:39 | 00,370,657 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091223-212026.backup
[2009/12/22 18:49:23 | 00,366,461 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091223-211739.backup
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[282 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/03 13:19:58 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\family\Local Settings\Application Data\housecall.guid.cache
[2009/12/26 19:12:30 | 00,016,554 | ---- | C] () -- C:\Documents and Settings\family\Desktop\Crock Pot Santa Fe Chicken.odt
[2009/12/26 18:26:11 | 00,000,585 | ---- | C] () -- C:\Documents and Settings\family\Start Menu\Programs\Startup\Registration Dogz 5 - Catz 5 Compilation Jewelcase.LNK
[2009/12/26 18:25:48 | 00,002,043 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Register Petz 5.lnk
[2009/12/26 18:25:34 | 00,001,811 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Petz 5.lnk
[2009/12/26 18:25:34 | 00,000,116 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ubi Soft Website.url
[2009/12/26 18:20:40 | 00,778,240 | ---- | C] () -- C:\WINDOWS\System32\Petz 5.scr
[2009/08/11 08:20:32 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcxvs.dll
[2009/08/11 08:20:28 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\dlcxcoin.dll
[2009/08/11 08:19:49 | 00,692,224 | ---- | C] () -- C:\WINDOWS\System32\dlcxdrs.dll
[2009/08/11 08:19:49 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcxcaps.dll
[2009/08/11 08:19:48 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcxcnv4.dll
[2009/08/11 08:18:10 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\DLPRMON.DLL
[2009/08/11 08:18:10 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\DLPMONUI.DLL
[2009/08/11 08:16:18 | 00,274,432 | ---- | C] () -- C:\WINDOWS\System32\dlcxinst.dll
[2009/08/11 08:16:17 | 00,454,656 | ---- | C] () -- C:\WINDOWS\System32\dlcxutil.dll
[2009/08/11 08:16:16 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcxinsb.dll
[2009/08/11 08:16:16 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\dlcxjswr.dll
[2009/08/11 08:16:16 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlcxinsr.dll
[2009/08/11 08:16:15 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\dlcxgrd.dll
[2009/08/11 08:16:15 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcxins.dll
[2009/08/11 08:16:14 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcxcub.dll
[2009/08/11 08:16:14 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcxcu.dll
[2009/08/11 08:16:14 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcxcur.dll
[2009/08/11 08:16:13 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\DLCXcfg.dll
[2009/08/10 14:26:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/09/22 20:39:45 | 00,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2008/08/23 23:16:56 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/08/23 21:47:51 | 00,000,129 | ---- | C] () -- C:\Documents and Settings\family\Local Settings\Application Data\fusioncache.dat
[2008/08/23 20:38:21 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\family\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/28 10:20:04 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/28 10:09:01 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/28 10:03:58 | 00,000,194 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/11/28 09:50:49 | 00,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/11/28 09:22:54 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/11/28 09:22:50 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/11/28 09:22:16 | 00,000,390 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 09:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 05:37:24 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 05:18:37 | 00,022,040 | ---- | C] () -- C:\WINDOWS\System32\_003165_.tmp.dll
[2005/08/16 05:18:22 | 00,249,270 | ---- | C] () -- C:\WINDOWS\System32\_003197_.tmp.dll
[2005/08/05 15:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2001/08/23 14:00:00 | 00,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
< End of report >

Extra.txt
OTL Extras logfile created on: 1/11/2010 8:40:28 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\family\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.07 Gb Total Space | 66.97 Gb Free Space | 62.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KAITY
Current User Name: family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-4007019867-3781143930-1711286004-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\WINDOWS\system32\dlcxcoms.exe" = C:\WINDOWS\system32\dlcxcoms.exe:*:Enabled:Dell 926 Server -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0959198E-9CB6-4BF2-905A-D275DDDED3DC}" = Petz 5
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{2D37F6AE-D201-4580-B91A-6BF9BB93ED2D}" = The Sims™ 2 Double Deluxe
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{4817189D-1785-4627-A33C-39FD90919300}" = The Sims 2 Pets
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC6AE077-1566-4655-BE73-38A869C150DC}" = ATI Catalyst Control Center
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6F5B704-06D3-4687-90F3-6195304AD755}" = The Sims™ 2 Apartment Life
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{E8C06CB3-5DB2-4689-B1DC-4A0220DEA96C}" = Consumer Complete Care Services Agreement
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"{FF70513F-E3A7-402F-84FB-B7810A064BE2}" = Zune
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Cooking Dash" = Cooking Dash (remove only)
"Dell PC Fax" = Dell PC Fax
"Dell Photo AIO Printer 926" = Dell Photo AIO Printer 926
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uninstall_is1" = Uninstall 1.0.0.1
"UnityWebPlayer" = Unity Web Player
"VLC media player" = VLC media player 0.9.9
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Zoo Tycoon 1.0" = Zoo Tycoon: Complete Collection
"Zune" = Zune

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4007019867-3781143930-1711286004-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/6/2009 8:32:09 PM | Computer Name = KAITY | Source = McLogEvent | ID = 1008
Description = The McShield service terminated unexpectedly. Please review event 5019
or 5051 for details. The McShield service will be restarted in 5 seconds;

Error - 9/7/2009 7:10:14 PM | Computer Name = KAITY | Source = McLogEvent | ID = 5019
Description = Exception in McShield.Exe! Exception details follow : VSCORE.13.3.1.100
Exception
Code : 0XC0000005 Exception Address : 0X0040AE3D Exception Parameters :
2 Param 1 = 00000000 Param 2 = 00000000 More information : Exception in UpdateCallback
thread.

Error - 9/7/2009 7:11:42 PM | Computer Name = KAITY | Source = WmiAdapter | ID = 4099
Description = Open of service failed.

Error - 9/7/2009 7:11:50 PM | Computer Name = KAITY | Source = McLogEvent | ID = 1008
Description = The McShield service terminated unexpectedly. Please review event 5019
or 5051 for details. The McShield service will be restarted in 5 seconds;

Error - 9/15/2009 4:09:29 PM | Computer Name = KAITY | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 8007041d: InitEventCollector fail

Error - 10/21/2009 6:17:39 PM | Computer Name = KAITY | Source = WmiAdapter | ID = 4099
Description = Open of service failed.

Error - 10/31/2009 8:49:47 AM | Computer Name = KAITY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 10/31/2009 8:51:48 AM | Computer Name = KAITY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 11/11/2009 9:29:56 PM | Computer Name = KAITY | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 8007041d: InitEventCollector fail

Error - 11/16/2009 1:36:59 AM | Computer Name = KAITY | Source = McLogEvent | ID = 259
Description = The scan found detections. Scan engine version 5301.4018 DAT version
5803.

[ System Events ]
Error - 1/10/2010 1:17:51 AM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/10/2010 2:15:32 AM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/10/2010 4:28:54 AM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/10/2010 5:26:25 AM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/10/2010 7:28:47 AM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/11/2010 12:15:19 AM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/11/2010 5:14:20 AM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/11/2010 10:19:41 AM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/11/2010 2:20:49 PM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.

Error - 1/11/2010 7:25:51 PM | Computer Name = KAITY | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort2, did not respond within the timeout
period.


< End of report >

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:03:26 PM

Posted 11 January 2010 - 09:26 PM

Hi,

That log looks rather clean. Please run a rootkit scan to see what else is present:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 McGrumpy

McGrumpy
  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:26 AM

Posted 13 January 2010 - 08:17 AM

I ran GMER 3 times and it hung each time I tried to save the report. I will try safe mode tonight... just wanted to update to keep this thread alive.

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home
  • Local time:03:26 PM

Posted 13 January 2010 - 09:01 AM

Hi,

no problem. :(

If GMER also freezes in safe mode, please run the following tool instead:

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti



#7 McGrumpy

McGrumpy
  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:26 AM

Posted 14 January 2010 - 08:17 PM

Here is the log from GMER. McAfee would not let me disable it or mess with the services... so it was active during the scan... sorry.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-14 06:32:13
Windows 5.1.2600 Service Pack 3
Running: mk3x6olj.exe; Driver: C:\DOCUME~1\family\LOCALS~1\Temp\fxtdqpow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort2 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort3 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fastfat \Fat AD2B4D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAD5CE35B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAD5CE2DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAD5CE385]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAD5CE2EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAD5CE31B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAD5CE3AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAD5CE2C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAD5CE36F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAD5CE305]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAD5CE331]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAD5CE347]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAD5CE3C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAD5CE399]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 020D0FBD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 020D0044
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 020D0055
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 020D0FAC
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [2D, 8A]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 020D0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 020D0022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 020D0033
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 020D0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 020E0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 020E0FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 020E0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 020E001E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [85]
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 020E0F4B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 020E0078
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 020E0089
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 020E00A4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 020E0F30
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 020E0F1F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 020E002F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 020E005B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 020E0F92
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 020E004A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 020E0F81
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 020E0F5C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 020E0EFA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 020C001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 020C0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 020C0FC6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 020C0FE3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 020C0FAB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 020C0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 020A0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 020A0022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 020A003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 020A0011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 020B0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01030F8D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01030014
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01030F61
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01030F72
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [23, 89]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01030FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01030FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01030FA8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01030FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01040FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01040FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01040000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01040011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01040084
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010400DF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01040F46
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010400F0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0104009F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010400B0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01040036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01040058
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01040F9B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01040047
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01040F7E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01040073
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01040F57
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10022
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FD7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10FC6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10047
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EF0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EF0FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00EF001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EF0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[756] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 022F004A
.text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 022F0076
.text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 022F0091
.text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 022F0065
.text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 022F0000
.text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 022F0FEF
.text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 022F0FDE
.text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 022F0025
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027C0000
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027C0FE5
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027C0FCA
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027C001B
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027C0076
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027C0F15
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027C00AE
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027C00BF
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027C0F4B
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027C0F30
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027C002C
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027C0FAF
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027C0F92
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027C0051
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027C0F81
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027C0F5C
.text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027C0093
.text C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 022E0018
.text C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 022E0FEF
.text C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 022E0033
.text C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 022E0FDE
.text C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 022E0044
.text C:\WINDOWS\Explorer.EXE[1768] msvcrt.dll!system 77C293C7 5 Bytes JMP 022E0FB9
.text C:\WINDOWS\Explorer.EXE[1768] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 022C0000
.text C:\WINDOWS\Explorer.EXE[1768] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 022C0FDB
.text C:\WINDOWS\Explorer.EXE[1768] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 022C0FCA
.text C:\WINDOWS\Explorer.EXE[1768] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 022C0011
.text C:\WINDOWS\Explorer.EXE[1768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 022D0000
.text C:\WINDOWS\system32\dllhost.exe[3784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0081004A
.text C:\WINDOWS\system32\dllhost.exe[3784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00810080
.text C:\WINDOWS\system32\dllhost.exe[3784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00810FC3
.text C:\WINDOWS\system32\dllhost.exe[3784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0081005B
.text C:\WINDOWS\system32\dllhost.exe[3784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\dllhost.exe[3784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00810025
.text C:\WINDOWS\system32\dllhost.exe[3784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00810FD4
.text C:\WINDOWS\system32\dllhost.exe[3784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00810FE5
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00820FDB
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0082001B
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00820FCA
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00820079
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00820F2E
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00820F13
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008200C7
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0082008A
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0082009B
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00820036
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00820FA8
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00820F97
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00820FB9
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00820F7A
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00820F69
.text C:\WINDOWS\system32\dllhost.exe[3784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008200AC
.text C:\WINDOWS\system32\dllhost.exe[3784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0080001D
.text C:\WINDOWS\system32\dllhost.exe[3784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0080000C
.text C:\WINDOWS\system32\dllhost.exe[3784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0080002E
.text C:\WINDOWS\system32\dllhost.exe[3784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800FE3
.text C:\WINDOWS\system32\dllhost.exe[3784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0080003F
.text C:\WINDOWS\system32\dllhost.exe[3784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800FBE
.text C:\WINDOWS\system32\dllhost.exe[3784] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\dllhost.exe[3784] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0067002F
.text C:\WINDOWS\system32\dllhost.exe[3784] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00670040
.text C:\WINDOWS\system32\dllhost.exe[3784] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00670014
.text C:\WINDOWS\system32\dllhost.exe[3784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00870000

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9F21780]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010D0040
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010D006C
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010D0087
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010D005B
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010D0025
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010D0FDE
.text C:\WINDOWS\system32\lsass.exe[916] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010D000A
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E000A
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010E001B
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010E002C
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E0047
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010E00DA
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E0F94
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E012D
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010E013E
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E00F7
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E0108
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E0058
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E008E
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E009F
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E007D
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E0FD1
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E0FC0
.text C:\WINDOWS\system32\lsass.exe[916] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010E0FA5
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010C003A
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010C0000
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010C0FEF
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010C0029
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010C0FC3
.text C:\WINDOWS\system32\lsass.exe[916] msvcrt.dll!system 77C293C7 5 Bytes JMP 010C0FDE
.text C:\WINDOWS\system32\lsass.exe[916] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 010A0FE5
.text C:\WINDOWS\system32\lsass.exe[916] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 010A0FC0
.text C:\WINDOWS\system32\lsass.exe[916] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 010A0FAF
.text C:\WINDOWS\system32\lsass.exe[916] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 010A0000
.text C:\WINDOWS\system32\lsass.exe[916] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010B0000
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C80089
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C800C8
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C800D9
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C800F4
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C8009A
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C800B7
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80FC3
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C8005B
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C8006C
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80F9E
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80F79
.text C:\WINDOWS\system32\services.exe[904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C80F54
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FB5
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FC6
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[904] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060F90
.text C:\WINDOWS\system32\services.exe[904] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[904] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00040036
.text C:\WINDOWS\system32\services.exe[904] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[904] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0122001B
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01220F83
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01220040
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01220F94
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [42, 89]
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01220FE5
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01220FB9
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0122000A
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01220FCA
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01280FEF
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01280FDE
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01280014
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01280025
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01280F99
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0128010B
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01280F72
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01280F61
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012800C4
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012800D5
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01280036
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0128006C
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0128007D
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01280051
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0128008E
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012800A9
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012800F0
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01210029
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01210FEF
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01210FD4
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0121000C
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0121004B
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 0121003A
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 011F0FE5
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 011F0FCA
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 011F001B
.text C:\WINDOWS\system32\svchost.exe[1124] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 011F0000
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01200FEF
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0F7C
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0F6B
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FF0F8D
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1F, 89]
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090FEF
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01090FDE
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01090FCD
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01090FBC
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0109006F
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01090F38
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010900DB
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01090F27
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01090080
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01090091
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01090FAB
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090032
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01090043
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01090F90
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01090054
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01090F55
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010900B6
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0029
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE003A
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0018
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0066
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0055
.text C:\WINDOWS\system32\svchost.exe[1220] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1220] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EB0FCA
.text C:\WINDOWS\system32\svchost.exe[1220] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\svchost.exe[1220] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EB0FEF
.text C:\WINDOWS\system32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD000A
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02D70011
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02D70F76
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02D70033
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02D70022
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02D70FEF
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02D70FCA
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02D70FAF
.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02D70000
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02F50000
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02F50FE5
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02F5001B
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02F50FCA
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02F50F4D
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02F50095
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02F500A6
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02F50EF2
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02F50084
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02F50F32
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02F50036
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02F50FA5
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02F50F94
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02F50047
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02F50F79
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02F50F5E
.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02F50F21
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02D60000
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02D60FE3
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02D60FA1
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02D60FD2
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02D6001B
.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 02D60F90
.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02D40000
.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02D40FD4
.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02D40025
.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02D40FEF
.text C:\WINDOWS\System32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02D50FEF
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0098001E
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0098002F
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00980F7C
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00980F97
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B8, 88]
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00980FEF
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00980FC3
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00980FB2
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00980FD4
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00990FDE
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00990F63
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009900D0
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00990F37
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00990F1C
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0099008E
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009900AB
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00990FB9
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00990FA8
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0099005B
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0099004A
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0099006C
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0099007D
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00990F48
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0097002E
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00970FD9
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00970011
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00970FB7
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!system 77C293C7 5 Bytes JMP 00970FC8
.text C:\WINDOWS\system32\svchost.exe[1352] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\svchost.exe[1352] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00960025
.text C:\WINDOWS\system32\svchost.exe[1352] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00960FDE
.text C:\WINDOWS\system32\svchost.exe[1352] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F10FB2
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10F83
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F1004A
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F1002F
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F10FC3
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F1001E
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F10FD4
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F20040
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F20F70
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F200C7
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F200E2
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F20F2E
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F20F49
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F2009B
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F20FD4
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F20FA8
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20065
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F20FB9
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20F8B
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F20080
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F200B6
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F00FD2
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F00027
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F00FE3
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F00FB7
.text C:\WINDOWS\system32\svchost.exe[1504] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F00042
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EE0FCA
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00EE0FB9
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EE0FDB
.text C:\WINDOWS\system32\svchost.exe[1504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A5003D
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50FAC
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A50069
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A50058
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A50011
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A5002C
.text C:\WINDOWS\system32\svchost.exe[1632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0FCA
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0FAF
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA0F3C
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA00A4
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00B5
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA00C6
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA0067
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0078
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0F94
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0F72
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA002F
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0F83
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA004C
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0F57
.text C:\WINDOWS\system32\svchost.exe[1632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA0093
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A40011
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A40FB2
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A40F8D
.text C:\WINDOWS\system32\svchost.exe[1632] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A40022
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A20FCD
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A20014
.text C:\WINDOWS\system32\svchost.exe[1632] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A20FDE
.text C:\WINDOWS\system32\svchost.exe[1632] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0FB9
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0047
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB0062
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EB0036
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0FCA
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0014
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC002F
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC0076
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0F2E
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC00BD
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC00CE
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F3F
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0091
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0FC3
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0FA8
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC005B
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0F81
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F66
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC00AC
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA003A
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0055
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0029
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA008B
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0070
.text C:\WINDOWS\system32\svchost.exe[1740] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\svchost.exe[1740] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E80025
.text C:\WINDOWS\system32\svchost.exe[1740] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\svchost.exe[1740] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[1740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D90FA8
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90039
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D9004A
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D90F8D
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F9, 88]
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90FC3
.text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA000A
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA0FDE
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FB9
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0F30
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA0EDD
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA0076
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA0091
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA0F1F
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA0065
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0025
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0F9E
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0F83
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0040
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA0F5C
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA0F4B
.text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA0F02
.text C:\WINDOWS\system32\svchost.exe[1800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D8001D
.text C:\WINDOWS\system32\svchost.exe[1800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80FE3
.text C:\WINDOWS\system32\svchost.exe[1800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80FBE
.text C:\WINDOWS\system32\svchost.exe[1800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D8000C
.text C:\WINDOWS\system32\svchost.exe[1800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D8003F
.text C:\WINDOWS\system32\svchost.exe[1800] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D8002E
.text C:\WINDOWS\system32\svchost.exe[1800] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1800] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D70FDB
.text C:\WINDOWS\system32\svchost.exe[1800] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D70FCA
.text C:\WINDOWS\system32\svchost.exe[1800] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00880022
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0088004E
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0088005F
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0088003D
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00880FE5
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00880011
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00880FC0
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00880000
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90FCA
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90087
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D900D3
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D900E4
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90F26
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D900A4
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F5C
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90036
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90F9E
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90F81
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D9005B
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D9006C
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D90F4B
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00870022
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00870000
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00870FC3
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00870011
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00870FA8
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!system 77C293C7 5 Bytes JMP 0087003D
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00850025
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00850FDE
.text C:\WINDOWS\system32\svchost.exe[1968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00860FEF

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4007019867-3781143930-1711286004-1006@RefCount 24

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AD5CE35F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP AD5CE3B3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP AD5CE2DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP AD5CE389 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP AD5CE2F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP AD5CE31F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP AD5CE2CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP AD5CE373 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP AD5CE309 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP AD5CE335 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP AD5CE34B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP AD5CE3C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AD5CE39D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:03:26 PM

Posted 14 January 2010 - 08:28 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 McGrumpy


Posted 15 January 2010 - 09:57 AM

I was afraid of that...I am going to chalk this up as a lesson in "Safe Computing" for my daughter and put her through the hassle of wiping and rebuilding a machine.
It will be a good learning experience for her :(

On a side note, what in the attached log clued you into the problem?

Thanks for your time.

#10 myrti

Posted 15 January 2010 - 04:38 PM

Hi,

you've got the very popular tdl3-rootkit: http://www.prevx.com/blog/139/Tdss-rootkit...ns-the-net.html

It infects and replaces part of your disk controller, in this case the atapi.sys. I only used the gmer log for confirmation that the infection is active though, since tdlcmd.dll is a known file of said rootkit.

The revealing lines are these:

Device \Driver\atapi \Device\Ide\IdePort0 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification


Depending on the version of the infection and the setup of your system, these lines may not be present even when infected. The last line usually is a pretty good indicator that something is seriously rotten on the system though.

regards myrti

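As an added triage example (not code from the thread, from GMER or from the helper), a small Python script that scans GMER 1.0.15 output for the three kinds of lines myrti points to: a file GMER reports as modified, a driver device object whose dispatch code sits in an "unknown section", and kernel hooks that no recognised security driver owns. The sample log text and the allow-list of legitimate hooking drivers are constructed assumptions.

```python
import re

# Constructed sample modelled on GMER 1.0.15 output (not the thread's full log): a device hook,
# two McAfee-owned kernel hooks, one hook with no owning module, and GMER's file verdict.
SAMPLE_LOG = r"""
---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [B9F14B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP AD5CE35F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP AD5CE2CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80624F88 5 Bytes JMP B9F1A2C0

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Assumption: the security drivers that legitimately hook the kernel on this machine.
KNOWN_SECURITY_DRIVERS = {"mfehidk.sys"}

DEVICE_RE = re.compile(r"Device \S+ \S+ \[[0-9A-F]+\] (\S+?)\[unknown section\]")
KHOOK_RE = re.compile(r"(?:PAGE|\.text|INIT) (\S+!\S+) [0-9A-F]+ \d+ Bytes JMP [0-9A-F]+(?: (\S+) \(.*\))?$")
STRONG = {"file_modified", "device_hook_unknown_section", "kernel_hook_no_module"}


def triage_gmer(log_text):
    """Return (category, detail) findings for the GMER lines that matter."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue  # blank line or section header
        if line.startswith("File ") and line.endswith("suspicious modification"):
            findings.append(("file_modified", line.split()[1]))  # GMER's own verdict on a file
            continue
        m = DEVICE_RE.match(line)
        if m:  # dispatch code living outside the driver image's known sections
            findings.append(("device_hook_unknown_section", m.group(1)))
            continue
        m = KHOOK_RE.match(line)
        if m:
            func, module = m.groups()
            owner = module.rsplit("\\", 1)[-1].lower() if module else None
            if owner is None:  # JMP into memory that no loaded module claims
                findings.append(("kernel_hook_no_module", func))
            elif owner not in KNOWN_SECURITY_DRIVERS:
                findings.append(("kernel_hook_unknown_module", f"{func} -> {owner}"))
    return findings


def verdict(findings):
    """Strong categories alone justify treating the box as actively rootkitted."""
    cats = {c for c, _ in findings}
    if cats & STRONG:
        return "active rootkit likely"
    return "review hooks" if cats else "nothing flagged"
```

Running `triage_gmer(SAMPLE_LOG)` yields three findings, all in the strong set, so `verdict` returns "active rootkit likely"; the McAfee-owned hooks are not reported.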


#11 McGrumpy


Posted 18 January 2010 - 12:40 PM

Thanks again for the assistance.

We (yes I made my 12 year old help) rebuilt the machine this weekend. Having the pain of reloading games, applications and personal settings will hopefully teach her a lesson on being more responsible and cautious when browsing the internet.

#12 myrti

Posted 19 January 2010 - 10:20 AM

Hi,

oh my, I hope that won't leave any permanent scars on her. :( It'll sure be a good learning experience for her, I'm sure she will be more careful in the future. I'm sure she will also have seen that a reformat is something she can do on her own and that it is nothing she needs to be scared of, which is a good thing. :)

I have a couple more tips, which may help her (and everybody else) from getting reinfected:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Some more links you might find of interest:

Have a nice day
myrti



#13 myrti

Posted 23 January 2010 - 08:53 PM

Since the issue seems resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

