Artemis! trojan removal


This topic is locked
22 replies to this topic

#1 WirePaladinSF (Members, 12 posts)

Posted 25 January 2010 - 09:35 PM

This is a repost of original issue but with the dds.txt and attach.txt files attached.

Computer is an older Gateway desktop; operating system is MS Windows XP Home Edition, SP3, with Pentium 4 CPU 2.00GHz, 1GB RAM.
I use McAfee Security Center and it updates regularly. It did not detect the download of the Artemis trojan. It did detect some of the havoc that resulted but would not detect the source of the problem. I could not use that machine to google anything about removing the trojans as every Google link was redirected. I had to use my laptop to download information about the virus. I also used it to download anti-spyware applications but none of them found the source. I tried SuperAntiSpyware, Malwarebytes, SpyBot, vcleaner.exe, ATF Cleaner, HijackThis, Microsoft's Windows-kb890830-v3.3, RUBotted, CCleaner, AVG Free software, System Mechanic, and Microsoft Security Essentials. None of them got the root source of the virus. I uninstalled McAfee since it could not find any problems in hopes of replacing it with AVG. However, AVG would not install - it could not make a necessary change in the registry. I found a web site that suggested ComboFix. When I downloaded it, opening it said it had the Artemis virus. The instructions said to disable McAfee because that was a false positive... Yeah sure. So, I tried everything else again. Nothing worked and each one took over an hour for a full scan.
I found this forum and found mention of ComboFix again. I copied all my documents and critical data to a memory stick. I downloaded ComboFix and uninstalled McAfee. It said to install Microsoft Recovery Console from a boot disk. I did not have a boot disk so made one from the MS Download website, copied it to the desktop and dropped the icon onto the ComboFix icon as instructed. It "rooted out" the problem so to speak. It saved a bunch of viruses in a folder called Qoobox. I reinstalled McAfee, and ran it along with Malwarebytes and Spybot. McAfee found Artemis!CAEA654CEE4A (two copies quarantined),
Artemis!3DD4ACDEA2A (repaired), FakeAlert-CK (two copies, repaired), Tool-NIRCmd (cannot be repaired). Microsoft Security Essentials found two viruses in a quarantined file which it said it removed. SpyBot only found tracking cookies.
Then I looked to see if I should post to this forum. It instructed me to first run DDS.scr and RootRepeal.exe before posting. I downloaded DDS.scr; it loaded and ran. I saved the files to the desktop. I moved on to download and run RootRepeal. Downloaded fine, but would not run. It just hangs and takes over all the CPU activity. I tried four times, rebooting between each try to get it to run. I had to use Task Manager to End Process to get it to stop hanging (not responding).
Now, what do I do with all the items in the Qoobox files, the quarantined files and registry .dat files? Can I use the file shredder from SpyBot to shred them? Do I disable System Restore before I do, shred, then re-enable System Restore? Should I get rid of registry backups that were created by other applications during this process? Should I post the dds.txt and attach files? The ComboFix-quarantined-files.txt?

Attached Files

#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 01 February 2010 - 07:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 WirePaladinSF (Topic Starter, Members, 12 posts)

Posted 02 February 2010 - 10:41 AM

m0le,
Thank you for working on this. I am still having issues, especially with IE8. This is the third try at a reply; IE8 keeps hanging and crashing this morning.
I am still unable to run RootRepeal.exe.
The C:\Qoobox directory has old malware in its Quarantine section. Do you have the ComboFix-quarantined-file.txt from my last post?
I have Trend Micro's RUBotted on this; it tells me from time to time that a malicious site attempted to poll my computer. I run Trend Micro's HouseCleaner and McAfee's scan and find nothing.
Don't know what to do next.
Thanks again for your help.

#4 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 02 February 2010 - 06:20 PM

IE8 is crashing and RootRepeal won't run.

These may be separate problems but let's see if we can get a rootkit scanner to run first.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE
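A triage helper for the gmer.log that the steps above produce, written here as an added example (it is not GMER's code and not part of this thread): it parses the System, Kernel code sections and User code sections lines into records, groups inline hooks by process, separates hooks that GMER attributes to a named driver or module from hooks with no attribution, and reports processes whose hooked-API sets are identical. The sample lines are constructed in the same layout as the log posted later in the thread; the addresses in them are illustrative.

```python
import re

# Constructed sample in the GMER 1.0.15 log layout (the same layout as the gmer.log
# posted later in this thread); the addresses are illustrative, not from a real scan.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE4B678A]
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP EE4B6811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.15 ----
.text C:\WINNT\system32\services.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010B0FE5
.text C:\WINNT\system32\services.exe[812] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EE000A
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FE5
.text C:\WINNT\system32\lsass.exe[824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0FEF
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F79
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
"""

# Inline patch of an export, in the kernel or in a DLL mapped into process[pid].
HOOK_RE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+"
    r"(?:(?P<process>\S+?)\[(?P<pid>\d+)\]\s+)?"       # only user-mode lines carry process[pid]
    r"(?P<image>\S+)!(?P<func>\S+(?: \+ \d+)?)\s+"     # "Func + 3" is the tail of a split patch
    r"(?P<addr>[0-9A-F]+)\s+(?P<nbytes>\d+) Bytes\s+(?P<patch>.*)$")
# JMP target, optionally attributed by GMER to a module and that module's version-info vendor.
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-F]+)(?:\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\))?$")
# System section: a service-table (SSDT) entry redirected into a driver.
SSDT_RE = re.compile(r"^Code\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\S+)"
                     r"(?:\s+\[(?P<target>0x[0-9A-F]+)\])?$")

# Capability classes for hooked exports; Nt/Zw prefixes are stripped before lookup.
API_CLASSES = {
    "file": {"CreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat",
             "CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
    "process": {"CreateProcess", "CreateProcessEx", "OpenProcess", "TerminateProcess", "OpenThread",
                "CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory": {"VirtualProtect", "VirtualProtectEx", "ProtectVirtualMemory", "MapViewOfSection"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
}

def classify(func):
    """Map a hooked export to a capability class; registry APIs are matched by name pattern."""
    name = func.split(" +")[0]
    if name.startswith(("Zw", "Nt")):
        name = name[2:]
    if name.startswith("Reg") or "Key" in name:
        return "registry"
    return next((cls for cls, names in API_CLASSES.items() if name in names), "other")

def parse_gmer_log(text):
    """One record per hook line; scope is 'kernel' or 'name.exe[pid]' for user-mode hooks."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append({"scope": "kernel", "kind": "ssdt", "image": "SSDT", "func": m["func"],
                          "module": m["module"], "vendor": m["vendor"],
                          "target": int(m["target"], 16) if m["target"] else None})
            continue
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        proc = m["process"].rsplit("\\", 1)[-1] if m["process"] else None
        rec = {"scope": f"{proc}[{m['pid']}]" if proc else "kernel", "kind": "inline",
               "image": m["image"], "func": m["func"], "addr": int(m["addr"], 16),
               "nbytes": int(m["nbytes"]), "patch": m["patch"],
               "target": None, "module": None, "vendor": None}
        j = JMP_RE.match(m["patch"])
        if j:
            rec["target"] = int(j["target"], 16)
            rec["module"], rec["vendor"] = j["module"], j["vendor"]
        hooks.append(rec)
    return hooks

def triage(hooks):
    """Per scope: hook count, capability classes, hooked APIs, attributed modules, unattributed JMPs."""
    report = {}
    for h in hooks:
        if " +" in h["func"]:
            continue  # remainder bytes of the preceding split patch, not a separate hook
        s = report.setdefault(h["scope"], {"hooks": 0, "classes": set(), "apis": set(),
                                           "attributed_to": set(), "unattributed": []})
        s["hooks"] += 1
        s["classes"].add(classify(h["func"]))
        s["apis"].add(h["func"])
        if h["module"]:
            s["attributed_to"].add(h["module"].rsplit("\\", 1)[-1].lower())
        elif h["target"] is not None:
            s["unattributed"].append((h["image"], h["func"], h["target"]))
    return report

def shared_api_sets(report):
    """Processes whose hooked-API sets are identical, i.e. one component patched into each of them."""
    groups = {}
    for scope, s in report.items():
        if scope != "kernel":
            groups.setdefault(frozenset(s["apis"]), []).append(scope)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

On the log posted later in this thread the kernel entries are all attributed to mfehidk.sys, while the user-mode JMPs in services.exe, lsass.exe and svchost.exe carry no module name; those unattributed, identically patterned hook sets are what the helper examines next, keeping in mind that an installed security product's own user-mode layer can hook the same exports.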

#5 WirePaladinSF (Topic Starter, Members, 12 posts)

Posted 03 February 2010 - 12:42 PM

When I opened GMER it did as you said. When I scanned, it took over two hours.
When I came back to the computer and clicked Save, it only saved the information that came up in the quick scan.
Is there another log somewhere that describes the full scan?

Here is the log that I did save:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-03 09:13:57
Windows 5.1.2600 Service Pack 3
Running: m2oo6zcf.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxrdqpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE4B678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEE4B6821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE4B6738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE4B674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE4B6835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE4B6861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE4B68CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE4B68B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE4B67CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE4B68FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE4B680D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE4B6710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE4B6724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE4B679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE4B6937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE4B68A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE4B688D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE4B684B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE4B6923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE4B690F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE4B6776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE4B6762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEE4B6877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE4B67F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE4B68E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE4B67E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE4B67B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EE4B67B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP EE4B6811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A382 7 Bytes JMP EE4B6891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EE4B678E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP EE4B6766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80572E9D 5 Bytes JMP EE4B6825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 805732AD 7 Bytes JMP EE4B693B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 7 Bytes JMP EE4B68D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP EE4B6714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP EE4B67A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP EE4B67E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP EE4B67CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80579A43 7 Bytes JMP EE4B687B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EE4B6750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP EE4B67FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP EE4B6728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058BA5D 5 Bytes JMP EE4B68FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590669 7 Bytes JMP EE4B68BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D50 7 Bytes JMP EE4B6865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952BE 7 Bytes JMP EE4B6839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EE4B673C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP EE4B677A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA6E 7 Bytes JMP EE4B68E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E394 7 Bytes JMP EE4B68A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E812 7 Bytes JMP EE4B684F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ED05 5 Bytes JMP EE4B6913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F16E 5 Bytes JMP EE4B6927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINNT\system32\services.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010B0FE5
.text C:\WINNT\system32\services.exe[812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010B0F9E
.text C:\WINNT\system32\services.exe[812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010B0093
.text C:\WINNT\system32\services.exe[812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010B006C
.text C:\WINNT\system32\services.exe[812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010B005B
.text C:\WINNT\system32\services.exe[812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010B0025
.text C:\WINNT\system32\services.exe[812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010B00C1
.text C:\WINNT\system32\services.exe[812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010B0F79
.text C:\WINNT\system32\services.exe[812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010B0F54
.text C:\WINNT\system32\services.exe[812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010B00E3
.text C:\WINNT\system32\services.exe[812] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010B0F39
.text C:\WINNT\system32\services.exe[812] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010B0040
.text C:\WINNT\system32\services.exe[812] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010B0FCA
.text C:\WINNT\system32\services.exe[812] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010B00A4
.text C:\WINNT\system32\services.exe[812] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010B0FB9
.text C:\WINNT\system32\services.exe[812] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010B0000
.text C:\WINNT\system32\services.exe[812] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010B00D2
.text C:\WINNT\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010A0FAF
.text C:\WINNT\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010A0F5E
.text C:\WINNT\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010A0000
.text C:\WINNT\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010A0FD4
.text C:\WINNT\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010A0F6F
.text C:\WINNT\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010A0FE5
.text C:\WINNT\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010A0011
.text C:\WINNT\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010A0F8A
.text C:\WINNT\system32\services.exe[812] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EF0053
.text C:\WINNT\system32\services.exe[812] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EF0042
.text C:\WINNT\system32\services.exe[812] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EF0027
.text C:\WINNT\system32\services.exe[812] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EF0000
.text C:\WINNT\system32\services.exe[812] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EF0FC8
.text C:\WINNT\system32\services.exe[812] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EF0FE3
.text C:\WINNT\system32\services.exe[812] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EE000A
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FE5
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00076
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00065
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00054
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00F97
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F0002F
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F000A2
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00091
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000D8
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F35
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F00F24
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FA8
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F00FD4
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F66
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F0000A
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FC3
.text C:\WINNT\system32\lsass.exe[824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F000B3
.text C:\WINNT\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0025
.text C:\WINNT\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0062
.text C:\WINNT\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0FCA
.text C:\WINNT\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FDB
.text C:\WINNT\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0051
.text C:\WINNT\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0000
.text C:\WINNT\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EF0040
.text C:\WINNT\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0FAF
.text C:\WINNT\system32\lsass.exe[824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0FD4
.text C:\WINNT\system32\lsass.exe[824] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE005F
.text C:\WINNT\system32\lsass.exe[824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FEF
.text C:\WINNT\system32\lsass.exe[824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0000
.text C:\WINNT\system32\lsass.exe[824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0044
.text C:\WINNT\system32\lsass.exe[824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE001D
.text C:\WINNT\system32\lsass.exe[824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0FEF
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0084
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0073
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0062
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FAF
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0047
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00B5
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F63
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F41
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00D0
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00EB
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FC0
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0011
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F7E
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FDB
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA002C
.text C:\WINNT\System32\svchost.exe[896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F52
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093000A
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F54
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FB9
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FD4
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0093001B
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F79
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINNT\System32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930F94
.text C:\WINNT\System32\svchost.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920058
.text C:\WINNT\System32\svchost.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920047
.text C:\WINNT\System32\svchost.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092002C
.text C:\WINNT\System32\svchost.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINNT\System32\svchost.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FD7
.text C:\WINNT\System32\svchost.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920011
.text C:\WINNT\System32\svchost.exe[896] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FE5
.text C:\WINNT\System32\svchost.exe[896] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900000
.text C:\WINNT\System32\svchost.exe[896] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900011
.text C:\WINNT\System32\svchost.exe[896] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900FC0
.text C:\WINNT\System32\svchost.exe[896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F86
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00F97
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00065
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C0004A
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00FA8
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C000C4
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C000A7
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00104
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C000E9
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00F46
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00039
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00FDE
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00096
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00014
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00FC3
.text C:\WINNT\system32\svchost.exe[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F61
.text C:\WINNT\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0FDB
.text C:\WINNT\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0F94
.text C:\WINNT\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF002C
.text C:\WINNT\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF001B
.text C:\WINNT\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0FA5
.text C:\WINNT\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000
.text C:\WINNT\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0051
.text C:\WINNT\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FCA
.text C:\WINNT\system32\svchost.exe[984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0038
.text C:\WINNT\system32\svchost.exe[984] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0027
.text C:\WINNT\system32\svchost.exe[984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FD2
.text C:\WINNT\system32\svchost.exe[984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINNT\system32\svchost.exe[984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FB7
.text C:\WINNT\system32\svchost.exe[984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3
.text C:\WINNT\system32\svchost.exe[984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0000
.text C:\WINNT\system32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FE5
.text C:\WINNT\system32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F3C
.text C:\WINNT\system32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F4D
.text C:\WINNT\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40F68
.text C:\WINNT\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40F79

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\Owner\Desktop\m2oo6zcf.exe[3004] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [715B9F5D] C:\WINNT\AppPatch\AcLayers.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Owner\Desktop\m2oo6zcf.exe[3004] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Owner\Desktop\m2oo6zcf.exe[3004] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [715B9E59] C:\WINNT\AppPatch\AcLayers.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
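As an added example (not from this thread and not GMER's own code), here is a small parser for the IAT lines in a GMER log like the one above. It groups hooked imports by the module that supplies the hook and flags any hooker outside an allow-list. In the posted log every hook resolves to AcLayers.DLL or ShimEng.dll, which the log's own descriptions identify as Windows' application-compatibility shim engine; that is the kind of check a helper does before calling a log clean. The first four sample lines are copied from the post; the last one (unknown_hook.dll, address DEADBEEF) is constructed so the output shows what a non-allow-listed hooker looks like. Function names and the allow-list are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# GMER IAT line: IAT <process>[pid] @ <module> [<import>] [<hook addr>] <hooker> (<description>)
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<import>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<hooker>.+?) \((?P<desc>.*)\)$"
)

# Sample: four lines copied from the posted GMER log, plus one constructed line
# (unknown_hook.dll / DEADBEEF) standing in for a hooker that is not allow-listed.
SAMPLE_GMER = r"""
IAT C:\Documents and Settings\Owner\Desktop\m2oo6zcf.exe[3004] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [715B9E59] C:\WINNT\AppPatch\AcLayers.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Owner\Desktop\m2oo6zcf.exe[3004] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Owner\Desktop\m2oo6zcf.exe[3004] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [715BA067] C:\WINNT\AppPatch\AcLayers.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Owner\Desktop\m2oo6zcf.exe[3004] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Owner\Desktop\m2oo6zcf.exe[3004] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!CreateFileW] [DEADBEEF] C:\WINNT\system32\unknown_hook.dll (constructed example, no vendor string)
"""

# Modules of the Windows application-compatibility shim engine, as described in
# the log itself. Hooks from these are expected on a machine running shimmed apps.
KNOWN_SHIM_ENGINE = {"aclayers.dll", "shimeng.dll"}


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_iat_hooks(text: str) -> List[dict]:
    """Return one dict per IAT line; lines in any other format are ignored."""
    hooks = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            hooks.append(d)
    return hooks


def hooks_by_hooker(hooks: List[dict]) -> Dict[str, List[str]]:
    """Map each hooking module (by file name) to the sorted imports it hooks."""
    grouped = defaultdict(set)
    for h in hooks:
        grouped[basename(h["hooker"])].add(h["import"])
    return {name: sorted(imports) for name, imports in grouped.items()}


def unexpected_hookers(hooks: List[dict], allowlist=KNOWN_SHIM_ENGINE) -> List[str]:
    """Hooking modules that are not on the allow-list; these need a closer look."""
    return sorted({basename(h["hooker"]) for h in hooks} - set(allowlist))


if __name__ == "__main__":
    hooks = parse_iat_hooks(SAMPLE_GMER)
    for hooker, imports in hooks_by_hooker(hooks).items():
        print(f"{hooker}: {', '.join(imports)}")
    print("not allow-listed:", unexpected_hookers(hooks) or "none")
```

On the posted log the allow-list check returns nothing, which is consistent with the "clean log" verdict in the next reply; on a real log a hit only means "explain this module", not "malware".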

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 February 2010 - 02:49 PM

That's the right log, WirePaladinSF

It's also a clean log.

You mentioned that you had Combofix on board.

First, can you find the log and post it.

Second, can you then uninstall it as below. This will remove the malware that may be lurking in other areas of the machine.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Please then run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks, so that's:

The Combofix log
Confirmation that you have uninstalled Combofix
The MBAM log

Edited by m0le, 03 February 2010 - 02:51 PM.

m0le is a proud member of UNITE

#7 WirePaladinSF

WirePaladinSF
  • Topic Starter

  • Members
  • 12 posts

Posted 06 February 2010 - 10:53 AM

m0le,
I can't find ComboFix anymore. I think I may have deleted the ComboFix.exe file without running uninstall.
Should I re-install and then uninstall to pick up any files I left behind?
Here is the ComboFix log:

2010-01-25 01:13:32 . 2010-01-25 01:13:32 542 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-tsnpstd.reg.dat
2010-01-25 01:13:32 . 2010-01-25 01:13:32 522 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-PROMon.reg.dat
2010-01-25 01:13:31 . 2010-01-25 01:13:31 646 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Microsoft Works Update Detection.reg.dat
2010-01-25 01:13:29 . 2010-01-25 01:13:29 602 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-AVG Anti-Spyware Guard.reg.dat
2010-01-25 01:13:29 . 2010-01-25 01:13:29 602 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-AVG Anti-Spyware Driver.reg.dat
2010-01-25 01:13:28 . 2010-01-25 01:13:28 546 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-9743WvRJX.reg.dat
2010-01-25 01:13:12 . 2010-01-25 01:13:12 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2010-01-25 00:58:12 . 2010-01-25 00:58:12 9,344 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-01-25 00:20:06 . 2010-01-25 00:20:06 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\24464.exe.vir
2010-01-25 00:00:06 . 2010-01-25 00:00:06 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\26962.exe.vir
2010-01-24 23:40:06 . 2010-01-24 23:40:06 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\29358.exe.vir
2010-01-24 23:20:05 . 2010-01-24 23:20:05 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\11478.exe.vir
2010-01-24 23:00:05 . 2010-01-24 23:00:05 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\15724.exe.vir
2010-01-24 22:40:05 . 2010-01-24 22:40:05 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\19169.exe.vir
2010-01-24 22:20:05 . 2010-01-24 22:20:05 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\26500.exe.vir
2010-01-24 22:00:04 . 2010-01-24 22:00:04 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\6334.exe.vir
2010-01-24 21:39:41 . 2010-01-24 21:39:41 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\18467.exe.vir
2010-01-24 21:19:20 . 2010-01-24 21:19:20 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\41.exe.vir
2010-01-24 21:18:37 . 2010-01-24 21:18:37 2,931 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\warning.html.vir
2010-01-24 21:18:23 . 2010-01-24 21:18:14 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\winlogon32.exe.vir
2010-01-24 21:18:21 . 2010-01-24 21:18:14 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\smss32.exe.vir
2010-01-23 16:59:03 . 2010-01-25 00:45:17 255 ----a-w- C:\Qoobox\Quarantine\catchme.log
2003-12-15 04:03:53 . 2003-12-15 04:03:53 972 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\msndata.dat.vir
2002-12-12 06:01:38 . 2002-12-12 06:01:38 6,777 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\Clinical Gems Eye movement mirrors vertebral subluxations.email.vir
2002-12-10 04:54:21 . 2002-12-10 04:54:21 55,504 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\Fwd_ Awesome!!(1).email.vir
2002-12-07 06:19:22 . 2002-12-07 06:19:22 55,504 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\Fwd_ Awesome!!.email.vir
2002-12-05 15:52:11 . 2002-12-05 15:52:11 366,170 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\Be Aware.email.vir
2002-11-22 15:25:23 . 2002-11-22 15:25:23 4,553 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\Happy Thanksgiving.email.vir
2002-11-20 04:52:49 . 2002-11-20 04:52:49 6,784 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\Aerophagia ( swallowing air ) and Chiropractic.email.vir
2002-11-05 17:02:38 . 2002-11-05 17:02:38 6,070 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\Clinical Gems Dysdiadokokinesia and Chiropractic Adjustments.email.vir
2002-10-30 05:56:58 . 2002-10-30 05:56:58 3,433 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\RE_ Bonus Weeks(1).email.vir
2002-10-30 05:56:44 . 2002-10-30 05:56:44 4,246 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\[Fwd_ Bonus Weeks](1).email.vir
2002-10-23 00:07:07 . 2002-10-23 00:07:07 11,563 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\Fw_ Subject_ Cigna Breast Cancer Donation.email.vir
2002-10-15 04:33:05 . 2002-10-15 04:33:05 3,433 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\RE_ Bonus Weeks.email.vir
2002-10-15 04:32:50 . 2002-10-15 04:32:50 4,246 ----atw- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Temporary Mail Files (000A5831)\[Fwd_ Bonus Weeks].email.vir
2002-09-16 05:06:36 . 2003-12-15 04:03:54 26,790 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\msnuser.dat.vir
2002-09-10 05:02:55 . 2003-12-15 03:55:15 53 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\favcache.xml.vir
2002-09-10 05:02:55 . 2003-12-15 03:55:15 54 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\favorites.xml.vir
2002-09-10 04:59:08 . 2002-09-30 04:30:01 35 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\msnspell.dic.vir
2002-09-10 04:30:53 . 2002-11-04 01:33:12 46,628 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\contacts.dbx.vir
2002-09-10 04:30:52 . 2002-09-10 04:30:52 9,660 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\offline.dbx.vir
2002-09-10 04:30:50 . 2002-09-10 04:30:50 9,660 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Archived Mail.dbx.vir
2002-09-10 04:30:50 . 2002-09-10 04:30:50 9,660 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Bulk Mail.dbx.vir
2002-09-10 04:30:50 . 2002-12-05 16:46:23 684,428 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Sent Messages(1).dbx.vir
2002-09-10 04:30:50 . 2002-10-09 03:16:59 85,412 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Trash(1).dbx.vir
2002-09-10 04:30:50 . 2002-10-09 03:17:22 85,412 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Drafts.dbx.vir
2002-09-10 04:30:50 . 2002-09-10 04:30:50 9,660 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\MSN Announcements.dbx.vir
2002-09-10 04:30:50 . 2002-12-12 06:02:46 9,660 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Outbox.dbx.vir
2002-09-10 04:30:50 . 2002-12-18 15:11:18 2,357,764 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Trash.dbx.vir
2002-09-10 04:30:50 . 2003-03-04 21:11:17 502,748 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Inbox.dbx.vir
2002-09-10 04:30:50 . 2002-09-10 04:30:50 9,660 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Sent Messages.dbx.vir
2002-09-10 04:30:50 . 2002-12-18 15:11:30 22,052 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\folders.dbx.vir
2002-09-10 04:30:50 . 2003-03-04 21:11:13 155 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\Hotmail\Hotmail.ini.vir
2002-09-10 04:30:13 . 2009-08-18 05:09:07 66 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\au.ini.vir
2002-09-10 04:29:52 . 2003-12-15 04:00:10 202 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\fastsettings.dat.vir
2002-09-10 04:29:52 . 2003-12-15 04:03:37 1,520 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\localsettings.xml.vir
2002-09-10 04:29:52 . 2003-12-15 04:00:10 355 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\MSN6\UserData\{B52D1F82-5882-01C2-0200-0000C00A7882}\settings.xml.vir
2002-09-10 04:22:14 . 2009-08-18 05:10:39 161 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\MSN6\au.ini.vir
2002-07-17 14:44:04 . 2010-01-17 02:32:20 96,512 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\atapi.sys.vir
2002-07-17 14:44:04 . 2010-01-17 02:32:20 96,512 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\atapi.sys.vir_
1999-12-07 08:00:00 . 1999-12-07 08:00:00 24,975 ----a-w- C:\Qoobox\Quarantine\C\WINNT\twain_16.dll.vir
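One way to triage a quarantine listing like the one above, added here as an example (it is not part of the thread and not ComboFix's own code): the parser reads the `created . modified size attributes path` line format, maps each quarantine path back to where the file originally lived, and pulls out the pattern visible in the posted log, namely all-digit, zero-byte .exe files in system32 created twenty minutes apart. The sample lines are copied from the post; the class, function and field names are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: lines in the exact shape of the ComboFix quarantine
# listing posted above (values copied from that post).
SAMPLE_LOG = r"""
2010-01-25 00:20:06 . 2010-01-25 00:20:06 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\24464.exe.vir
2010-01-25 00:00:06 . 2010-01-25 00:00:06 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\26962.exe.vir
2010-01-24 23:40:06 . 2010-01-24 23:40:06 0 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\29358.exe.vir
2010-01-24 21:18:23 . 2010-01-24 21:18:14 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\winlogon32.exe.vir
2010-01-24 21:18:21 . 2010-01-24 21:18:14 20,992 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\smss32.exe.vir
2010-01-25 01:13:32 . 2010-01-25 01:13:32 542 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-tsnpstd.reg.dat
2002-07-17 14:44:04 . 2010-01-17 02:32:20 96,512 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\drivers\atapi.sys.vir
1999-12-07 08:00:00 . 1999-12-07 08:00:00 24,975 ----a-w- C:\Qoobox\Quarantine\C\WINNT\twain_16.dll.vir
"""

# created . modified size attributes path  (size is "--------" for directories)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine" + "\\"
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def original_path(quarantine_path: str) -> Optional[str]:
    r"""Map a quarantine path back to where the file lived.

    ComboFix mirrors the original drive path under C:\Qoobox\Quarantine\<drive>\
    and appends .vir (.vir_ for a second copy), as the posted listing shows.
    Returns None for entries that are not quarantined files (registry backups).
    """
    if not quarantine_path.startswith(QUARANTINE_ROOT):
        return None
    m = re.match(r"^([A-Za-z])\\(.+)\.vir_?$", quarantine_path[len(QUARANTINE_ROOT):])
    return f"{m[1]}:\\{m[2]}" if m else None


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def original(self) -> str:
        return original_path(self.path) or self.path

    @property
    def name(self) -> str:
        return self.original.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.original.rsplit("\\", 1)[0]


def parse_combofix_lines(text: str) -> List[Entry]:
    """Parse every line in ComboFix's file-listing format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        entries.append(Entry(datetime.strptime(m["created"], TIME_FMT),
                             datetime.strptime(m["modified"], TIME_FMT),
                             size, m["attrs"], m["path"]))
    return entries


def numeric_system32_executables(entries: List[Entry]) -> List[Entry]:
    """Executables with an all-digit name that sat directly in a system32 folder.

    Windows does not ship binaries named like 24464.exe; the posted listing
    shows several such 0-byte files created at regular intervals.
    """
    return [e for e in entries
            if e.parent.lower().endswith("\\system32") and NUMERIC_EXE.match(e.name)]


def creation_intervals_minutes(entries: List[Entry]) -> List[float]:
    """Gaps between successive creation times, oldest first. A constant gap
    points at something scheduled rather than at anything a user did."""
    times = sorted(e.created for e in entries)
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    entries = parse_combofix_lines(SAMPLE_LOG)
    hits = numeric_system32_executables(entries)
    for e in hits:
        print(f"{e.created}  {e.size!s:>6} bytes  {e.original}")
    print("creation gaps (min):", creation_intervals_minutes(hits))
```

The same line format is used by the "Files Created" and "Find3M" sections of a full ComboFix log, so the parser also works on those; entries there are not under the quarantine root, and `original` simply returns the path as logged.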

#8 WirePaladinSF

WirePaladinSF
  • Topic Starter

  • Members
  • 12 posts

Posted 06 February 2010 - 01:26 PM

M0le,
I reinstalled ComboFix and ran it again, then properly uninstalled it. Afterwards, I ran MalwareBytes; it found two infections.
I will add the logs, the latest ComboFix, followed by the Malwarebytes log.

ComboFix 10-02-05.04 - Owner 02/06/2010 8:22.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.504 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-01-29 17:51 . 2010-01-29 17:51 9352696 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3E3A02D1-E17D-EFC0-78B4-EDA0C8823536}-PicasaUpdater_150d.exe
2010-01-29 17:51 . 2010-01-29 17:51 9195688 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{97A11D1E-921A-30A9-9045-DC2C09C6E66D}-PicasaUpdater_345e.exe
2010-01-29 17:50 . 2010-01-29 17:50 9496056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{79E643E2-8750-02C4-11FF-B7B4F9265192}-setup.exe
2010-01-29 04:03 . 2010-01-29 04:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-25 03:41 . 2008-03-02 11:28 206608 ----a-w- c:\winnt\system32\drivers\TMPassthru.sys
2010-01-25 03:41 . 2010-01-25 03:41 -------- d-----w- c:\program files\Trend Micro
2010-01-25 00:48 . 2010-01-25 00:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-24 18:32 . 2010-01-14 19:12 181120 ------w- c:\winnt\system32\MpSigStub.exe
2010-01-24 18:28 . 2010-01-24 18:29 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-24 17:00 . 2010-01-24 17:01 -------- d-----w- c:\program files\Cobian Backup 9
2010-01-24 16:54 . 2010-01-24 16:55 -------- d-----w- C:\Cobian Backup
2010-01-24 05:16 . 2009-07-16 20:32 120136 ----a-w- c:\winnt\system32\drivers\Mpfp.sys
2010-01-24 05:15 . 2010-01-24 05:16 -------- d-----w- c:\program files\Common Files\McAfee
2010-01-24 05:15 . 2010-01-24 05:15 -------- d-----w- c:\program files\McAfee.com
2010-01-24 02:47 . 2010-01-24 02:47 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-24 02:47 . 2010-01-24 02:47 -------- d-----w- c:\program files\TrendMicro
2010-01-24 00:45 . 2010-01-24 00:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-24 00:45 . 2010-01-24 00:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2010-01-23 20:05 . 2010-01-23 20:05 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2010-01-23 18:01 . 2010-01-23 18:01 -------- d-----w- c:\program files\CCleaner
2010-01-23 15:47 . 2010-01-23 15:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-23 15:46 . 2010-01-23 15:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 17:44 . 2010-01-23 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 17:44 . 2010-01-22 17:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-22 15:51 . 2010-01-22 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\System Tweaker
2010-01-22 14:55 . 2010-01-22 14:55 -------- d--h--w- c:\winnt\PIF
2010-01-19 04:29 . 2010-01-19 04:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-19 04:28 . 2010-01-08 00:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-01-19 04:28 . 2010-01-19 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-19 04:28 . 2010-01-08 00:07 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-01-18 06:57 . 2010-01-18 06:59 -------- dc-h--w- c:\winnt\ie8
2010-01-18 03:07 . 2010-01-23 20:38 -------- d-----w- c:\program files\a-squared Anti-Malware
2010-01-16 23:36 . 2010-01-16 23:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2010-01-16 21:08 . 2010-01-16 21:08 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-16 21:08 . 2010-01-16 21:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-16 21:07 . 2010-01-16 21:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-16 21:07 . 2010-01-16 21:07 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-16 19:38 . 2010-01-16 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-16 19:38 . 2010-01-23 03:51 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-01-16 19:38 . 2010-01-23 03:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 16:53 . 2010-01-16 16:53 696832 ----a-w- c:\winnt\is-KBJ9P.exe
2010-01-13 14:37 . 2009-11-21 15:51 471552 ------w- c:\winnt\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 16:30 . 2009-11-11 15:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-02-06 16:00 . 2009-11-11 16:00 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-02-06 15:49 . 2009-05-13 00:45 -------- d-----w- c:\documents and settings\Owner\Application Data\StumbleUpon
2010-01-29 03:58 . 2006-04-23 19:00 -------- d-----w- c:\program files\Google
2010-01-26 13:37 . 2008-10-15 17:23 -------- d-----w- c:\program files\McAfee
2010-01-25 03:41 . 2002-07-17 14:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-24 20:55 . 2002-07-17 14:46 -------- d-----w- c:\program files\QUICKENW
2010-01-24 17:02 . 2003-03-04 20:48 -------- d-----w- c:\program files\Yahoo!
2010-01-24 05:22 . 2008-10-15 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-24 05:16 . 2002-07-17 14:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-18 02:12 . 2008-12-24 01:25 -------- d-----w- c:\program files\Safari
2010-01-17 02:32 . 2002-07-17 14:44 96512 ------w- c:\winnt\system32\drivers\atapi.sys
2010-01-16 16:52 . 2009-02-14 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-01-08 04:20 . 2009-09-05 21:30 93096 ----a-w- c:\winnt\system32\IncContxMenu.dll
2010-01-08 04:20 . 2009-02-14 17:45 2169256 ----a-w- c:\winnt\system32\Incinerator.dll
2010-01-07 05:45 . 2009-12-09 04:51 -------- d-----w- c:\program files\Common Files\Nero
2010-01-07 05:45 . 2009-12-09 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-07 03:59 . 2008-12-18 21:28 -------- d-----w- c:\program files\QuickTime
2009-12-30 18:31 . 2009-12-28 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-30 01:08 . 2008-12-18 21:28 -------- d-----w- c:\program files\Common Files\Apple
2009-12-30 01:05 . 2009-12-30 01:05 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-28 17:28 . 2002-07-17 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-28 17:28 . 2009-12-28 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-28 15:42 . 2009-12-28 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-28 15:39 . 2009-12-28 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-12-28 15:38 . 2009-12-28 15:38 -------- d-----w- c:\program files\NOS
2009-12-26 09:51 . 2009-11-12 07:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-12-21 19:14 . 1980-01-01 05:00 916480 ------w- c:\winnt\system32\wininet.dll
2009-12-16 16:34 . 2009-05-13 00:45 -------- d-----w- c:\program files\StumbleUpon
2009-12-16 14:17 . 2009-12-09 21:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Nero
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\winnt\system32\GPhotos.scr
2009-12-11 21:14 . 2009-12-11 21:14 -------- d-----w- c:\program files\Common Files\snpstd2
2009-12-11 21:14 . 2008-12-30 03:38 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2009-12-04 08:33 . 2009-12-04 08:33 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-11-21 15:51 . 1980-01-01 05:00 471552 ----a-w- c:\winnt\AppPatch\aclayers.dll
2009-11-19 19:48 . 2009-12-02 03:03 872960 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xolbof60.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 19:48 . 2009-12-02 03:03 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xolbof60.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 19:48 . 2009-12-02 03:03 340480 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xolbof60.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 19:48 . 2009-12-02 03:03 346624 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xolbof60.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-15 17:48 . 2009-02-14 18:46 1513 ----a-w- c:\documents and settings\Owner\Application Data\iolo\restore.bat
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\winnt\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\winnt\system32\imapi2.dll
2009-11-11 16:00 . 2009-11-11 16:00 56 ---ha-w- c:\winnt\system32\ezsidmv.dat
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-15 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2003-11-18 118784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
backup=c:\winnt\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\winnt\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\winnt\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iTunes.lnk]
backup=c:\winnt\pss\iTunes.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
backup=c:\winnt\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\winnt\pss\Secunia PSI.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
backup=c:\winnt\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\winnt\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-02-28 13:47 675840 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 19:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-10-31 03:43 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCure]
2009-08-07 19:36 3993368 ----a-w- c:\program files\ParetoLogic\DriverCure\DriverCure.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT GWY]
2008-06-25 21:02 81920 ----a-w- c:\program files\Common Files\Portrait Displays\Shared\DT_Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
2002-05-07 00:12 65536 ----a-w- c:\winnt\GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd 9910 Daemon]
2001-01-03 19:50 66048 ----a-w- c:\winnt\system32\SK9910DM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 20:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
2009-07-09 04:22 5134864 ----a-w- c:\program files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-23 21:52 331830 ----a-w- c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-12-13 02:55 53248 ----a-w- c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
2001-07-25 15:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 19:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ioloFileInfoList"=2 (0x2)
"ioloSystemService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2/10/2005 12:26 PM 258146]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/23/2010 9:21 PM 93320]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [1/24/2010 7:41 PM 582992]
R3 TMPassthruMP;TMPassthruMP;c:\winnt\system32\drivers\TMPassthru.sys [1/24/2010 7:41 PM 206608]
R3 VNA;Check Point Virtual Network Adapter;c:\winnt\system32\drivers\vna.sys [2/10/2005 12:26 PM 108400]
S1 9743WvRJX;9743WvRJX;\??\c:\winnt\system32\drivers\9743WvRJX.sys --> c:\winnt\system32\drivers\9743WvRJX.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:58 PM 135664]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [12/29/2008 7:16 PM 90112]
S3 qCUj38f;qCUj38f;\??\c:\winnt\system32\drivers\qCUj38f.sys --> c:\winnt\system32\drivers\qCUj38f.sys [?]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [12/8/2009 2:41 PM 120232]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\winnt\system32\drivers\TMPassthru.sys [1/24/2010 7:41 PM 206608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SYMREDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-12-26 c:\winnt\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-08-07 19:36]

2010-02-06 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 03:58]

2010-02-06 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 03:58]

2010-01-25 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-782189750-2574624155-677485609-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 03:31]

2010-02-06 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-782189750-2574624155-677485609-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 03:31]

2002-07-30 c:\winnt\Tasks\ISP signup reminder 1.job
- c:\winnt\System32\OOBE\oobebaln.exe [2001-10-09 00:12]

2002-07-30 c:\winnt\Tasks\ISP signup reminder 2.job
- c:\winnt\System32\OOBE\oobebaln.exe [2001-10-09 00:12]

2010-01-24 c:\winnt\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-24 20:22]

2010-02-01 c:\winnt\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-24 20:22]

2010-01-27 c:\winnt\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2009-12-26 c:\winnt\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-02-06 c:\winnt\Tasks\User_Feed_Synchronization-{2DAE6ED9-9695-48E6-83CB-5457D49705A2}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xolbof60.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/|http://news.yahoo.com
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xolbof60.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 08:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\HID\Vid_046d&Pid_c00c\6&240daa58&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\winnt\system32\igfxsrvc.dll
c:\winnt\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(1740)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-06 08:34:34
ComboFix-quarantined-files.txt 2010-02-06 16:34
ComboFix2.txt 2010-01-25 01:16

Pre-Run: 8,538,447,872 bytes free
Post-Run: 8,617,730,048 bytes free

- - End Of File - - 11EAD110E53518008ED7C43FF092BCB3



And mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3620
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/6/2010 10:05:55 AM
mbam-log-2010-02-06 (10-05-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192078
Time elapsed: 59 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP20\A0004338.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP20\A0004389.sys (Malware.Trace) -> Quarantined and deleted successfully.

It said to delete the traces, which I did...
Then restart. I will try to run RootRepeal when I do...
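As an added example (not code from this thread, from ComboFix or from its author), here is a small Python triage helper that parses the R/S service and driver lines of the ComboFix log above and flags entries whose binary ComboFix could not find on disk (the "[?]" marker) or whose service name looks machine-generated. The random-name test is a rough heuristic of my own; a flagged entry is a candidate for analyst review, not confirmed malware.

```python
import re
from dataclasses import dataclass, field

# Service/driver lines taken verbatim from the ComboFix log posted above.
COMBOFIX_SERVICES = r"""
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2/10/2005 12:26 PM 258146]
R3 TMPassthruMP;TMPassthruMP;c:\winnt\system32\drivers\TMPassthru.sys [1/24/2010 7:41 PM 206608]
S1 9743WvRJX;9743WvRJX;\??\c:\winnt\system32\drivers\9743WvRJX.sys --> c:\winnt\system32\drivers\9743WvRJX.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:58 PM 135664]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 qCUj38f;qCUj38f;\??\c:\winnt\system32\drivers\qCUj38f.sys --> c:\winnt\system32\drivers\qCUj38f.sys [?]
"""

# ComboFix prefix: R = running, S = stopped; the digit is the service's registry Start type.
STATE = {"R": "running", "S": "stopped"}
START = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+) \[([^\]]*)\]$")

@dataclass
class ServiceEntry:
    state: str
    start: str
    name: str
    display: str
    path: str
    present: bool  # False when ComboFix printed "[?]": the file was not found on disk
    reasons: list = field(default_factory=list)

def parse_services(text: str) -> list:
    """Parse R/S service lines into ServiceEntry objects, skipping non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, detail = m.groups()
        # "\??\<nt path> --> <dos path>": keep the resolved DOS path on the right.
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
        entries.append(ServiceEntry(STATE[state], START[start], name, display,
                                    path, present=(detail != "?")))
    return entries

def looks_random(name: str) -> bool:
    """Heuristic only: mixed-case alphanumeric names containing digits, e.g. 9743WvRJX."""
    return (name.isalnum() and any(c.isdigit() for c in name)
            and any(c.islower() for c in name) and any(c.isupper() for c in name))

def triage(entries: list) -> list:
    """Return the entries an analyst should review, with the reason(s) attached."""
    flagged = []
    for e in entries:
        if not e.present:
            e.reasons.append("binary not found on disk")
        if looks_random(e.name):
            e.reasons.append("random-looking service name")
        if e.reasons:
            flagged.append(e)
    return flagged
```

Run `triage(parse_services(COMBOFIX_SERVICES))` to get the three entries from this log that an analyst would check first: the two random-named drivers and the missing PCDRDRV.sys.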


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:18 AM

Posted 06 February 2010 - 09:10 PM

MBAM removed the system restore files where malware sometimes hides. That folder gets removed at the end of the fix anyway.

It looks good. How is the PC running?


Let's do an online scan with ESET, this should be clear.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

m0le is a proud member of UNITE

#10 WirePaladinSF

WirePaladinSF
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:18 PM

Posted 07 February 2010 - 02:36 PM

Yikes!
How did ComboFix miss this? And McAfee? And Malwarebytes? And HouseCleaner? And Microsoft Vcleaner? And Microsoft Security Essentials? And GMER? And HijackThis? And SpyBot? And RUBotted?

Anyway, here is the file:
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4C42D5BE-4C27-440A-B06D-CCDCA42C8976}\Microsoft\Outlook Express\Inbox.dbx Win32/Sobig.E worm unable to clean

Do I point right to that file with File Shredder and shred it?

#11 WirePaladinSF

WirePaladinSF
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:18 PM

Posted 07 February 2010 - 02:43 PM

I scanned the Inbox.dbx in Outlook Express w/ Malwarebytes and McAfee but they found nothing. Should I shred it anyway? I don't use Outlook Express for anything.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:18 AM

Posted 07 February 2010 - 05:33 PM

QUOTE(WirePaladinSF @ Feb 7 2010, 07:36 PM)
Yikes!
How did ComboFix miss this? And McAfee? And Malwarebytes? And HouseCleaner? And Microsoft Vcleaner? And Microsoft Security Essentials? And GMER? And HijackThis? And SpyBot? And RUBotted?


It's all about where these tools target. Only online scanners really bother with email folders and it's often the source of the infection but it's also not the best way to infect PCs. That's why we run an online scan at the end...

QUOTE
Anyway, here is the file:
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4C42D5BE-4C27-440A-B06D-CCDCA42C8976}\Microsoft\Outlook Express\Inbox.dbx Win32/Sobig.E worm unable to clean

Do I point right to that file with File Shredder and shred it?


Yes. Delete it permanently. If you don't use Outlook you could delete any emails in the inbox with attachments if File Shredder doesn't work.

Let me know how that goes.
m0le is a proud member of UNITE

#13 WirePaladinSF

WirePaladinSF
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:18 PM

Posted 08 February 2010 - 10:25 AM

m0le,
I shredded the file found by ESET Online. I rescanned with Malwarebytes and found nothing. I uninstalled and reinstalled IE8. I've cleaned out the Temp cache, etc. However, I have RUBotted running and daily get a "Bot Found" notice with a date and time and the Activity Detected remarks: "Detected DNS query of malicious domain." When I delete the remarks, it re-searches and returns a "no bots found". Later in the day it will warn me again that bots were found. Any ideas?

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:18 AM

Posted 08 February 2010 - 03:25 PM

This could be a false positive but could you post the RUBotted log that shows this attack?
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:18 AM

Posted 11 February 2010 - 05:28 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE



