
Hijacker Trouble... I'm Exhausted :(


  • This topic is locked
11 replies to this topic

#1 ihateraking
  • Members
  • 6 posts

Posted 19 February 2010 - 05:04 PM

Please help... I'm exhausted.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:02 PM, on 2/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Print Tracker\PMonitor.kpr
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_comm_customer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sYSteM32\SvchOst.eXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_system_customer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_user_customer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\windows\freddy101.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_host.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpyBot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [LMI Print Monitor] "C:\Program Files\Print Tracker\PMonitor.exe" /AsUser
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld16.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy101.exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Luis Rivas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Scanner File Utility.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\SpyBot\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\SpyBot\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: B3467D2D-E10C-41A6-B671-2B07A1445DC4 - file://C:\DOCUME~1\LUISRI~1\LOCALS~1\Temp\cmW32client.cab
O16 - DPF: {03A89EFD-E023-A100-A22D-45F77558EB4C} (ILINCInstall101 Class) - https://content9.mitel-nhwc.com/download/AXCltInstall.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.allocationmaster.com/client/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205903891819
O16 - DPF: {A37BF4BE-8CF4-47BF-9A7D-4E8318447929} (AutoInstall.SonexisAutoInstall) - https://www.orcameeting.com/downloads/SonexisAutoInstall.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://premconf.webex.com/client/T25L10NSP...bex/ieatgpc.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Print Tracker Monitor2 (LMIPrintTracker) - Print Tracker (866) 629-3342 - C:\Program Files\Print Tracker\PMonitor.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
O23 - Service: Sonexis Application Sharing Driver Service - Sonexis, Inc. - C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11792 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
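A small triage script for logs like the HijackThis output above, added here as an example (it is not part of the thread or of HijackThis). It parses the "Running processes" block and the O4 autorun entries and flags the three things that stand out in this log: executables sitting directly in the Windows directory (ld16.exe and freddy101.exe), a core system process name with non-standard path casing (sYSteM32\SvchOst.eXE), and autorun values with no directory component; the heuristics, constants and function names are this example's own, and its output is a review queue, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sYSteM32\SvchOst.eXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\windows\freddy101.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld16.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy101.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Luis Rivas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"""

# Core Windows XP processes and the two directory spellings XP itself writes for them.
# This is a heuristic calibrated to the log above, not an authoritative list.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "ctfmon.exe"}
CANONICAL_DIRS = {r"C:\WINDOWS\system32", r"C:\WINDOWS\System32"}

# Shape of an autorun entry: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str       # the log line the finding refers to
    reason: str     # which heuristic fired
    severity: str   # "high" when an autorun target is also a running process


def extract_executable(cmd: str) -> str:
    """Pull the executable path out of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "quoted path" args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)\b", cmd)       # unquoted path, maybe followed by args
    return m.group(1) if m else cmd.split(" ")[0]


def classify_path(path: str):
    """Yield one reason per heuristic the path trips; nothing yielded means nothing stood out."""
    if "\\" not in path:
        yield "no directory in autorun target; resolved through the search path"
        return
    directory, _, filename = path.rpartition("\\")
    lower_name = filename.lower()
    if lower_name in SYSTEM_BINARIES and (
            directory not in CANONICAL_DIRS or filename != lower_name):
        yield "system process name with non-standard path casing"
    if directory.lower() == r"c:\windows" and lower_name != "explorer.exe":
        yield "executable directly in the Windows directory"


def triage(log_text: str):
    """Parse the 'Running processes' block and O4 entries; return Findings, high severity first."""
    running, autoruns = set(), []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False                 # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            running.add(line)
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append((extract_executable(m.group("cmd")), line))

    running_lower = {p.lower() for p in running}
    findings = [Finding(p, r, "medium") for p in running for r in classify_path(p)]
    for path, line in autoruns:
        # An autorun whose target is live right now goes to the top of the queue.
        severity = "high" if path.lower() in running_lower else "medium"
        findings.extend(Finding(line, r, severity) for r in classify_path(path))
    findings.sort(key=lambda f: (f.severity != "high", f.line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

On the sample it returns five findings, with the sysfbtray entry for freddy101.exe ranked high because the same binary appears in the process list; the MBAM log later in the thread identifies both flagged Windows-directory files as Worm.KoobFace.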


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 19 February 2010 - 06:47 PM

Hello ihateraking,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download Malwarebytes Anti-Malware (v1.43) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

2.
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

4.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

5.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.


Things to include in your next reply:
MBAM log
SAS log
Gmer log
DDS.txt
Attach.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#3 ihateraking

  • Topic Starter

  • Members
  • 6 posts

Posted 20 February 2010 - 10:52 AM

Hi Fireman,

Thank you for your help, I appreciate it very much. I "got it bad", but fine folks such as yourself willing to help really gives me hope. Thanks again for your time and your willingness to help.

I'm infected with Koob Face, probably from a recent visit to a friend's Facebook page. I followed your instructions and here's what I have so far:

I ran MalWareBytes which found and quarantined 18 infections (log file posted below). I removed all instances from MalWareBytes when the scan completed. I'm currently running SuperAntiSpyware and Gmer -- 10 hours and counting. I will post those results when the scans finish. Finally, I posted below the results from DDS.txt and Attached.txt.

I look forward to hearing back from you. Thanks!

Bob


MalWareBytes Log

Malwarebytes' Anti-Malware 1.44
Database version: 3699
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 1:14:23 PM
mbam-log-2010-02-19 (13-14-23).txt

Scan type: Quick Scan
Objects scanned: 127983
Time elapsed: 28 minute(s), 35 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\freddy101.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\freddy101.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis Rivas\Local Settings\Temp\zpskon_1266471927.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146111103.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146114101.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\01011201014650115.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ld16.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis Rivas\Local Settings\Temp\zpskon_1266466837.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266448777.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266448835.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266513740.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266513761.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266513766.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266600562.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266600875.exe (Worm.Koobface) -> Quarantined and deleted successfully.


DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Luis Rivas at 22:23:32.44 on Fri 02/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.467 [GMT -8:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_comm_customer.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_system_customer.exe
C:\Program Files\Print Tracker\PMonitor.kpr
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\sYSteM32\SvchOst.eXE -k okogrp
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_host.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_user_customer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\SuperSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Gmer\or1r310z.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DDS\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.sfgate.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\320\g2mstart.exe "/Trigger RunAtLogon"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\luis rivas\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [LMI Print Monitor] "c:\program files\print tracker\PMonitor.exe" /AsUser
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera\fileutility\NsCatCom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
Trusted Zone: salesforce.com
DPF: B3467D2D-E10C-41A6-B671-2B07A1445DC4 - file://c:\docume~1\luisri~1\locals~1\temp\cmW32client.cab
DPF: {03A89EFD-E023-A100-A22D-45F77558EB4C} - hxxps://content9.mitel-nhwc.com/download/AXCltInstall.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://www.allocationmaster.com/client/iftwclix.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205903891819
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A37BF4BE-8CF4-47BF-9A7D-4E8318447929} - hxxps://www.orcameeting.com/downloads/SonexisAutoInstall.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T25L10NSP41EP2-premconf/webex/ieatgpc.cab
Notify: !SASWinLogon - c:\program files\superspyware\SASWINLO.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\209\g2ax_winlogon.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superspyware\SASSEH.DLL
Hosts: 192.168.1.10 HP001E0B4D5BB6

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luisri~1\applic~1\mozilla\firefox\profiles\0ehza0ff.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
R1 oko6;oko6;c:\windows\system32\drivers\oko6.sys [2010-2-17 32768]
R1 SASDIFSV;SASDIFSV;c:\program files\superspyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superspyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-10-21 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-10-21 38528]
R2 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\209\g2ax_service.exe [2009-11-19 161144]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-3-3 610304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 LMIPrintTracker;Print Tracker Monitor2;c:\program files\print tracker\PMonitor.exe [2008-10-23 499712]
R2 okosrv;okosrv;c:\windows\system32\SvchOst.eXE -k okogrp [2003-7-16 14336]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-5 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-3-3 20792]
R3 SASENUM;SASENUM;c:\program files\superspyware\SASENUM.SYS [2010-2-17 12872]
R3 SonMirrorftas;ConferenceManager AppShare Filter Driver;c:\windows\system32\drivers\SonMirrorftas.sys [2009-2-12 3840]
R3 SonVMDas;SonVMDas;c:\windows\system32\drivers\SonVMDas.sys [2009-2-12 2560]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-30 135664]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2009-3-21 3968]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-21 14976]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2010-02-20 06:05:05 0 d-----w- c:\program files\DDS
2010-02-20 05:59:15 0 d-----w- c:\program files\Gmer
2010-02-20 04:37:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-20 04:12:22 0 d-----w- c:\docume~1\luisri~1\applic~1\SUPERAntiSpyware.com
2010-02-20 04:08:25 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-20 04:04:10 0 d-----w- c:\program files\SuperSpyware
2010-02-20 04:04:09 0 d-----w- c:\program files\New Folder
2010-02-19 20:52:25 0 d-----w- c:\program files\Trend Micro
2010-02-17 23:20:27 101888 ----a-w- c:\windows\system32\oko6.dll
2010-02-17 23:20:26 32768 ----a-w- c:\windows\system32\drivers\oko6.sys
2010-02-07 03:34:54 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 17:48:53 28372 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-25 03:29:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2008-12-08 21:15:20 3432264 ----a-w- c:\program files\zviewer_inst-v21.exe
2008-12-08 21:13:12 684544 -c--a-w- c:\program files\sample-office-v21.zvw
2008-07-25 17:25:08 4880248 ----a-w- c:\program files\WindowsDesktopSearch-KB917013-V301-XP-x86-enu.exe
2008-07-17 18:56:44 29287263 ----a-w- c:\program files\KYOCERA_KX_V4_4_2K_XP_Vista_x86_EN.exe
2008-03-31 21:47:34 49152 ----a-w- c:\program files\Setup.exe
2008-03-20 05:18:18 1489 -c--a-r- c:\program files\KmInst32.pnf
2008-03-15 08:29:58 16819 -c--a-r- c:\program files\KmInstall.ini
2008-03-14 01:56:32 124407 -c--a-r- c:\program files\lang.dat
2008-03-12 03:47:32 1040384 ----a-r- c:\program files\KmInstall.exe
2008-03-12 03:27:40 333824 ----a-r- c:\program files\KmInst64.exe
2008-03-12 03:23:16 446464 ----a-r- c:\program files\KmUninstallVista.exe
2008-03-12 03:02:56 430080 ----a-r- c:\program files\KmUninstall.exe
2008-03-12 02:59:40 266240 ----a-r- c:\program files\KmInst32.exe
2008-03-12 02:58:06 1044480 ----a-r- c:\program files\KmInstallVista.exe
2008-02-14 02:55:08 47114 -c--a-r- c:\program files\KmInstall.str
2008-01-31 02:08:14 593 -c--a-r- c:\program files\KX.pnf
2008-01-30 02:41:12 114688 -c--a-r- c:\program files\KmDiscover.dll
2007-08-31 06:35:44 6912 -c--a-r- c:\program files\KmInst32.str
2007-06-14 06:43:28 110592 -c--a-r- c:\program files\KmUsb.dll
2008-08-21 18:38:01 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 22:28:07.80 ===============


Attached.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/18/2008 10:35:45 PM
System Uptime: 2/19/2010 8:31:15 PM (2 hours ago)

Motherboard: Dell Computer Corporation | | 0F3553
Processor: Mobile Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 1594/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 10.453 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP392: 11/25/2009 5:34:25 AM - Software Distribution Service 3.0
RP393: 12/14/2009 2:41:00 PM - Software Distribution Service 3.0
RP394: 12/30/2009 1:32:01 PM - System Checkpoint
RP395: 1/14/2010 3:37:42 PM - Software Distribution Service 3.0
RP396: 1/22/2010 7:50:21 AM - Software Distribution Service 3.0
RP397: 1/22/2010 10:13:17 AM - Software Distribution Service 3.0
RP398: 1/24/2010 7:15:41 PM - System Checkpoint
RP399: 2/2/2010 3:17:42 AM - System Checkpoint
RP400: 2/7/2010 9:09:20 AM - System Checkpoint
RP401: 2/10/2010 6:38:37 PM - Software Distribution Service 3.0
RP402: 2/13/2010 2:52:33 PM - System Checkpoint
RP403: 2/14/2010 3:42:13 PM - System Checkpoint
RP404: 2/15/2010 4:08:14 PM - System Checkpoint
RP405: 2/19/2010 8:12:13 PM - Installed SUPERAntiSpyware Free Edition

==== Installed Programs ======================

7500_7600_7700_Help
Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Contribute CS3
Adobe Default Language CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 8.1.6
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BCM V.92 56K Modem
Bonjour
BPD_HPSU
BPD_Scan
BPDfax
BPDSoftware
BPDSoftware_Ini
Broadcom 440x 10/100 Integrated Controller
BufferChm
Choice Guard
Cisco Systems VPN Client 5.0.03.0530
ConferenceManager Application Sharing Driver 8.0.15.0
ConferenceManager Print Driver
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
Dell Wireless WLAN Card
DemoMate
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GoToAssist Express Customer 1.3.0.209
GoToMeeting 4.0.0.320
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Imaging Device Functions 7.0
HP Officejet Pro All-In-One Series
HP SNMP Proxy
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevicesMFC
Intel® Extreme Graphics 2 Driver
iPhone Configuration Utility
iTunes
Java™ 6 Update 13
Kaseya Agent
Kyocera Scanner File Utility
L7600
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 2000
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mitel Hosted Web Conferencing Client
MobileMe Control Panel
Mozilla Firefox (2.0.0.12)
MPM
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OCR Software by I.R.I.S 7.0
OpenOffice.org Installer 1.0
PanoStandAlone
PowerDVD 5.1
PrimoPDF
Print Tracker
ProductContext
QuickTime
Retriever for the Desktop
Safari
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SigmaTel AC97 Audio Drivers
SmartDraw 2008
SmartDraw 2009
SmartDraw PDF Filter
SolutionCenter
Sophos Anti-Virus
Sophos AutoUpdate
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
TestDrive Client
Toolbox
TrayApp
TurboTax 2008 wcalbpm
TurboTax 2008 wcapbpm
TurboTax 2008 WinBizFedFormset
TurboTax 2008 WinBizProgramHelp
TurboTax 2008 WinBizReleaseEngine
TurboTax 2008 WinBizTaxSupport
TurboTax 2008 WinBizUserEducation
TurboTax 2008 wrapper
TurboTax Business 2008
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Install Manager
Yahoo! Toolbar
Z-Viewer

==== Event Viewer Messages From Past Week ========

2/18/2010 9:22:57 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
2/16/2010 9:43:18 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{D00351A8-076D-4398-B7AE-C75F062AB2E8} because another computer on the network has the same name. The server could not start.
2/16/2010 9:41:56 AM, error: Print [19] - Sharing printer failed + 1722, Printer SmartDraw PDF Filter share name Printer.
2/13/2010 8:16:04 AM, error: Dhcp [1002] - The IP address lease 192.168.168.193 for the Network Card with network address 009096C3A4CC has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
2/13/2010 8:14:25 AM, error: Dhcp [1002] - The IP address lease 192.168.168.179 for the Network Card with network address 000F1F1B85DD has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


#4 fireman4it

fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 20 February 2010 - 02:40 PM

Hello,

Thanks for the update and logs; however, I need the steps to be done in the order given. I will need a new DDS log after SAS and Gmer have finished.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 ihateraking

ihateraking
  • Topic Starter

  • Members
  • 6 posts

Posted 20 February 2010 - 05:41 PM

Fireman,

OK, not a problem. As you requested, below are the full scan results from Malwarebytes, SuperAntiSpyware, GMER and DDS (both DDS.txt and Attach.txt):

Thanks again for your help, I truly appreciate it.

All the best,

Bob

MalwareBytes Scan

Malwarebytes' Anti-Malware 1.44
Database version: 3699
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 1:14:23 PM
mbam-log-2010-02-19 (13-14-23).txt

Scan type: Quick Scan
Objects scanned: 127983
Time elapsed: 28 minute(s), 35 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\freddy101.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\freddy101.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis Rivas\Local Settings\Temp\zpskon_1266471927.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146111103.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146114101.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\01011201014650115.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ld16.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Luis Rivas\Local Settings\Temp\zpskon_1266466837.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266448777.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266448835.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266513740.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266513761.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266513766.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266600562.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1266600875.exe (Worm.Koobface) -> Quarantined and deleted successfully.

SuperAntiSpyware Scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/20/2010 at 11:51 AM

Application Version : 4.34.1000

Core Rules Database Version : 4603
Trace Rules Database Version: 2415

Scan type : Complete Scan
Total Scan Time : 15:05:15

Memory items scanned : 591
Memory threats detected : 0
Registry items scanned : 5690
Registry threats detected : 0
File items scanned : 104085
File threats detected : 0

GMER Scan

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 14:16:27
Windows 5.1.2600 Service Pack 3
Running: or1r310z.exe; Driver: C:\DOCUME~1\LUISRI~1\LOCALS~1\Temp\pfrcrpoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) ZwCreateKey [0xB2A52FA0]
SSDT \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) ZwDeleteKey [0xB2A530F6]
SSDT \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) ZwSetValueKey [0xB2A5315C]
SSDT \??\C:\Program Files\SuperSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB12C8320]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[300] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 7 Bytes JMP 00365100 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0036AD00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0036AA80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0036AC60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0036AC40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 0036ABC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0036ABA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0036AB80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 0036ACE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0036AAA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 0036B8F0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0036AB20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0036ABE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!ExitThread 7C80C0F8 7 Bytes JMP 0036AB00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!GlobalAlloc 7C80FDCD 7 Bytes JMP 0036AB60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 0036ACA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0036AAE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0036AAC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!ResumeThread 7C832927 5 Bytes JMP 0036AC00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!GetThreadContext 7C83973D 5 Bytes JMP 0036AB40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 0036ACC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0036AC80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 0036AC20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 0036AE20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!bind 71AB4480 3 Bytes JMP 0036AE00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!bind + 4 71AB4484 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!connect 71AB4A07 3 Bytes JMP 0036AE40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!connect + 4 71AB4A0B 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!send 71AB4C27 3 Bytes JMP 0036AEC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!send + 4 71AB4C2B 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!recv 71AB676F 3 Bytes JMP 0036AEA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!recv + 4 71AB6773 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!WSAStartup 71AB6A55 7 Bytes JMP 0036ADC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!WSASocketA 71AB8B6A 3 Bytes JMP 0036ADA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!WSASocketA + 4 71AB8B6E 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!listen 71AB8CD3 3 Bytes JMP 0036AE80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!listen + 4 71AB8CD7 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!getpeername 71AC0B68 5 Bytes JMP 0036AE60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[300] WS2_32.dll!accept 71AC1040 5 Bytes JMP 0036ADE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 7 Bytes JMP 00365100 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0036AD00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0036AA80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0036AC60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0036AC40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 0036ABC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0036ABA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0036AB80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 0036ACE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0036AAA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 0036B8F0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0036AB20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0036ABE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!ExitThread 7C80C0F8 7 Bytes JMP 0036AB00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!GlobalAlloc 7C80FDCD 7 Bytes JMP 0036AB60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 0036ACA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0036AAE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0036AAC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!ResumeThread 7C832927 5 Bytes JMP 0036AC00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!GetThreadContext 7C83973D 5 Bytes JMP 0036AB40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 0036ACC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0036AC80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 0036AC20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 0036AE20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!bind 71AB4480 3 Bytes JMP 0036AE00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!bind + 4 71AB4484 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!connect 71AB4A07 3 Bytes JMP 0036AE40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!connect + 4 71AB4A0B 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!send 71AB4C27 3 Bytes JMP 0036AEC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!send + 4 71AB4C2B 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!recv 71AB676F 3 Bytes JMP 0036AEA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!recv + 4 71AB6773 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!WSAStartup 71AB6A55 7 Bytes JMP 0036ADC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!WSASocketA 71AB8B6A 3 Bytes JMP 0036ADA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!WSASocketA + 4 71AB8B6E 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!listen 71AB8CD3 3 Bytes JMP 0036AE80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!listen + 4 71AB8CD7 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!getpeername 71AC0B68 5 Bytes JMP 0036AE60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[316] WS2_32.dll!accept 71AC1040 5 Bytes JMP 0036ADE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 7 Bytes JMP 00365100 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0036AD00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0036AA80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0036AC60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0036AC40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 0036ABC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0036ABA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0036AB80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 0036ACE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0036AAA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 0036B8F0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0036AB20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0036ABE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!ExitThread 7C80C0F8 7 Bytes JMP 0036AB00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!GlobalAlloc 7C80FDCD 7 Bytes JMP 0036AB60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 0036ACA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0036AAE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0036AAC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!ResumeThread 7C832927 5 Bytes JMP 0036AC00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!GetThreadContext 7C83973D 5 Bytes JMP 0036AB40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 0036ACC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0036AC80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 0036AC20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 0036AE20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8E]
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!bind 71AB4480 3 Bytes JMP 0036AE00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!bind + 4 71AB4484 1 Byte [8E]
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!connect 71AB4A07 3 Bytes JMP 0036AE40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!connect + 4 71AB4A0B 1 Byte [8E]
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!send 71AB4C27 3 Bytes JMP 0036AEC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!send + 4 71AB4C2B 1 Byte [8E]
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!recv 71AB676F 3 Bytes JMP 0036AEA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!recv + 4 71AB6773 1 Byte [8E]
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!WSAStartup 71AB6A55 7 Bytes JMP 0036ADC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!WSASocketA 71AB8B6A 3 Bytes JMP 0036ADA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!WSASocketA + 4 71AB8B6E 1 Byte [8E]
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!listen 71AB8CD3 3 Bytes JMP 0036AE80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!listen + 4 71AB8CD7 1 Byte [8E]
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!getpeername 71AC0B68 5 Bytes JMP 0036AE60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WS2_32.dll!accept 71AC1040 5 Bytes JMP 0036ADE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0036AD80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 0036AD60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0036AD20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\sYSteM32\SvchOst.eXE[356] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0036AD40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 7 Bytes JMP 00365100 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0036AD00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0036AA80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0036AC60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0036AC40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 0036ABC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0036ABA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0036AB80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 0036ACE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0036AAA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 0036B8F0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0036AB20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0036ABE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!ExitThread 7C80C0F8 7 Bytes JMP 0036AB00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!GlobalAlloc 7C80FDCD 7 Bytes JMP 0036AB60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 0036ACA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0036AAE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0036AAC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!ResumeThread 7C832927 5 Bytes JMP 0036AC00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!GetThreadContext 7C83973D 5 Bytes JMP 0036AB40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 0036ACC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0036AC80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 0036AC20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 0036AE20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!bind 71AB4480 3 Bytes JMP 0036AE00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!bind + 4 71AB4484 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!connect 71AB4A07 3 Bytes JMP 0036AE40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!connect + 4 71AB4A0B 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!send 71AB4C27 3 Bytes JMP 0036AEC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!send + 4 71AB4C2B 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!recv 71AB676F 3 Bytes JMP 0036AEA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!recv + 4 71AB6773 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!WSAStartup 71AB6A55 7 Bytes JMP 0036ADC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!WSASocketA 71AB8B6A 3 Bytes JMP 0036ADA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!WSASocketA + 4 71AB8B6E 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!listen 71AB8CD3 3 Bytes JMP 0036AE80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!listen + 4 71AB8CD7 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!getpeername 71AC0B68 5 Bytes JMP 0036AE60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!accept 71AC1040 5 Bytes JMP 0036ADE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 7 Bytes JMP 00365100 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0036AD00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0036AA80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0036AC60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0036AC40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 0036ABC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0036ABA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0036AB80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 0036ACE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0036AAA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 0036B8F0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0036AB20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0036ABE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!ExitThread 7C80C0F8 7 Bytes JMP 0036AB00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!GlobalAlloc 7C80FDCD 7 Bytes JMP 0036AB60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 0036ACA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0036AAE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0036AAC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!ResumeThread 7C832927 5 Bytes JMP 0036AC00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!GetThreadContext 7C83973D 5 Bytes JMP 0036AB40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 0036ACC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0036AC80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 0036AC20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 0036AE20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8E]
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!bind 71AB4480 3 Bytes JMP 0036AE00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!bind + 4 71AB4484 1 Byte [8E]
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!connect 71AB4A07 3 Bytes JMP 0036AE40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!connect + 4 71AB4A0B 1 Byte [8E]
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!send 71AB4C27 3 Bytes JMP 0036AEC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!send + 4 71AB4C2B 1 Byte [8E]
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!recv 71AB676F 3 Bytes JMP 0036AEA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!recv + 4 71AB6773 1 Byte [8E]
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!WSAStartup 71AB6A55 7 Bytes JMP 0036ADC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!WSASocketA 71AB8B6A 3 Bytes JMP 0036ADA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!WSASocketA + 4 71AB8B6E 1 Byte [8E]
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!listen 71AB8CD3 3 Bytes JMP 0036AE80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\system32\lsass.exe[1284] WS2_32.dll!listen + 4 71AB8CD7 1 Byte [8E]
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0036AC40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 0036ABC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0036ABA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0036AB80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 0036ACE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0036AAA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 0036B8F0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0036AB20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0036ABE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!ExitThread 7C80C0F8 7 Bytes JMP 0036AB00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!GlobalAlloc 7C80FDCD 7 Bytes JMP 0036AB60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 0036ACA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0036AAE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0036AAC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!ResumeThread 7C832927 5 Bytes JMP 0036AC00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!GetThreadContext 7C83973D 5 Bytes JMP 0036AB40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 0036ACC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0036AC80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 0036AC20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 7 Bytes JMP 00375100 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0037AD00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0037AA80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0037AC60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0037AC40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 0037ABC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0037ABA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0037AB80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 0037ACE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0037AAA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 0037B8F0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0037ABE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!ExitThread 7C80C0F8 7 Bytes JMP 0037AB00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!GlobalAlloc 7C80FDCD 7 Bytes JMP 0037AB60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 0037ACA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 0037AAE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!CreateProcessInternalA 7C81D54E 5 Bytes JMP 0037AAC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!ResumeThread 7C832927 5 Bytes JMP 0037AC00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!GetThreadContext 7C83973D 5 Bytes JMP 0037AB40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 0037ACC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0037AC80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] kernel32.dll!SetThreadContext 7C863C09 5 Bytes JMP 0037AC20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0037AD80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 0037AD60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0037AD20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0037AD40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0037AE20 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!bind 71AB4480 5 Bytes JMP 0037AE00 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 0037AE40 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0037AEC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!recv 71AB676F 5 Bytes JMP 0037AEA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!WSAStartup 71AB6A55 7 Bytes JMP 0037ADC0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!WSASocketA 71AB8B6A 5 Bytes JMP 0037ADA0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!listen 71AB8CD3 5 Bytes JMP 0037AE80 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!getpeername 71AC0B68 3 Bytes JMP 0037AE60 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!getpeername + 4 71AC0B6C 1 Byte [8E]
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!accept 71AC1040 3 Bytes JMP 0037ADE0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[3248] ws2_32.dll!accept + 4 71AC1044 1 Byte [8E]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \Driver\Tcpip \Device\Ip oko6.sys (Service Application Printer Application/PowerISO Computing, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp oko6.sys (Service Application Printer Application/PowerISO Computing, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp oko6.sys (Service Application Printer Application/PowerISO Computing, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp oko6.sys (Service Application Printer Application/PowerISO Computing, Inc.)

Device \FileSystem\Fastfat \Fat B0DE4D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BE814C515767eb242B3B829125AD10D4\Usage@Main 1012106798

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Luis Rivas\Application Data\Macromedia\Flash Player\#SharedObjects\PT7KXE9V\coolclimate.berkeley.edu.\2AD7EB0A-9423-49AE-99A9-4B4747B90CBF_NAMES_.sol 93 bytes
File C:\Documents and Settings\Luis Rivas\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#coolclimate.berkeley.edu.\settings.sol 95 bytes

---- EOF - GMER 1.0.15 ----
DDS.txt Scan

DDS (Ver_09-12-01.01) - NTFSx86
Run by Luis Rivas at 14:27:27.77 on Sat 02/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.534 [GMT -8:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_comm_customer.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_system_customer.exe
C:\Program Files\Print Tracker\PMonitor.kpr
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\sYSteM32\SvchOst.eXE -k okogrp
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_user_customer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\SuperSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Gmer\or1r310z.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_host.exe
C:\Program Files\DDS\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.sfgate.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\320\g2mstart.exe "/Trigger RunAtLogon"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\luis rivas\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [LMI Print Monitor] "c:\program files\print tracker\PMonitor.exe" /AsUser
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera\fileutility\NsCatCom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
Trusted Zone: salesforce.com
DPF: B3467D2D-E10C-41A6-B671-2B07A1445DC4 - file://c:\docume~1\luisri~1\locals~1\temp\cmW32client.cab
DPF: {03A89EFD-E023-A100-A22D-45F77558EB4C} - hxxps://content9.mitel-nhwc.com/download/AXCltInstall.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://www.allocationmaster.com/client/iftwclix.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205903891819
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A37BF4BE-8CF4-47BF-9A7D-4E8318447929} - hxxps://www.orcameeting.com/downloads/SonexisAutoInstall.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T25L10NSP41EP2-premconf/webex/ieatgpc.cab
Notify: !SASWinLogon - c:\program files\superspyware\SASWINLO.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\209\g2ax_winlogon.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superspyware\SASSEH.DLL
Hosts: 192.168.1.10 HP001E0B4D5BB6

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luisri~1\applic~1\mozilla\firefox\profiles\0ehza0ff.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
R1 oko6;oko6;c:\windows\system32\drivers\oko6.sys [2010-2-17 32768]
R1 SASDIFSV;SASDIFSV;c:\program files\superspyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superspyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-10-21 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-10-21 38528]
R2 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\209\g2ax_service.exe [2009-11-19 161144]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-3-3 610304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 LMIPrintTracker;Print Tracker Monitor2;c:\program files\print tracker\PMonitor.exe [2008-10-23 499712]
R2 okosrv;okosrv;c:\windows\system32\SvchOst.eXE -k okogrp [2003-7-16 14336]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-5 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
R2 Sonexis Application Sharing Driver Service;Sonexis Application Sharing Driver Service;c:\program files\sonexis\applicationsharing\AppDriverService.exe [2009-2-12 163840]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-6-11 172032]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-3-3 20792]
R3 SASENUM;SASENUM;c:\program files\superspyware\SASENUM.SYS [2010-2-17 12872]
R3 SonMirrorftas;ConferenceManager AppShare Filter Driver;c:\windows\system32\drivers\SonMirrorftas.sys [2009-2-12 3840]
R3 SonVMDas;SonVMDas;c:\windows\system32\drivers\SonVMDas.sys [2009-2-12 2560]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-30 135664]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2009-3-21 3968]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-21 14976]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2010-02-20 06:05:05 0 d-----w- c:\program files\DDS
2010-02-20 05:59:15 0 d-----w- c:\program files\Gmer
2010-02-20 04:37:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-20 04:12:22 0 d-----w- c:\docume~1\luisri~1\applic~1\SUPERAntiSpyware.com
2010-02-20 04:08:25 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-20 04:04:10 0 d-----w- c:\program files\SuperSpyware
2010-02-20 04:04:09 0 d-----w- c:\program files\New Folder
2010-02-19 20:52:25 0 d-----w- c:\program files\Trend Micro
2010-02-17 23:20:27 101888 ----a-w- c:\windows\system32\oko6.dll
2010-02-17 23:20:26 32768 ----a-w- c:\windows\system32\drivers\oko6.sys
2010-02-07 03:34:54 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 17:48:53 28372 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-25 03:29:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2008-12-08 21:15:20 3432264 ----a-w- c:\program files\zviewer_inst-v21.exe
2008-12-08 21:13:12 684544 -c--a-w- c:\program files\sample-office-v21.zvw
2008-07-25 17:25:08 4880248 ----a-w- c:\program files\WindowsDesktopSearch-KB917013-V301-XP-x86-enu.exe
2008-07-17 18:56:44 29287263 ----a-w- c:\program files\KYOCERA_KX_V4_4_2K_XP_Vista_x86_EN.exe
2008-03-31 21:47:34 49152 ----a-w- c:\program files\Setup.exe
2008-03-20 05:18:18 1489 -c--a-r- c:\program files\KmInst32.pnf
2008-03-15 08:29:58 16819 -c--a-r- c:\program files\KmInstall.ini
2008-03-14 01:56:32 124407 -c--a-r- c:\program files\lang.dat
2008-03-12 03:47:32 1040384 ----a-r- c:\program files\KmInstall.exe
2008-03-12 03:27:40 333824 ----a-r- c:\program files\KmInst64.exe
2008-03-12 03:23:16 446464 ----a-r- c:\program files\KmUninstallVista.exe
2008-03-12 03:02:56 430080 ----a-r- c:\program files\KmUninstall.exe
2008-03-12 02:59:40 266240 ----a-r- c:\program files\KmInst32.exe
2008-03-12 02:58:06 1044480 ----a-r- c:\program files\KmInstallVista.exe
2008-02-14 02:55:08 47114 -c--a-r- c:\program files\KmInstall.str
2008-01-31 02:08:14 593 -c--a-r- c:\program files\KX.pnf
2008-01-30 02:41:12 114688 -c--a-r- c:\program files\KmDiscover.dll
2007-08-31 06:35:44 6912 -c--a-r- c:\program files\KmInst32.str
2007-06-14 06:43:28 110592 -c--a-r- c:\program files\KmUsb.dll
2008-08-21 18:38:01 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 14:28:13.93 ===============
DDS Attach.txt Scan

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/18/2008 10:35:45 PM
System Uptime: 2/19/2010 8:31:15 PM (18 hours ago)

Motherboard: Dell Computer Corporation | | 0F3553
Processor: Mobile Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2797/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 9.001 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP392: 11/25/2009 5:34:25 AM - Software Distribution Service 3.0
RP393: 12/14/2009 2:41:00 PM - Software Distribution Service 3.0
RP394: 12/30/2009 1:32:01 PM - System Checkpoint
RP395: 1/14/2010 3:37:42 PM - Software Distribution Service 3.0
RP396: 1/22/2010 7:50:21 AM - Software Distribution Service 3.0
RP397: 1/22/2010 10:13:17 AM - Software Distribution Service 3.0
RP398: 1/24/2010 7:15:41 PM - System Checkpoint
RP399: 2/2/2010 3:17:42 AM - System Checkpoint
RP400: 2/7/2010 9:09:20 AM - System Checkpoint
RP401: 2/10/2010 6:38:37 PM - Software Distribution Service 3.0
RP402: 2/13/2010 2:52:33 PM - System Checkpoint
RP403: 2/14/2010 3:42:13 PM - System Checkpoint
RP404: 2/15/2010 4:08:14 PM - System Checkpoint
RP405: 2/19/2010 8:12:13 PM - Installed SUPERAntiSpyware Free Edition

==== Installed Programs ======================


7500_7600_7700_Help
Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Contribute CS3
Adobe Default Language CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 8.1.6
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BCM V.92 56K Modem
Bonjour
BPD_HPSU
BPD_Scan
BPDfax
BPDSoftware
BPDSoftware_Ini
Broadcom 440x 10/100 Integrated Controller
BufferChm
Choice Guard
Cisco Systems VPN Client 5.0.03.0530
ConferenceManager Application Sharing Driver 8.0.15.0
ConferenceManager Print Driver
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
Dell Wireless WLAN Card
DemoMate
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GoToAssist Express Customer 1.3.0.209
GoToMeeting 4.0.0.320
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Imaging Device Functions 7.0
HP Officejet Pro All-In-One Series
HP SNMP Proxy
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevicesMFC
Intel® Extreme Graphics 2 Driver
iPhone Configuration Utility
iTunes
Java™ 6 Update 13
Kaseya Agent
Kyocera Scanner File Utility
L7600
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator 2000
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money Plus
Microsoft Money Shared Libraries
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mitel Hosted Web Conferencing Client
MobileMe Control Panel
Mozilla Firefox (2.0.0.12)
MPM
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OCR Software by I.R.I.S 7.0
OpenOffice.org Installer 1.0
PanoStandAlone
PowerDVD 5.1
PrimoPDF
Print Tracker
ProductContext
QuickTime
Retriever for the Desktop
Safari
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SigmaTel AC97 Audio Drivers
SmartDraw 2008
SmartDraw 2009
SmartDraw PDF Filter
SolutionCenter
Sophos Anti-Virus
Sophos AutoUpdate
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
TestDrive Client
Toolbox
TrayApp
TurboTax 2008 wcalbpm
TurboTax 2008 wcapbpm
TurboTax 2008 WinBizFedFormset
TurboTax 2008 WinBizProgramHelp
TurboTax 2008 WinBizReleaseEngine
TurboTax 2008 WinBizTaxSupport
TurboTax 2008 WinBizUserEducation
TurboTax 2008 wrapper
TurboTax Business 2008
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Outlook 2007 Junk Email Filter (kb977719)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Install Manager
Yahoo! Toolbar
Z-Viewer

==== Event Viewer Messages From Past Week ========

2/19/2010 9:26:51 AM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer3.
2/19/2010 10:28:33 PM, error: SAVOnAccessFilter [63] - Failed to obtain volume information from mount manager.
2/19/2010 1:19:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
2/18/2010 9:22:57 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
2/18/2010 9:22:57 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/18/2010 9:22:57 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
2/16/2010 9:43:18 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{D00351A8-076D-4398-B7AE-C75F062AB2E8} because another computer on the network has the same name. The server could not start.
2/16/2010 9:41:56 AM, error: Print [19] - Sharing printer failed + 1722, Printer SmartDraw PDF Filter share name Printer.
2/13/2010 8:16:04 AM, error: Dhcp [1002] - The IP address lease 192.168.168.193 for the Network Card with network address 009096C3A4CC has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
2/13/2010 8:14:25 AM, error: Dhcp [1002] - The IP address lease 192.168.168.179 for the Network Card with network address 000F1F1B85DD has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

#6 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:34 PM

Posted 20 February 2010 - 06:51 PM

Hello ihateraking,

Thanks for the logs. We still have some leftover stuff we need to deal with.


1.
We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Processes
    explorer.exe
    SvchOst.eXE
    :Services
    okosrv
    oko6
    :Files
    c:\windows\system32\oko6.dll
    c:\windows\system32\drivers\oko6.sys
    :commands
    [EmptyTemp]
    [Reboot]
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

2.
Please update Malwarebytes' Anti-Malware and do a Full Scan, then post the results of that log.

3.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
OTM log
MBAM log
Eset log
A new DDS.txt
No need for an Attach.txt
How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 ihateraking

  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:34 PM

Posted 21 February 2010 - 05:04 PM

Hi Fireman,

I ran the new scans, results below. When I ran the OTM scan (3 times) a log was created but I was unable to capture it due to the restart. I went to the folder C/OTM and there were three folders created, but no log file. The folders were empty, I searched for *log as well -- no file. MalwareBytes found 5 instances of KoobFace, and ESET Online scan didn't give me an option to save a log file. However, the scanner ran for about 7 hours and found no threats. I ran DDS as instructed and copied the DDS scan results below.

My computer is running much better this morning, I can definitely see an improvement in speed and browser stability. I've done a minimal amount of web browsing, and have not attempted to Google search to test the browser. I'm a very patient fellow and will wait to hear from you.

Thanks again for all that you do -- wonderful!

Bob



MalwareBytes Scan Results

Malwarebytes' Anti-Malware 1.44
Database version: 3768
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/21/2010 6:57:54 AM
mbam-log-2010-02-21 (06-57-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 249495
Time elapsed: 3 hour(s), 45 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oko6 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OKO6 (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\okogrp (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oko6.dll (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\oko6.sys (Worm.Koobface) -> Quarantined and deleted successfully.



ESET Scan Results

No threats found.



DDS Scan Results


DDS (Ver_09-12-01.01) - NTFSx86
Run by Luis Rivas at 13:58:52.38 on Sun 02/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.569 [GMT -8:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Print Tracker\PMonitor.kpr
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_comm_customer.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_system_customer.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_host.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_user_customer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\DDS\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.sfgate.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\320\g2mstart.exe "/Trigger RunAtLogon"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [LMI Print Monitor] "c:\program files\print tracker\PMonitor.exe" /AsUser
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera\fileutility\NsCatCom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
Trusted Zone: salesforce.com
DPF: B3467D2D-E10C-41A6-B671-2B07A1445DC4 - file://c:\docume~1\luisri~1\locals~1\temp\cmW32client.cab
DPF: {03A89EFD-E023-A100-A22D-45F77558EB4C} - hxxps://content9.mitel-nhwc.com/download/AXCltInstall.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://www.allocationmaster.com/client/iftwclix.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205903891819
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A37BF4BE-8CF4-47BF-9A7D-4E8318447929} - hxxps://www.orcameeting.com/downloads/SonexisAutoInstall.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T25L10NSP41EP2-premconf/webex/ieatgpc.cab
Notify: !SASWinLogon - c:\program files\superspyware\SASWINLO.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\209\g2ax_winlogon.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superspyware\SASSEH.DLL
Hosts: 192.168.1.10 HP001E0B4D5BB6

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luisri~1\applic~1\mozilla\firefox\profiles\0ehza0ff.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superspyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superspyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-10-21 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-10-21 38528]
R2 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\209\g2ax_service.exe [2009-11-19 161144]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-3-3 610304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 LMIPrintTracker;Print Tracker Monitor2;c:\program files\print tracker\PMonitor.exe [2008-10-23 499712]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-5 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
R2 Sonexis Application Sharing Driver Service;Sonexis Application Sharing Driver Service;c:\program files\sonexis\applicationsharing\AppDriverService.exe [2009-2-12 163840]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-6-11 172032]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-3-3 20792]
R3 SonMirrorftas;ConferenceManager AppShare Filter Driver;c:\windows\system32\drivers\SonMirrorftas.sys [2009-2-12 3840]
R3 SonVMDas;SonVMDas;c:\windows\system32\drivers\SonVMDas.sys [2009-2-12 2560]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-30 135664]
S3 SASENUM;SASENUM;c:\program files\superspyware\SASENUM.SYS [2010-2-17 12872]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2009-3-21 3968]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-21 14976]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2010-02-21 15:21:29 0 d-----w- c:\program files\ESET
2010-02-21 03:14:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-21 03:14:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-21 02:06:46 0 d-----w- C:\_OTM
2010-02-21 00:22:58 0 d-----w- c:\program files\OTM
2010-02-20 06:05:05 0 d-----w- c:\program files\DDS
2010-02-20 05:59:15 0 d-----w- c:\program files\Gmer
2010-02-20 04:37:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-20 04:12:22 0 d-----w- c:\docume~1\luisri~1\applic~1\SUPERAntiSpyware.com
2010-02-20 04:08:25 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-20 04:04:10 0 d-----w- c:\program files\SuperSpyware
2010-02-20 04:04:09 0 d-----w- c:\program files\New Folder
2010-02-19 20:52:25 0 d-----w- c:\program files\Trend Micro
2010-02-07 03:34:54 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 17:48:53 28372 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-25 03:29:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2008-12-08 21:15:20 3432264 ----a-w- c:\program files\zviewer_inst-v21.exe
2008-12-08 21:13:12 684544 -c--a-w- c:\program files\sample-office-v21.zvw
2008-07-25 17:25:08 4880248 ----a-w- c:\program files\WindowsDesktopSearch-KB917013-V301-XP-x86-enu.exe
2008-07-17 18:56:44 29287263 ----a-w- c:\program files\KYOCERA_KX_V4_4_2K_XP_Vista_x86_EN.exe
2008-03-31 21:47:34 49152 ----a-w- c:\program files\Setup.exe
2008-03-20 05:18:18 1489 -c--a-r- c:\program files\KmInst32.pnf
2008-03-15 08:29:58 16819 -c--a-r- c:\program files\KmInstall.ini
2008-03-14 01:56:32 124407 -c--a-r- c:\program files\lang.dat
2008-03-12 03:47:32 1040384 ----a-r- c:\program files\KmInstall.exe
2008-03-12 03:27:40 333824 ----a-r- c:\program files\KmInst64.exe
2008-03-12 03:23:16 446464 ----a-r- c:\program files\KmUninstallVista.exe
2008-03-12 03:02:56 430080 ----a-r- c:\program files\KmUninstall.exe
2008-03-12 02:59:40 266240 ----a-r- c:\program files\KmInst32.exe
2008-03-12 02:58:06 1044480 ----a-r- c:\program files\KmInstallVista.exe
2008-02-14 02:55:08 47114 -c--a-r- c:\program files\KmInstall.str
2008-01-31 02:08:14 593 -c--a-r- c:\program files\KX.pnf
2008-01-30 02:41:12 114688 -c--a-r- c:\program files\KmDiscover.dll
2007-08-31 06:35:44 6912 -c--a-r- c:\program files\KmInst32.str
2007-06-14 06:43:28 110592 -c--a-r- c:\program files\KmUsb.dll
2008-08-21 18:38:01 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 14:00:13.85 ===============


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:34 PM

Posted 21 February 2010 - 06:12 PM

Hello ihateraking,

Your logs look a lot better now. We are now going to do some updating and some further checking to make sure you are all clean.

1.
New Adobe Reader Installation:
  • Go here and click on the Download button to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

2.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

3.
Once again update Malwarebytes' Anti-Malware and do a quick scan. We like to see all 0's

4.
Play around with your browser and do some searches make sure everything is ok.

Things to include in your next reply:
MBAM log
A new DDS log
How is your machine running now? Any redirects?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 ihateraking

ihateraking
  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:34 PM

Posted 21 February 2010 - 08:01 PM

Fireman... you are a genius! How can I ever thank you for your help? I updated MWBytes and ran a scan -- nothing found. I updated JAVA and Acrobat as instructed. I also ran a new DDS scan, text is below.

I tried Google Search with great results so far. I will use the computer for the next few hours and follow-up with you tomorrow.

Again, thank you for all of your help, your knowledge and your patience. I'm very grateful!

All the best,

Bob


MalwareBytes Scan

Malwarebytes' Anti-Malware 1.44
Database version: 3772
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/21/2010 3:59:27 PM
mbam-log-2010-02-21 (15-59-27).txt

Scan type: Quick Scan
Objects scanned: 127453
Time elapsed: 53 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS Scan


DDS (Ver_09-12-01.01) - NTFSx86
Run by Luis Rivas at 16:48:37.49 on Sun 02/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.644 [GMT -8:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_comm_customer.exe
C:\Program Files\Print Tracker\PMonitor.kpr
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_system_customer.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_host.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_user_customer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Print Tracker\PMonitor.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java JRE\bin\jqs.exe
C:\Program Files\DDS\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.sfgate.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java jre\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java jre\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\320\g2mstart.exe "/Trigger RunAtLogon"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [LMI Print Monitor] "c:\program files\print tracker\PMonitor.exe" /AsUser
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera\fileutility\NsCatCom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
Trusted Zone: salesforce.com
DPF: B3467D2D-E10C-41A6-B671-2B07A1445DC4 - file://c:\docume~1\luisri~1\locals~1\temp\cmW32client.cab
DPF: {03A89EFD-E023-A100-A22D-45F77558EB4C} - hxxps://content9.mitel-nhwc.com/download/AXCltInstall.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://www.allocationmaster.com/client/iftwclix.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205903891819
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A37BF4BE-8CF4-47BF-9A7D-4E8318447929} - hxxps://www.orcameeting.com/downloads/SonexisAutoInstall.CAB
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T25L10NSP41EP2-premconf/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superspyware\SASWINLO.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\209\g2ax_winlogon.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superspyware\SASSEH.DLL
Hosts: 192.168.1.10 HP001E0B4D5BB6

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luisri~1\applic~1\mozilla\firefox\profiles\0ehza0ff.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superspyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superspyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-10-21 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-10-21 38528]
R2 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\209\g2ax_service.exe [2009-11-19 161144]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2009-3-3 610304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 LMIPrintTracker;Print Tracker Monitor2;c:\program files\print tracker\PMonitor.exe [2008-10-23 499712]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-5 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
R2 Sonexis Application Sharing Driver Service;Sonexis Application Sharing Driver Service;c:\program files\sonexis\applicationsharing\AppDriverService.exe [2009-2-12 163840]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-6-11 172032]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2009-3-3 20792]
R3 SonMirrorftas;ConferenceManager AppShare Filter Driver;c:\windows\system32\drivers\SonMirrorftas.sys [2009-2-12 3840]
R3 SonVMDas;SonVMDas;c:\windows\system32\drivers\SonVMDas.sys [2009-2-12 2560]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-30 135664]
S3 SASENUM;SASENUM;c:\program files\superspyware\SASENUM.SYS [2010-2-17 12872]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2009-3-21 3968]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-21 14976]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2010-02-22 00:47:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-21 23:36:26 0 d-----w- c:\program files\Java JRE
2010-02-21 03:14:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-21 03:14:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-21 00:22:58 0 d-----w- c:\program files\OTM
2010-02-20 06:05:05 0 d-----w- c:\program files\DDS
2010-02-20 05:59:15 0 d-----w- c:\program files\Gmer
2010-02-20 04:37:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-20 04:12:22 0 d-----w- c:\docume~1\luisri~1\applic~1\SUPERAntiSpyware.com
2010-02-20 04:08:25 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-20 04:04:10 0 d-----w- c:\program files\SuperSpyware
2010-02-20 04:04:09 0 d-----w- c:\program files\New Folder
2010-02-19 20:52:25 0 d-----w- c:\program files\Trend Micro
2010-02-07 03:34:54 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

==================== Find3M ====================

2010-02-22 00:46:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 17:48:53 28372 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-25 03:29:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2008-12-08 21:15:20 3432264 ----a-w- c:\program files\zviewer_inst-v21.exe
2008-12-08 21:13:12 684544 -c--a-w- c:\program files\sample-office-v21.zvw
2008-07-25 17:25:08 4880248 ----a-w- c:\program files\WindowsDesktopSearch-KB917013-V301-XP-x86-enu.exe
2008-07-17 18:56:44 29287263 ----a-w- c:\program files\KYOCERA_KX_V4_4_2K_XP_Vista_x86_EN.exe
2008-03-31 21:47:34 49152 ----a-w- c:\program files\Setup.exe
2008-03-20 05:18:18 1489 -c--a-r- c:\program files\KmInst32.pnf
2008-03-15 08:29:58 16819 -c--a-r- c:\program files\KmInstall.ini
2008-03-14 01:56:32 124407 -c--a-r- c:\program files\lang.dat
2008-03-12 03:47:32 1040384 ----a-r- c:\program files\KmInstall.exe
2008-03-12 03:27:40 333824 ----a-r- c:\program files\KmInst64.exe
2008-03-12 03:23:16 446464 ----a-r- c:\program files\KmUninstallVista.exe
2008-03-12 03:02:56 430080 ----a-r- c:\program files\KmUninstall.exe
2008-03-12 02:59:40 266240 ----a-r- c:\program files\KmInst32.exe
2008-03-12 02:58:06 1044480 ----a-r- c:\program files\KmInstallVista.exe
2008-02-14 02:55:08 47114 -c--a-r- c:\program files\KmInstall.str
2008-01-31 02:08:14 593 -c--a-r- c:\program files\KX.pnf
2008-01-30 02:41:12 114688 -c--a-r- c:\program files\KmDiscover.dll
2007-08-31 06:35:44 6912 -c--a-r- c:\program files\KmInst32.str
2007-06-14 06:43:28 110592 -c--a-r- c:\program files\KmUsb.dll
2008-08-21 18:38:01 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 16:49:38.41 ===============
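
The Java note in the helper's post above says the installer's auto-update will not remove older 6uXX builds, and the DDS log just posted still lists Firefox "Java Console" extension folders for 6u10 and 6u11 beside the freshly installed 6u18. As an added example (not from the post, DDS, or any of the tools named here), this Python script decodes the Java Plug-in CLSIDs ({CAFEEFAC-00MM-00mm-00UU-ABCDEFFEDCBA} encodes Java 1.M.m update UU; the all-F fields are a "latest installed" wildcard) and the jinstall cab names from a constructed sample in the log's shape, then lists the versions older than the one the helper asked for, which are the leftovers to remove by hand.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of the DDS "Pseudo HJT Report" and FIREFOX
# sections (hxxp obfuscation kept as DDS writes it).  Not a real log.
SAMPLE_DDS_LOG = r"""
BHO: Java(TM) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java jre\bin\jp2ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
"""

# Java Plug-in CLSID family: {CAFEEFAC-<family>-<micro>-<update>-ABCDEFFEDCBA}
# with decimal-looking fields, e.g. 0016-0000-0018 -> Java 1.6.0_18.
JAVA_CLSID = re.compile(
    r"\{CAFEEFAC-(?P<family>[0-9A-F]{4})-(?P<micro>[0-9A-F]{4})"
    r"-(?P<update>[0-9A-F]{4})-ABCDEFFEDCBA\}",
    re.IGNORECASE,
)
# Installer cab names such as jinstall-1_6_0_18-windows-i586.cab
JINSTALL = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.IGNORECASE)


def version_key(version: str) -> tuple:
    """'1.6.0_18' -> (1, 6, 0, 18) so versions compare numerically."""
    major, minor, rest = version.split(".")
    micro, update = rest.split("_")
    return (int(major), int(minor), int(micro), int(update))


def clsid_to_version(family: str, micro: str, update: str) -> Optional[str]:
    """Decode the three CLSID fields; wildcard (FFFF) fields carry no version."""
    if not (family.isdigit() and micro.isdigit() and update.isdigit()):
        return None
    fam = family.lstrip("0")  # "0016" -> "16" -> major 1, minor 6
    if len(fam) < 2:
        return None
    return f"{fam[0]}.{fam[1:]}.{int(micro)}_{int(update)}"


def java_versions_in_log(log_text: str) -> Dict[str, List[str]]:
    """Map each Java version referenced in a DDS log to the lines naming it."""
    found: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        versions: Set[str] = set()
        for m in JAVA_CLSID.finditer(line):
            v = clsid_to_version(m.group("family"), m.group("micro"), m.group("update"))
            if v:
                versions.add(v)
        for m in JINSTALL.finditer(line):
            versions.add(f"{m.group(1)}.{m.group(2)}.{m.group(3)}_{m.group(4)}")
        for v in versions:
            found.setdefault(v, []).append(line.strip())
    return found


def stale_versions(found: Dict[str, List[str]], latest: str) -> List[str]:
    """Versions older than `latest`, oldest first: the leftovers the Java
    installer's auto-update does not remove and that must go manually."""
    return sorted(
        (v for v in found if version_key(v) < version_key(latest)),
        key=version_key,
    )


if __name__ == "__main__":
    found = java_versions_in_log(SAMPLE_DDS_LOG)
    for version in sorted(found, key=version_key):
        print(f"{version}: {len(found[version])} line(s)")
    for old in stale_versions(found, "1.6.0_18"):
        print(f"STALE {old}: remove via Add/Remove Programs / extension folder")
        for line in found[old]:
            print("   ", line)
```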


#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:34 PM

Posted 21 February 2010 - 08:28 PM

Hello,

QUOTE
Fireman... you are a genius! How can I ever thank you for your help? I updated MWBytes and ran a scan -- nothing found. I updated JAVA and Acrobat as instructed. I also ran a new DDS scan, text is below.

I tried Google Search with great results so far. I will use the computer for the next few hours and follow-up with you tomorrow.

Again, thank you for all of your help, your knowledge and your patience. I'm very grateful!


Glad I could help! Now we will clean up our tools and wait for you to test your browser some more before closing this thread.

1.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".

2.
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.



#11 ihateraking

ihateraking
  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:34 PM

Posted 21 February 2010 - 11:17 PM

Hi Fireman,

So far, so good. I uninstalled all but two programs, SuperAntiSpyware and HiJackThis. I cleaned up with OTC as well. My IE browser is stable and running very well... I'm confident that the system is clean. I've done this before with some success, some failure -- I'm thrilled that this time around I can bask in victory!

Thank you once again, I couldn't have done it without your kind assistance.

All the best,

Bob

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:34 PM

Posted 22 February 2010 - 05:16 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.





