infected by Desktop Security 2010


  • This topic is locked
26 replies to this topic

#1 AUsome

AUsome

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:06 PM

Posted 07 May 2010 - 09:15 PM

Desktop Security 2010 popped on my computer last night. as i'm sure you are aware, it looks legit at first (except that it misspells a lot of words) and it pops up messages in my system tray saying that i have a bunch of infected files, and asks me to buy the full version, etc. i researched for how to remove it.

as directed by the help i found online, i used rkill.com to stop the malware from running and then used MalwareBytes Anti-Malware to find and remove the infected files that were found. i tried this a total of 3 times, but Desktop Security 2010 would always be there again when i rebooted my computer.

the second time i tried the rkill/MBAM method, i also used http://www.411-spyware.com/remove-desktop-security-2010 to tell me to search for specific files and folders to delete. i deleted the files and folders listed on the site that i could find on my computer, but i did not do anything with the DLLs or registry values. files that i deleted that did not have the name "desktop security" in it somehow included the following:
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.lnk
  • %UserProfile%\Local Settings\Temp\gedx_ae09.exe
  • %UserProfile%\Local Settings\Temp\jkbleepjs.exe
  • %UserProfile%\Local Settings\Temp\kilslmd.exex
  • %UserProfile%\Local Settings\Temp\kn.a.exe
also, when i searched for how to remove Desktop Security 2010 in google, the links to the search results would redirect me to random sites. however, whatever caused that problem seems to be gone now.

one more thing to mention...i had been using google chrome as my default browser, but it seems to be completely stove up by this malware. i've had to use firefox instead and it's been working fine.

now i've followed the guide from bleepingcomputer.com and including files/logs below and attached as requested.

thanks in advance for your help!

DDS.txt log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Humphrey at 19:00:23.31 on Fri 05/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.274 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2008\Planner\PLNRnote.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Gemplus\GemSafe Libraries\BIN\GCardSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Documents and Settings\Humphrey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\progra~1\dellsu~1\DSAgnt.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\humphrey\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MoneyBackgoundBanking] "c:\program files\microsoft money plus\mnycorefiles\mnybbsvc.exe"
uRun: [rle5r5uwco4w] c:\documents and settings\humphrey\local settings\temp\m.21C.tmp.exe
uRun: [Desktop Security 2010] "c:\documents and settings\humphrey\application data\desktop security 2010\Desktop Security 2010.exe" /STARTUP
uRun: [SecurityCenter] c:\documents and settings\humphrey\application data\desktop security 2010\securitycenter.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [gemstrmw] c:\windows\system32\gemstrmw.exe /r
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [UpdateSAUpdate] c:\docume~1\humphrey\locals~1\temp\FXwk.exe
mRun: [QuickTimeQuickTime] c:program filesquicktimeqtsystemquicktime.resourcesda.lprojquicktimequicktime.exe
mRunServices: [SUPERAntiSpywareApplication] c:\docume~1\humphrey\locals~1\temp\FXwk.exe
mRunServices: [GTCoachglfman] c:program fileswebcybercoachb_delleffectssildersilder10010.exe
mRunServices: [QuickTimeResourcesQuickTime] c:program filesquicktimeqtsystemquicktime3gppauthoring.resourcesru.lprojquicktimeresourcesquicktime.exe
mRunServices: [QuickTimeQuickTime] c:program filesquicktimeqtsystemquicktime.resourcesda.lprojquicktimequicktime.exe
StartupFolder: c:\docume~1\humphrey\startm~1\programs\startup\hewlet~1.lnk - c:\program files\hewlett-packard\aio\hp psc 900 series\fru\Remind32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{747a6a10-da58-48c2-a1f0-c15514419c8a}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp psc 900 series\bin\hpobrt07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: southernco.com\clm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - c:\docume~1\humphrey\locals~1\temp\45.tmp
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\humphrey\applic~1\mozilla\firefox\profiles\2g0vlp6l.default
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\humphrey\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-2-15 214664]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 68168]
R3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2010-2-15 61776]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-15 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-15 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-2-15 40552]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-2-15 34248]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

=============== Created Last 30 ================

2010-05-07 23:57:06 0 ----a-w- c:\documents and settings\humphrey\defogger_reenable
2010-05-07 23:11:44 2897274 ----a-r- C:\My Money Backup_2010-05-07_181133.mbf
2010-05-07 22:27:23 0 d-----w- c:\docume~1\humphrey\applic~1\Desktop Security 2010
2010-04-30 03:14:06 0 d-----w- c:\program files\MSECache
2010-04-22 22:17:12 3075629 ----a-r- C:\My Money Backup_2010-04-22_171701.mbf
2010-04-15 03:09:36 0 d-----w- c:\docume~1\humphrey\applic~1\Trusteer
2010-04-15 03:09:21 0 d-----w- c:\program files\Trusteer
2010-04-15 03:08:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-04-08 00:47:54 3124698 ----a-r- C:\My Money Backup_2010-04-07_194744.mbf

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 09:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 16:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2004-08-04 10:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 19:03:43.18 ===============

update...just got a blue screen with the following message:

STOP: c000021a {Fatal System Error}
The Windows SubSystem system process terminated unexpectedly with a status of 0xc00005 (0x00280fff0x012be064).
The system has been shutdown.

Edited by Budapest, 09 May 2010 - 05:21 PM.
Posts merged ~BP
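One thing a log reviewer does with a DDS report like the one above is check where each autorun target actually lives. The script below is an added example for this thread, not a DDS, ComboFix or BleepingComputer tool: it parses the uRun/mRun/mRunServices lines in the format the log uses (that line format, and the reading u = HKCU, m = HKLM, are assumptions taken from the log), and flags entries whose target sits under a Temp or Application Data folder, carries a temp-style file name, or is registered under more than one autorun value name. The sample lines are constructed from the first post's log with the path separators restored.

```python
"""Triage DDS-style autorun lines: flag Run-key entries that start from
user-writable or temporary locations, and targets registered more than once.
Added example for this thread; not a DDS, ComboFix or BleepingComputer tool."""
import re
from collections import Counter

# DDS prints registry autoruns as "<scope>Run[Services|Once]: [<value name>] <command>",
# where u = HKCU and m = HKLM (assumed from the log in the first post).
LINE_RE = re.compile(
    r"^(?P<key>[um]Run(?:Services|Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$"
)
# First token that ends in an executable extension; anything after it is arguments.
PATH_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|scr|com|bat|cmd|dll|vbs|js))"?(?:\s|$)', re.IGNORECASE
)
# Directory fragments (lower-case, single backslashes) in which a Run target is unusual.
SUSPICIOUS_DIRS = {
    "temp": ("\\local settings\\temp\\", "\\locals~1\\temp\\", "\\windows\\temp\\"),
    "appdata": ("\\application data\\", "\\applic~1\\"),
}

# Constructed sample: lines taken from the first post's DDS log, backslashes restored.
SAMPLE_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'uRun: [Google Update] "c:\documents and settings\humphrey\local settings\application data\google\update\GoogleUpdate.exe" /c',
    r"uRun: [rle5r5uwco4w] c:\documents and settings\humphrey\local settings\temp\m.21C.tmp.exe",
    r'uRun: [Desktop Security 2010] "c:\documents and settings\humphrey\application data\desktop security 2010\Desktop Security 2010.exe" /STARTUP',
    r"uRun: [SecurityCenter] c:\documents and settings\humphrey\application data\desktop security 2010\securitycenter.exe",
    r"mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe",
    r'mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey',
    r"mRun: [UpdateSAUpdate] c:\docume~1\humphrey\locals~1\temp\FXwk.exe",
    r"mRunServices: [SUPERAntiSpywareApplication] c:\docume~1\humphrey\locals~1\temp\FXwk.exe",
    r"BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll",
]


def parse_autorun(line):
    """Return (key, name, path) for a DDS autorun line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    p = PATH_RE.match(cmd)
    path = p.group("path") if p else cmd
    return m.group("key"), m.group("name"), path.lower()


def classify(path):
    """Reasons a single target path looks out of place for an autorun entry."""
    reasons = [label for label, frags in SUSPICIOUS_DIRS.items()
               if any(f in path for f in frags)]
    filename = path.rsplit("\\", 1)[-1]
    if ".tmp." in filename:  # a temp-file name that was given an executable extension
        reasons.append("tmp-name")
    return reasons


def triage(lines):
    """Parse every autorun line and return the entries worth a closer look."""
    entries = [e for e in map(parse_autorun, lines) if e]
    # The same file registered under several autorun names is itself a cue
    # (FXwk.exe above is both an mRun and an mRunServices value).
    targets = Counter(path for _, _, path in entries)
    findings = []
    for key, name, path in entries:
        reasons = classify(path)
        if targets[path] > 1:
            reasons.append("shared-target")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['key']:<13} [{f['name']}] -> {f['path']}  ({', '.join(f['reasons'])})")
```

Run it as a script to print the flagged entries. The Application Data rule is a cue, not a verdict: Google Update legitimately runs from Local Settings\Application Data and is flagged next to the rogue's securitycenter.exe, so the reviewer still has to look at each hit. FXwk.exe stands out on two counts at once: it lives in Temp and is registered twice under unrelated value names, one of them borrowing a real product's name.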


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:06 PM

Posted 10 May 2010 - 04:22 PM


Hello AUsome. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


You are infected with a rootkit. Let's see what we can do to get it off.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 AUsome

AUsome
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:06 PM

Posted 10 May 2010 - 08:54 PM

thewall,
thanks for taking my case. i've done as you asked, but ran into some problems on the way. in the spirit of full disclosure, i'll outline what happened...

downloaded combofix and ran it.
downloaded Microsoft Windows Recovery Console through combofix.
combofix started running and i got a blue screen i've never seen before. see pic below. in case you can't read the codes and need to know them, they are...
0x000000c2 (0x00000007, 0xd0000CD4, 0x00000000, 0x805627E4)



so, i obviously had to restart my computer. when i did, the Desktop Security 2010 thing started running. it basically inactivated my desktop (it darkened my desktop and i couldn't click on anything) and wouldn't let me see any windows i opened when i right clicked start and clicked "explore".
the only way i could open anything was through the task manager (by pressing ctrl+shift+esc), then clicking new task. i did this to open combofix and nothing happened.
so, i was able to use task manager to open and run rkill.com to stop Desktop Security 2010 from running.
then i tried to run combofix again and got the blue screen again.

i then restarted my computer in safe mode and was able to successfully run combofix (which said it deleted Desktop Security 2010).
i couldn't get to this site in safe mode, so i had to restart my computer in normal mode and thankfully Desktop Security 2010 did not start back up like the other times i thought it was deleted (see first post).

i hope it was okay to run rkill again. i tried all other ways to run combofix without doing that.

anyway...here's the log you requested...



ComboFix 10-05-10.02 - Humphrey 05/10/2010 19:48:42.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.830 [GMT -5:00]
Running from: c:\documents and settings\Humphrey\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Humphrey\Application Data\Desktop Security 2010
c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\Desktop Security 2010.exe
c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\mfc71.dll
c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\MFC71ENU.DLL
c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\msvcp71.dll
c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\msvcr71.dll
c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\securitycenter.exe
c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\securityhelper.exe
c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\taskmgr.dll
c:\documents and settings\Humphrey\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.lnk
c:\documents and settings\Humphrey\Start Menu\Programs\Desktop Security 2010
c:\documents and settings\Humphrey\Start Menu\Programs\Desktop Security 2010.lnk
c:\documents and settings\Humphrey\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk
c:\documents and settings\Humphrey\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk
c:\documents and settings\Humphrey\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk
c:\documents and settings\Humphrey\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk

.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-07 01:04 . 2010-05-07 01:04 -------- d-----w- c:\documents and settings\LocalService\Application Data\Gtek
2010-05-01 23:37 . 2010-05-01 23:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-04-30 03:14 . 2010-04-30 03:14 -------- d-----w- c:\program files\MSECache
2010-04-22 00:00 . 2010-04-22 00:00 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-04-15 03:09 . 2010-04-15 03:09 -------- d-----w- c:\documents and settings\Humphrey\Application Data\Trusteer
2010-04-15 03:09 . 2010-04-15 03:09 -------- d-----w- c:\program files\Trusteer
2010-04-15 03:08 . 2010-04-15 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 22:31 . 2010-02-15 04:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-07 01:20 . 2010-02-15 04:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 10:06 . 2010-02-15 06:30 60936 ----a-w- c:\documents and settings\Humphrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 20:39 . 2010-02-15 04:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-02-15 04:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 00:40 . 2010-02-15 23:19 -------- d-----w- c:\documents and settings\Humphrey\Application Data\AdobeUM
2010-03-31 23:26 . 2010-03-31 23:26 503808 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b5afb4-n\msvcp71.dll
2010-03-31 23:26 . 2010-03-31 23:26 499712 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b5afb4-n\jmc.dll
2010-03-31 23:26 . 2010-03-31 23:26 348160 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b5afb4-n\msvcr71.dll
2010-03-31 23:26 . 2010-03-31 23:26 61440 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-26021f3b-n\decora-sse.dll
2010-03-31 23:26 . 2010-03-31 23:26 12800 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-26021f3b-n\decora-d3d.dll
2010-03-31 23:26 . 2005-08-26 08:17 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 23:24 . 2005-08-26 08:17 -------- d-----w- c:\program files\Java
2010-03-31 23:10 . 2010-02-15 05:21 -------- d-----w- c:\program files\McAfee
2010-03-16 22:27 . 2010-02-24 01:11 -------- d-----w- c:\documents and settings\Humphrey\Application Data\ZoomBrowser EX
2010-03-16 22:18 . 2010-02-16 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-16 03:53 . 2010-03-16 03:53 -------- d-----w- c:\documents and settings\Humphrey\Application Data\Apple Computer
2010-03-16 03:38 . 2010-03-16 03:37 -------- d-----w- c:\program files\QuickTime
2010-03-16 03:37 . 2010-03-16 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-16 03:36 . 2010-03-16 03:36 -------- d-----w- c:\program files\Common Files\Apple
2010-03-16 03:35 . 2010-03-16 03:35 -------- d-----w- c:\program files\Apple Software Update
2010-03-16 03:35 . 2010-03-16 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 09:28 . 2010-02-25 12:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-09 09:16 . 2010-03-02 00:30 128520 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-25 12:14 . 2010-02-25 12:14 152576 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-25 12:13 . 2010-02-25 12:13 79488 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-08-26 07:59 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2004-08-10 17:51 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 03:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 12:54 . 2004-08-10 18:03 77915 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-15 04:57 . 2010-02-15 04:57 52224 ----a-w- c:\documents and settings\Humphrey\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 04:57 . 2010-02-15 04:57 117760 ----a-w- c:\documents and settings\Humphrey\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 04:33 . 2004-08-10 17:50 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-10 17:51 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2004-08-04 10:00 . 2004-08-10 17:51 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-10 17:51 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-10 17:51 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2004-08-10 17:51 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-10 17:51 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-10 17:51 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2004-08-10 17:51 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-10 17:51 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-10 17:51 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\progra~1\DELLSU~1\DSAgnt.exe" [2005-05-15 332800]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-07 2017280]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-16 39408]
"Google Update"="c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-16 135664]
"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-26 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2004-09-15 24576]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]

c:\documents and settings\Humphrey\Start Menu\Programs\Startup\
Hewlett-Packard Recorder.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe [2000-8-24 67584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminder 2008.lnk - c:\windows\Installer\{747A6A10-DA58-48C2-A1F0-C15514419C8A}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe [2010-2-28 1718]
HPAiODevice(hp psc 900 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-7-23 487484]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [3/23/2010 4:39 PM 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/23/2010 4:39 PM 125160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 68168]
S2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe [1/20/2006 7:15 PM 118784]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 11:44 PM 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2/15/2010 12:23 AM 93320]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/23/2010 4:39 PM 779496]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 12:28 PM 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2/15/2010 6:41 PM 61776]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/13/2009 2:02 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 04:44]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 04:44]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046537989-4078537269-3021646771-1006Core.job
- c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-16 04:44]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046537989-4078537269-3021646771-1006UA.job
- c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-16 04:44]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-15 18:22]

2010-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-15 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: southernco.com\clm
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
FF - ProfilePath - c:\documents and settings\Humphrey\Application Data\Mozilla\Firefox\Profiles\2g0vlp6l.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SecurityCenter - c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\securitycenter.exe
HKLM-Run-QuickTimeQuickTime - c:\program files\quicktime\qtsystem\quicktime.resources\da.lproj\quicktimequicktime.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 19:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-10 19:58:38
ComboFix-quarantined-files.txt 2010-05-11 00:58

Pre-Run: 50,869,600,256 bytes free
Post-Run: 51,078,074,368 bytes free

- - End Of File - - 6422A9BB752892504A16FA94FCE25989
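A small triage helper for ComboFix-style logs like the ones posted in this thread, added here as an example (it is not part of the thread, of BleepingComputer's instructions, or of ComboFix itself). It walks the Run keys, the Security Center / firewall values and the "Infected copy ... was found and disinfected" lines, flagging autostart entries that launch from a user-profile directory, which is how the orphaned `SecurityCenter` entry for Desktop Security 2010 stood out above. Every sample line is constructed in the log's format; the size field on the SecurityCenter entry is made up.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

It reports three things a helper scans a log for:
  * autostart (Run-key) entries whose executable lives in a user profile,
  * registry values that switch off Security Center monitoring or the firewall,
  * how often each file was reported as infected and disinfected.
"""
import re
from collections import Counter

# Constructed sample, modelled on the thread's ComboFix output. The
# SecurityCenter line mirrors the orphan ComboFix removed; its size is invented.
SAMPLE_LOG = r"""
Infected copy of c:\windows\System32\Drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty ate it :p

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityCenter"="c:\documents and settings\Humphrey\Application Data\Desktop Security 2010\securitycenter.exe" [2010-05-07 1234567]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-07 2017280]
"Google Update"="c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-16 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A bracketed key line that ends in \Run (HKCU or HKLM, ComboFix prints both).
RUN_KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKCU|HKLM)\\.*\\Run\]$", re.I)
# "Name"="path" [date size]  -> the value name and the launched path.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
# Directories a non-admin user can write to; legitimate updaters live here too.
USER_PROFILE_MARKERS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


def parse_run_entries(log):
    """Return (key, name, path) for every value listed under a ...\\Run key."""
    entries, current = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Entering a new key: remember it only if it is a Run key.
            current = line[1:-1] if RUN_KEY_RE.match(line) else None
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((current, m.group("name"), m.group("path")))
    return entries


def suspicious_run_entries(log):
    """Run entries that launch from a user-writable profile directory.

    This is a review list, not a verdict: Google Update installs there too,
    so a helper still checks each hit against what the user actually installed.
    """
    return [(name, path) for _, name, path in parse_run_entries(log)
            if any(marker in path.lower() for marker in USER_PROFILE_MARKERS)]


def disabled_protections(log):
    """Values that turn off Security Center monitoring or the Windows Firewall.

    Third-party suites often set these themselves (McAfee does here), so each
    finding is paired with its key so the reviewer can see which product owns it.
    """
    findings, current = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif re.match(r'^"DisableMonitoring"=dword:0*1$', line, re.I):
            findings.append((current, "DisableMonitoring=1"))
        elif re.match(r'^"EnableFirewall"=\s*0\b', line, re.I):
            findings.append((current, "EnableFirewall=0"))
    return findings


def disinfection_summary(log):
    """Count disinfection reports per file, folding the case variants ComboFix
    prints for the same driver (System32\\Drivers vs system32\\drivers)."""
    counts = Counter()
    for line in log.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            counts[m.group("path").lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_LOG):
        print("review autostart:", name, "->", path)
    for key, what in disabled_protections(SAMPLE_LOG):
        print("protection off:", what, "under", key)
    for path, n in disinfection_summary(SAMPLE_LOG).items():
        print("disinfected", n, "time(s):", path)
```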


#4 AUsome

AUsome
  • Topic Starter

  • Members
  • 15 posts

Posted 10 May 2010 - 09:37 PM

QUOTE(AUsome @ May 7 2010, 09:15 PM)
also, when i searched for how to remove Desktop Security 2010 in google, the links to the search results would redirect me to random sites. however, whatever caused that problem seems to be gone now.


forgot to mention...this problem is happening again. any google search results redirect me to random sites. i had this issue a few months ago and i had to basically reformat my computer to fix it. i actually used a tool on my dell that takes your computer back to the first day you got it. it wasn't too bad either, just had to reinstall a few programs.

#5 thewall

thewall

  • Malware Response Team
  • 6,425 posts

Posted 10 May 2010 - 09:49 PM

Actually overall it looks like you did pretty good at getting it to run. I will do a little more checking into the screen shot.

It's OK if you run RKill more than once, it doesn't hurt anything.

Let's try a script to see if we can get at the rootkit which GMER showed.


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
TDL::
C:\WINDOWS\System32\Drivers\Mpfp.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#6 AUsome

AUsome
  • Topic Starter

  • Members
  • 15 posts

Posted 10 May 2010 - 10:35 PM

had to go to safe mode again to run it. combofix made me reboot twice during the process.

as requested, here's the log...(what's with the kitty had a snack and ate it stuff?!?)




ComboFix 10-05-10.02 - Humphrey 05/10/2010 22:13:02.2.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.825 [GMT -5:00]
Running from: c:\documents and settings\Humphrey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Humphrey\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\System32\Drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\Drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\System32\Drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\Drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\System32\Drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\Drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\Mpfp.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-07 01:04 . 2010-05-07 01:04 -------- d-----w- c:\documents and settings\LocalService\Application Data\Gtek
2010-05-01 23:37 . 2010-05-01 23:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-04-30 03:14 . 2010-04-30 03:14 -------- d-----w- c:\program files\MSECache
2010-04-22 00:00 . 2010-04-22 00:00 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-04-15 03:09 . 2010-04-15 03:09 -------- d-----w- c:\documents and settings\Humphrey\Application Data\Trusteer
2010-04-15 03:09 . 2010-04-15 03:09 -------- d-----w- c:\program files\Trusteer
2010-04-15 03:08 . 2010-04-15 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 22:31 . 2010-02-15 04:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-07 01:20 . 2010-02-15 04:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 10:06 . 2010-02-15 06:30 60936 ----a-w- c:\documents and settings\Humphrey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 20:39 . 2010-02-15 04:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-02-15 04:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 00:40 . 2010-02-15 23:19 -------- d-----w- c:\documents and settings\Humphrey\Application Data\AdobeUM
2010-03-31 23:26 . 2010-03-31 23:26 503808 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b5afb4-n\msvcp71.dll
2010-03-31 23:26 . 2010-03-31 23:26 499712 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b5afb4-n\jmc.dll
2010-03-31 23:26 . 2010-03-31 23:26 348160 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43b5afb4-n\msvcr71.dll
2010-03-31 23:26 . 2010-03-31 23:26 61440 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-26021f3b-n\decora-sse.dll
2010-03-31 23:26 . 2010-03-31 23:26 12800 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-26021f3b-n\decora-d3d.dll
2010-03-31 23:26 . 2005-08-26 08:17 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 23:24 . 2005-08-26 08:17 -------- d-----w- c:\program files\Java
2010-03-31 23:10 . 2010-02-15 05:21 -------- d-----w- c:\program files\McAfee
2010-03-16 22:27 . 2010-02-24 01:11 -------- d-----w- c:\documents and settings\Humphrey\Application Data\ZoomBrowser EX
2010-03-16 22:18 . 2010-02-16 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-16 03:53 . 2010-03-16 03:53 -------- d-----w- c:\documents and settings\Humphrey\Application Data\Apple Computer
2010-03-16 03:38 . 2010-03-16 03:37 -------- d-----w- c:\program files\QuickTime
2010-03-16 03:37 . 2010-03-16 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-16 03:36 . 2010-03-16 03:36 -------- d-----w- c:\program files\Common Files\Apple
2010-03-16 03:35 . 2010-03-16 03:35 -------- d-----w- c:\program files\Apple Software Update
2010-03-16 03:35 . 2010-03-16 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 09:28 . 2010-02-25 12:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-09 09:16 . 2010-03-02 00:30 128520 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-25 12:14 . 2010-02-25 12:14 152576 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-25 12:13 . 2010-02-25 12:13 79488 ----a-w- c:\documents and settings\Humphrey\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-08-26 07:59 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2004-08-10 17:51 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 03:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 12:54 . 2004-08-10 18:03 77915 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-15 04:57 . 2010-02-15 04:57 52224 ----a-w- c:\documents and settings\Humphrey\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 04:57 . 2010-02-15 04:57 117760 ----a-w- c:\documents and settings\Humphrey\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 04:33 . 2004-08-10 17:50 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-10 17:51 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2004-08-04 10:00 . 2004-08-10 17:51 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-10 17:51 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2004-08-10 17:51 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2004-08-10 17:51 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-10 17:51 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-10 17:51 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-10 17:51 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-10 17:51 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\progra~1\DELLSU~1\DSAgnt.exe" [2005-05-15 332800]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-07 2017280]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-16 39408]
"Google Update"="c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-16 135664]
"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-26 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2004-09-15 24576]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]

c:\documents and settings\Humphrey\Start Menu\Programs\Startup\
Hewlett-Packard Recorder.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\FRU\Remind32.exe [2000-8-24 67584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminder 2008.lnk - c:\windows\Installer\{747A6A10-DA58-48C2-A1F0-C15514419C8A}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe [2010-2-28 1718]
HPAiODevice(hp psc 900 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-7-23 487484]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [3/23/2010 4:39 PM 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/23/2010 4:39 PM 125160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 68168]
S2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe [1/20/2006 7:15 PM 118784]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 11:44 PM 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2/15/2010 12:23 AM 93320]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/23/2010 4:39 PM 779496]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 12:28 PM 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2/15/2010 6:41 PM 61776]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/13/2009 2:02 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 04:44]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 04:44]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046537989-4078537269-3021646771-1006Core.job
- c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-16 04:44]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046537989-4078537269-3021646771-1006UA.job
- c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-16 04:44]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-15 18:22]

2010-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-15 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: southernco.com\clm
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
FF - ProfilePath - c:\documents and settings\Humphrey\Application Data\Mozilla\Firefox\Profiles\2g0vlp6l.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Humphrey\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 22:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1728)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2010-05-10 22:28:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 03:28
ComboFix2.txt 2010-05-11 00:58

Pre-Run: 51,029,176,320 bytes free
Post-Run: 51,006,074,880 bytes free

- - End Of File - - 957496158B8FCA361C2A608065E3CBCE


#7 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 10 May 2010 - 11:32 PM

Please run GMER for me once again and post the log.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#8 AUsome

  • Topic Starter
  • Members
  • 15 posts

Posted 11 May 2010 - 06:58 PM

I'm having some trouble running GMER.

With the computer in normal mode, I've attempted to run GMER with and without anti-virus and anti-spyware turned on, and it gives me this blue screen each time.

[screenshot of the blue screen not reproduced]

I can run GMER in safe mode, but I can't get to the Save... button because the windows are so big.
I tried to change the screen resolution, but it wouldn't let me set it above 640 x 480.
I also tried to tab over to the Save... button, but could only toggle back and forth between OK and Cancel.

Not sure what to do at this point.

#9 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 11 May 2010 - 07:40 PM

Try it once more with everything unchecked except Sections. See if it will run then.
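Reading a GMER "Sections" log of the kind requested above takes some grouping before it means anything: the same handful of exports (CreateFile, LoadLibrary, CreateProcess, the Reg* family, socket) patched with a 5-byte JMP in every process usually belongs to one product's hook engine, while a process carrying extra hooks, or a JMP target that GMER cannot attribute to any loaded module, is where to look first. The script below is an added example written for this page; it is not GMER's code or output, and the helper in this thread did not post it. The sample lines are constructed in the format of a GMER log, and the "hook profile", "unattributed target" and "64 KiB region" heuristics are this example's own triage rules, not something GMER reports.

```python
"""Triage helper for GMER "code sections" output (added example, not GMER code).

Groups inline JMP hooks by process, flags hooks GMER could not attribute to a
named module, and finds processes whose hook profile differs from the majority.
"""
import re
import sys
from collections import Counter, defaultdict

# One GMER section line. Only the "JMP <addr>" form is handled; a raw byte
# patch such as "2 Bytes [DD, 88]" is reported as unparsed rather than guessed
# at. The "process[pid]" part is absent on kernel-mode lines.
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+"
    r"(?:(?P<proc>.+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>[^!\s]+)!(?P<export>\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<attrib>\S.*))?$"
)

# Constructed sample in GMER's format (not copied from a real scan).
SAMPLE_LOG = r"""
.text  ntoskrnl.exe!ZwCreateProcess                                    805B14AC 5 Bytes  JMP EE9A5740 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text  C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateFileA  7C801A28 5 Bytes  JMP 0007000A
.text  C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateProcessW 7C802336 5 Bytes  JMP 00070109
.text  C:\WINDOWS\system32\services.exe[704] WS2_32.dll!socket          71AB4211 5 Bytes  JMP 00040000
.text  C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateFileA     7C801A28 5 Bytes  JMP 00F00FEF
.text  C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 00F000D3
.text  C:\WINDOWS\system32\lsass.exe[716] WS2_32.dll!socket             71AB4211 5 Bytes  JMP 00BE0000
.text  C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileA  7C801A28 5 Bytes  JMP 00BE0FE5
.text  C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes  JMP 00BE0F3C
.text  C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes  [DD, 88]
.text  C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenA 3D95D690 5 Bytes  JMP 00BA0FE5
.text  C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!socket          71AB4211 5 Bytes  JMP 00BB0000
.text  C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes  JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text  C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes  JMP 716E001E
"""


def parse_line(line):
    """Return a dict for one JMP hook line, or None if the line is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["proc"] = d["proc"] or "<kernel>"          # kernel lines carry no process
    d["pid"] = int(d["pid"]) if d["pid"] else 0
    d["nbytes"] = int(d["nbytes"])
    d["addr"] = int(d["addr"], 16)
    d["target"] = int(d["target"], 16)
    d["attrib"] = (d["attrib"] or "").strip()    # "" = GMER named no owning module
    return d


def parse_log(text):
    """Split a log into parsed hooks and the lines the parser did not recognise."""
    hooks, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        h = parse_line(line)
        (hooks if h else unparsed).append(h if h else line.strip())
    return hooks, unparsed


def by_process(hooks):
    """Group hooks by (process path, pid)."""
    groups = defaultdict(list)
    for h in hooks:
        groups[(h["proc"], h["pid"])].append(h)
    return dict(groups)


def hook_profiles(hooks):
    """Each process -> frozenset of (module, export) it has hooked."""
    return {key: frozenset((h["module"].lower(), h["export"]) for h in hs)
            for key, hs in by_process(hooks).items()}


def outliers(hooks):
    """Processes whose hook profile differs from the most common profile.

    A HIPS or anti-malware engine tends to hook the same exports in every
    process; a process with different or extra hooks deserves a closer look.
    Returns {process: sorted hooks not in the common profile}."""
    profiles = hook_profiles(hooks)
    if not profiles:
        return {}
    common = Counter(profiles.values()).most_common(1)[0][0]
    return {key: sorted(prof - common) for key, prof in profiles.items() if prof != common}


def unattributed(hooks):
    """Hooks whose JMP target GMER could not map to a named module."""
    return [h for h in hooks if not h["attrib"]]


def target_regions(hooks):
    """Per process, the 64 KiB regions the JMP targets land in. Targets
    clustered in a few low regions (e.g. 0x0007xxxx) point at trampolines in
    an anonymous allocation rather than in a loaded DLL."""
    regions = defaultdict(set)
    for h in hooks:
        regions[(h["proc"], h["pid"])].add(h["target"] >> 16)
    return {k: sorted(v) for k, v in regions.items()}


def main(path=None):
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    hooks, unparsed = parse_log(text)
    for key, hs in sorted(by_process(hooks).items(), key=lambda kv: kv[0]):
        regs = [hex(r << 16) for r in target_regions(hooks)[key]]
        print(f"{key[0]}[{key[1]}]: {len(hs)} hooks, targets in {regs}")
    print(f"{len(unattributed(hooks))} hooks with no owning module named by GMER")
    for key, extra in outliers(hooks).items():
        print(f"outlier {key[0]}[{key[1]}]: {extra}")
    print(f"{len(unparsed)} line(s) not parsed")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python gmer_hooks.py saved_gmer_log.txt` (file name assumed); without an argument it runs over the built-in sample. A profile shared by nearly every process is the hook engine's baseline; the interesting output is the outlier list and the unattributed targets, which is exactly what a helper compares against the known products on the machine before deciding anything is hostile.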

#10 AUsome

  • Topic Starter
  • Members
  • 15 posts

Posted 11 May 2010 - 08:28 PM

Here's the log with ONLY Sections checked...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 20:26:39
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Humphrey\LOCALS~1\Temp\axldifog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 144 804E27B0 8 Bytes JMP 58EEA305
.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP EE9A57BC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP EE9A576A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP EE9A57E8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP EE9A57D2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP EE9A5754 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP EE9A5740 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7992760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6E82F80]
init C:\WINDOWS\System32\Drivers\GTwinUSB.sys entry point in "init" section [0xF7821C90]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070096
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070085
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007005E
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007004D
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700D3
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700C2
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070109
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F66
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0007011A
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000700A7
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700E4
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006005B
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050033
.text C:\WINDOWS\system32\services.exe[704] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB2
.text C:\WINDOWS\system32\services.exe[704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050022
.text C:\WINDOWS\system32\services.exe[704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FD7
.text C:\WINDOWS\system32\services.exe[704] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F0008A
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00F8B
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F0006F
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00FB2
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F0004A
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F70
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F000B8
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000D3
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F44
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F000F8
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FC3
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0000A
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F0009B
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00F55
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0FB2
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0043
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0FC3
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0F7C
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EF001E
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0F97
.text C:\WINDOWS\system32\lsass.exe[716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE003A
.text C:\WINDOWS\system32\lsass.exe[716] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0FAF
.text C:\WINDOWS\system32\lsass.exe[716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0029
.text C:\WINDOWS\system32\lsass.exe[716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\lsass.exe[716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0FCA
.text C:\WINDOWS\system32\lsass.exe[716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\lsass.exe[716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0075
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0F8A
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0F9B
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0058
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F5B
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00A1
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0F1B
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD00BE
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD00CF
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0047
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0086
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0014
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F4A
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FC0F94
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FC0051
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FC0040
.text C:\WINDOWS\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FC0FC3
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FB0075
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FB0064
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FB0038
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FB0049
.text C:\WINDOWS\system32\svchost.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FB001D
.text C:\WINDOWS\system32\svchost.exe[896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF0056
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF0F61
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF0F7C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF002F
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF0F8D
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF0F1F
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF0071
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF009D
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF0F04
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DF0EE9
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DF001E
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DF0FDE
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DF0F46
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DF0FB2
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DF0FC3
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DF0082
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DE0036
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DE0F9B
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DE0025
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DE0FC0
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DE0062
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DE0051
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD0F9A
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD0025
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD0FB5
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD0FE3
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD000A
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD0FC6
.text C:\WINDOWS\system32\svchost.exe[960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC0000
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E90FEF
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02E90F4E
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02E90043
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E90F5F
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02E90F7C
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02E90FA1
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02E90085
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02E9005E
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02E90EFD
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02E90F18
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02E90EEC
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02E9001E
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02E90FDE
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02E90F33
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02E90FB2
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02E90FCD
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02E90096
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02CF0FC3
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02CF005B
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02CF0FD4
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02CF0FEF
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02CF0F9E
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02CF0000
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02CF0040
.text C:\WINDOWS\System32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02CF002F
.text C:\WINDOWS\System32\svchost.exe[1196] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02AA0FC1
.text C:\WINDOWS\System32\svchost.exe[1196] msvcrt.dll!system 77C293C7 5 Bytes JMP 02AA0042
.text C:\WINDOWS\System32\svchost.exe[1196] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02AA001D
.text C:\WINDOWS\System32\svchost.exe[1196] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02AA0FEF
.text C:\WINDOWS\System32\svchost.exe[1196] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02AA0FD2
.text C:\WINDOWS\System32\svchost.exe[1196] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02AA0000
.text C:\WINDOWS\System32\svchost.exe[1196] WS2_32.dll!socket 71AB4211 5 Bytes JMP 029F0000
.text C:\WINDOWS\System32\svchost.exe[1196] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02660000
.text C:\WINDOWS\System32\svchost.exe[1196] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02660011
.text C:\WINDOWS\System32\svchost.exe[1196] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02660FDB
.text C:\WINDOWS\System32\svchost.exe[1196] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02660022
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F5A
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0065004F
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650F75
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F86
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650FB2
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650F24
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F35
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00650EE7
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00650F02
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650ECC
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650F97
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00650060
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FC3
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F13
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640F9E
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640F68
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640FB9
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640FCA
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640F79
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630F90
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630011
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630FC6
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00630FA1
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00630FD7
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0093
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0082
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0065
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE004A
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FB2
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F68
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F79
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F3C
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00D5
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00E6
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0039
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE00A4
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F57
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F6B
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0F7C
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0F8D
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FA8
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0F9C
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0027
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FD2
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FB7
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0F6F
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F94
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0FA5
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0FC0
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0058
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B00A1
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0090
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F34
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00CD
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B00DE
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0FD1
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0011
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B007F
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B003D
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0022
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B00BC
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A002C
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0F9E
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A001B
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0FAF
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A0051
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0FCA
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790FA3
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!system 77C293C7 5 Bytes JMP 0079002E
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0079001D
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790FBE
.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0F41
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0040
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0F66
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0F83
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FAF
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0082
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0F30
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F0E
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00A7
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0EFD
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0F9E
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C005B
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C001B
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C0F1F
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0051
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B007D
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0040
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0025
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0FC0
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B006C
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0066
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0055
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A003A
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FE5
.text C:\WINDOWS\system32\svchost.exe[1628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A001D
.text C:\WINDOWS\system32\svchost.exe[1628] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01930FEF
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0193007F
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01930064
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01930047
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01930F8A
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01930FC0
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 019300B7
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 019300A6
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01930F1E
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01930F2F
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 019300D2
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01930F9B
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01930000
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01930F6F
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01930022
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01930011
.text C:\WINDOWS\Explorer.EXE[1656] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01930F4A
.text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0192001B
.text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01920051
.text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0192000A
.text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01920FD4
.text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01920F94
.text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01920FEF
.text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01920036
.text C:\WINDOWS\Explorer.EXE[1656] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01920FA5
.text C:\WINDOWS\Explorer.EXE[1656] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01910031
.text C:\WINDOWS\Explorer.EXE[1656] msvcrt.dll!system 77C293C7 5 Bytes JMP 01910FA6
.text C:\WINDOWS\Explorer.EXE[1656] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01910FD2
.text C:\WINDOWS\Explorer.EXE[1656] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01910FEF
.text C:\WINDOWS\Explorer.EXE[1656] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01910FC1
.text C:\WINDOWS\Explorer.EXE[1656] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01910000
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0174000A
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01740FEF
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01740FCA
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0174001B
.text C:\WINDOWS\Explorer.EXE[1656] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01750FE5
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1700] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00439530 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1700] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1700] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1700] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3096] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F54
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00F79
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F8A
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00F9B
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C0002C
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C0008B
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F39
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C000AD
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F14
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00EF9
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C0003D
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00FCA
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00064
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[3256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C0009C
.text C:\WINDOWS\system32\svchost.exe[3256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[3256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF005B
.text C:\WINDOWS\system32\svchost.exe[3256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0014
.text C:\WINDOWS\system32\svchost.exe[3256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[3256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[3256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[3256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\svchost.exe[3256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\svchost.exe[3256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0045
.text C:\WINDOWS\system32\svchost.exe[3256] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FB0
.text C:\WINDOWS\system32\svchost.exe[3256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FC1
.text C:\WINDOWS\system32\svchost.exe[3256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[3256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0020
.text C:\WINDOWS\system32\svchost.exe[3256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F63
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0058
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F74
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A003D
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F28
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A007A
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EFC
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F0D
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00B0
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A002C
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0069
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A001B
.text C:\WINDOWS\system32\dllhost.exe[4156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A008B
.text C:\WINDOWS\system32\dllhost.exe[4156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0029003B
.text C:\WINDOWS\system32\dllhost.exe[4156] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290020
.text C:\WINDOWS\system32\dllhost.exe[4156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FC1
.text C:\WINDOWS\system32\dllhost.exe[4156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\dllhost.exe[4156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FB0
.text C:\WINDOWS\system32\dllhost.exe[4156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FDE
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F72
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0F83
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FAF
.text C:\WINDOWS\system32\dllhost.exe[4156] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F61
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F72
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0040
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F83
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F1A
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F2B
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EEE
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A007D
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0ED3
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\dllhost.exe[5784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0EFF
.text C:\WINDOWS\system32\dllhost.exe[5784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F92
.text C:\WINDOWS\system32\dllhost.exe[5784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FA3
.text C:\WINDOWS\system32\dllhost.exe[5784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029001D
.text C:\WINDOWS\system32\dllhost.exe[5784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\dllhost.exe[5784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FC8
.text C:\WINDOWS\system32\dllhost.exe[5784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FE3
.text C:\WINDOWS\system32\dllhost.exe[5784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\dllhost.exe[5784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A007D
.text C:\WINDOWS\system32\dllhost.exe[5784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\system32\dllhost.exe[5784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\dllhost.exe[5784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0062
.text C:\WINDOWS\system32\dllhost.exe[5784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[5784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0047
.text C:\WINDOWS\system32\dllhost.exe[5784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\dllhost.exe[5784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000

---- EOF - GMER 1.0.15 ----
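How a helper reads hook lines like the ones in this log, as an added example (not code from the thread or from GMER; the line format is assumed from the log itself): it parses the .text entries and, per process, separates hooks whose JMP target GMER attributed to a loaded module (the Rapport and McAfee lines) from hooks it could not attribute, which is what sets the svchost, Explorer and dllhost entries above apart.

```python
"""Triage of GMER user-mode hook entries (the ".text" lines above).
Added example, not part of this thread and not GMER's own code. Assumed
format: ".text <process>[pid] <module>!<export> <addr> <n> Bytes JMP <target>
[<owner path> (<description>)]"; GMER appends the owner only when it can map
the JMP target to a loaded module."""

import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^\s!]+)!(?P<func>\S+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<desc>[^)]*)\))?"
    r"|\[(?P<bytes>[^\]]+)\])\s*$"
)

PROCESS_APIS = {"CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"}
FILE_PREFIXES = ("CreateFile", "CreatePipe", "CreateNamedPipe", "_open", "_creat",
                 "_wopen", "_wcreat")

def family(module, export):
    """Coarse API family of a hooked export (what the hook can hide or intercept)."""
    if module.upper() in ("WS2_32.DLL", "WININET.DLL"):
        return "network"
    if export.startswith("Reg"):
        return "registry"
    if export in PROCESS_APIS:
        return "process"
    if export.startswith(("LoadLibrary", "GetProcAddress")):
        return "loader"
    return "file" if export.startswith(FILE_PREFIXES) else "other"

def parse_hooks(text):
    """One dict per hook line; non-hook lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "process": d["proc"], "pid": int(d["pid"]), "module": d["mod"],
            "export": d["func"] + (f"+{d['off']}" if d["off"] else ""),
            "address": int(d["addr"], 16), "size": int(d["size"]),
            "target": int(d["target"], 16) if d["target"] else None,
            "owner": d["owner"], "description": d["desc"],
            "patched_bytes": d["bytes"],  # set on split hooks: "+ 3 ... [4A, 88]"
        })
    return hooks

def triage(hooks):
    """Per (process, pid): hooks GMER attributed to a module versus hooks it
    could not, plus the API families touched. Unattributed hooks are a lead, not
    a verdict: security products (Rapport, McAfee) hook APIs too, so compare
    each process against the software known to be installed."""
    report = defaultdict(lambda: {"attributed": 0, "unattributed": 0, "families": set()})
    for h in hooks:
        entry = report[(h["process"], h["pid"])]
        entry["attributed" if h["owner"] else "unattributed"] += 1
        entry["families"].add(family(h["module"], h["export"].split("+")[0]))
    return dict(report)

# Constructed sample input: seven lines copied from the GMER log above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F34
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A002C
.text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1700] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00439530 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\dllhost.exe[4156] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
"""

if __name__ == "__main__":
    for (proc, pid), e in triage(parse_hooks(SAMPLE_LOG)).items():
        print(f"{'CHECK' if e['unattributed'] else 'ok'} {proc}[{pid}] "
              f"attributed={e['attributed']} unattributed={e['unattributed']} "
              f"families={sorted(e['families'])}")
```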


#11 AUsome

AUsome
  • Topic Starter

  • Members
  • 15 posts
  • Local time:12:06 PM

Posted 11 May 2010 - 08:52 PM

fyi...about 15-20 minutes after i posted that gmer log, i got another blue screen. this one just a little different from the last one...



#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:01:06 PM

Posted 11 May 2010 - 08:54 PM

That looks better, how is the computer running now?
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 AUsome

AUsome
  • Topic Starter

  • Members
  • 15 posts
  • Local time:12:06 PM

Posted 11 May 2010 - 09:04 PM

it's been running fine.
chrome is working fine now, too.
links in google search results are taking me to the correct sites, no redirecting.

my only concern is the last blue screen i got. looks like we posted at about the same time a few minutes ago, so i'll give you a chance to respond to that last post about the blue screen.

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:01:06 PM

Posted 11 May 2010 - 09:10 PM

Not sure that has anything to do with Malware but we'll see what we can find out. It might be after I get you cleaned up you may have to get the good folks over on the XP forum to help out with that. They are much more up to date on some of those kinds of things. I'll still see what I can find out. Let's go ahead and run the following scan to see if anything else is hiding from us.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the ... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


#15 AUsome

AUsome
  • Topic Starter

  • Members
  • 15 posts
  • Local time:12:06 PM

Posted 12 May 2010 - 06:20 AM

here is the KAVScan report...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, May 12, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, May 12, 2010 00:05:07
Records in database: 4097379
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 111991
Threats found: 2
Infected objects found: 9
Suspicious objects found: 0
Scan duration: 03:24:46


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Humphrey\Application Data\Desktop Security 2010\securitycenter.exe.vir Infected: Packed.Win32.Katusha.l 1
C:\Qoobox\Quarantine\C\Documents and Settings\Humphrey\Application Data\Desktop Security 2010\taskmgr.dll.vir Infected: Packed.Win32.Katusha.l 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\Mpfp.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP116\A0016745.exe Infected: Packed.Win32.Katusha.l 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP116\A0016747.dll Infected: Packed.Win32.Katusha.l 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP116\A0017930.sys Infected: Rootkit.Win32.TDSS.ap 1
F:\WD_SmartWare\65F30F3033C247BD834DC25F107DE219\C_\Qoobox\Quarantine\C\Documents and Settings\Humphrey\Application Data\Desktop Security 2010\securitycenter.exe.vir Infected: Packed.Win32.Katusha.l 1
F:\WD_SmartWare\65F30F3033C247BD834DC25F107DE219\C_\Qoobox\Quarantine\C\Documents and Settings\Humphrey\Application Data\Desktop Security 2010\taskmgr.dll.vir Infected: Packed.Win32.Katusha.l 1
F:\WD_SmartWare\65F30F3033C247BD834DC25F107DE219\C_\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\Mpfp.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.

Edited by AUsome, 12 May 2010 - 06:22 AM.
