
Win32:Alureon-FZ


14 replies to this topic

#1 thespitsmaster

thespitsmaster

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 02 June 2010 - 10:52 AM

Good day to all.

The other day I was infected by Rootkit.TDSS.Gen, which I believe I successfully cleaned using TDSSKiller that I found in one of your posts here. Yesterday I scanned the work computer using Malwarebytes when all of a sudden Avast! gave me this:



As you can see, the Object is C:\windows\system\drivers\pci.sys and the Process is C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe. I believe this is the same object that TDSSKiller was able to clean out.

This is the log with Malwarebytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4161

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/1/2010 4:46:59 PM
mbam-log-2010-06-01 (16-46-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 177594
Time elapsed: 22 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I ran TDSSKiller again and it came up with nothing. I unplugged the computer from the network and the internet.

I ran DDS and here is the log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 17:21:18.35 on Tue 06/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2252 [GMT -5:00]

AV: Total Protection *On-access scanning enabled* (Outdated) {8C354827-2F54-4E28-90DC-AD391E77808C}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Total Protection *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\ENGINE~1.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\PROGRA~1\McAfee\MANAGE~1\Agent\myAgtTry.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\explorer.exe
V:\VtWin\VisiTrack.exe
C:\Program Files\VisionShare\SESD Interactive\interactive.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows NT\HYPERTRM.EXE
C:\Documents and Settings\Mike\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://32.71.31.38:82/cgi/mainhtml.exe
uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6173\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6173\SiteAdv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NetSP - restore settings on power failure] "c:\program files\at&t global network client\NetSP.exe" -show
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [MVS Splash] c:\program files\mcafee\managed virusscan\agent\Splash.exe
mRun: [McAfee Managed Services Tray] c:\program files\mcafee\managed virusscan\agent\StartMyAgtTry.Exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6173\SiteAdv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\myRmProt4.9.2.358.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6173\SiteAdv.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\cna6ezdj.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - component: c:\program files\siteadvisor\6173\ff\components\FFHook.dll
FF - plugin: c:\documents and settings\mike\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-19 164048]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-30 214024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-19 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-19 40384]
R2 EngineServer;EngineServer;c:\progra~1\mcafee\manage~1\vscan\ENGINE~1.EXE [2010-3-30 14144]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2010-3-30 540776]
R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2010-3-30 144704]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2010-3-30 221024]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-3-30 635416]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-3-30 2066968]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-19 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-19 40384]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-3-30 149600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2010-3-30 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2010-3-30 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-3-30 34248]

=============== Created Last 30 ================

2010-06-01 19:13:00 0 d-----w- c:\program files\VideoLAN
2010-05-14 14:05:43 3158 ----a-w- C:\MFW2.xml
2010-05-10 18:44:08 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-10 18:44:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-10 15:21:22 3253 ----a-w- c:\windows\system32\wbem\Outlook_01caf0547269d31c.mof
2010-05-06 18:11:52 2997 ----a-w- C:\MFW1.xml
2010-05-03 22:34:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-03 14:01:50 0 d-----w- c:\program files\iPod
2010-05-03 14:01:48 0 d-----w- c:\program files\iTunes
2010-05-03 13:59:22 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 16:20:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-21 17:42:29 56136 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-19 23:05:50 4874240 ------w- c:\windows\system32\dllcache\wmp.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

============= FINISH: 17:21:46.96 ===============


And here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-02 10:30:26
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\pwloraod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA867DC7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA867DB36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA867E0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA867E014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA867D70C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA867DC10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA867D64C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA867D6B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA867DD30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA867E1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA867DCF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA867DE70]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA87554ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8755498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA87554B1]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA868A8EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA868AA24]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA875552D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8755501]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA87554D9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA87554C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA875555C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8755543]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8755517]
Code \??\C:\DOCUME~1\Mike\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CCC 80504568 4 Bytes JMP 54A867E0
.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP A875551B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A87554F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 2 Bytes JMP A868AA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwLoadDriver + 3 8058413D 4 Bytes JMP 4C8051AA
PAGE ntkrnlpa.exe!NtCreateSection 805AB38E 7 Bytes JMP A868A8EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP A8755531 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP A8755547 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP A8755505 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP A8686536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP A8687EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP A87554C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP A87554B5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP A875549C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP A87554DD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP A8755560 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\DOCUME~1\Mike\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Mike\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80098
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80F99
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E8007D
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80062
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80FD1
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F46
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F61
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80F13
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80F24
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E80EEE
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80FC0
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80011
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E80F88
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E8003D
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80022
.text C:\WINDOWS\system32\services.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E80F35
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0007004E
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0007003D
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FBC
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FCD
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060029
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060018
.text C:\WINDOWS\system32\services.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30F79
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30F8A
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E30058
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30F9B
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30033
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E30F52
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E3009A
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E30F26
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E300BF
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E300D0
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E30FB6
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E30011
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E30089
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E30022
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E30FD1
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E30F37
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20058
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E20FD4
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E2000A
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20047
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E20FA5
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [02, 89]
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E2002C
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60F9C
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FB7
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FD9
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60FC8
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60011
.text C:\WINDOWS\system32\lsass.exe[932] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0093
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0078
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0067
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F79
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00B5
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F68
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00F7
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0112
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B00A4
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[1000] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00DC
.text C:\WINDOWS\system32\wuauclt.exe[1000] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0038
.text C:\WINDOWS\system32\wuauclt.exe[1000] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A001D
.text C:\WINDOWS\system32\wuauclt.exe[1000] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A000C
.text C:\WINDOWS\system32\wuauclt.exe[1000] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\system32\wuauclt.exe[1000] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FAD
.text C:\WINDOWS\system32\wuauclt.exe[1000] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\system32\wuauclt.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B005F
.text C:\WINDOWS\system32\wuauclt.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B004E
.text C:\WINDOWS\system32\wuauclt.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B003D
.text C:\WINDOWS\system32\wuauclt.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B002C
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B2000A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B2008C
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B2007B
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B20F97
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B20054
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B20FC3
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B20F75
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B20F86
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B200FA
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B200DF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B20F3C
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B20FB2
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B200B1
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B2002F
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B20FDE
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B200CE
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B10025
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B1005B
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B10FD4
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B1004A
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B10FA8
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D1, 88]
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B10FB9
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B00FC1
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B00FD2
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B00027
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B0000C
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B00038
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00FAF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D000A4
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00093
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D00076
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00036
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00F5C
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D00F6D
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D00F41
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D000DA
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D000F5
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D0005B
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D00025
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D00F8A
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D000BF
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0FAF
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0F5E
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0F6F
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CF0011
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0F94
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0FAB
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0FC6
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FE3
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0000
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03140000
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0314005E
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03140F69
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03140F86
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03140F97
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03140039
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03140079
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03140F3D
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0314009E
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03140F05
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03140EF4
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03140FB2
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03140FEF
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03140F58
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03140FC3
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03140FD4
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03140F20
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03130FD4
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03130076
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03130025
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03130FEF
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0313005B
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03130000
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03130FC3
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [33, 8B]
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03130040
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03120FD4
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!system 77C293C7 5 Bytes JMP 03120055
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03120029
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03120FEF
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03120044
.text C:\WINDOWS\System32\svchost.exe[1264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0312000C
.text C:\WINDOWS\System32\svchost.exe[1264] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03110FEF
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02C00FEF
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02C00000
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02C0001B
.text C:\WINDOWS\System32\svchost.exe[1264] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02C00FCA
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B0F83
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F94
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0FA5
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0FC0
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0051
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B00D5
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B00BA
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B011C
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B0101
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B0137
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0062
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0093
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B0040
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B00E6
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0033
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0073
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0022
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A0011
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0FB6
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A004E
.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0FC7
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790047
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!system 77C293C7 5 Bytes JMP 00790036
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790FC6
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0079001B
.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1352] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A800B3
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80098
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80087
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80076
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80F77
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80F88
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80106
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A800EB
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80F48
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A8005B
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80011
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80F99
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A8002C
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80FDB
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A800DA
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A70040
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A7009B
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A70FD4
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A70076
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A70051
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60F8B
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60F9C
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60FC8
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FE3
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60FB7
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A6000C
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0093
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F94
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0062
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FA5
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0051
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F66
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F77
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F29
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F44
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F0E
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE00AE
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F55
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FC0
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930062
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930047
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FA5
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FAD
.text C:\WINDOWS\system32\svchost.exe[1936] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FC8
.text C:\WINDOWS\system32\svchost.exe[1936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[1936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920038
.text C:\WINDOWS\system32\svchost.exe[1936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092001D
.text C:\WINDOWS\system32\svchost.exe[1936] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1936] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1936] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[1936] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[1936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0093
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0082
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A005B
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F5C
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00AE
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00D3
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F30
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F1F
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F83
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0011
.text C:\WINDOWS\explorer.exe[2600] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F4B
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0029002F
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FA1
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FDE
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290014
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FB2
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FC3
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\explorer.exe[2600] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290040
.text C:\WINDOWS\explorer.exe[2600] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0053
.text C:\WINDOWS\explorer.exe[2600] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0038
.text C:\WINDOWS\explorer.exe[2600] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\explorer.exe[2600] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\explorer.exe[2600] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FC8
.text C:\WINDOWS\explorer.exe[2600] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A001D
.text C:\WINDOWS\explorer.exe[2600] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[2600] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\explorer.exe[2600] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C001B
.text C:\WINDOWS\explorer.exe[2600] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0036
.text C:\WINDOWS\explorer.exe[2600] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01BA0FEF

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----



I left for the day yesterday while the PC was still scanning with GMER. When I came in this AM, the PC had frozen up and I had to manually reboot it by doing a long press on the power button. It rebooted but went into the F8 options. I tried to start it normally but it kept going back to the option screen. I tried going into safe mode but that failed too. I chose the last known good config and it went through, but the screen resolution was back to 800x600.

As I said above, the computer is hooked up to a network server. I want to know if there's a possibility that the server might get infected too.

Any help will be most appreciated.

Thank you.


UPDATE: Computer is freezing up every now and then.



There are two of them in the Virus Chest.



Edited by thespitsmaster, 02 June 2010 - 02:38 PM.
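The first post's GMER log above lists one ".text" line per hooked export in each process, and its Devices section shows avast! and McAfee filter drivers attached to the file system and TCP/IP stacks. Before treating every hook as the rootkit's work, an analyst wants the hooks grouped so they can be compared against those installed security products. The following Python helper is an added example, not GMER's code and not something anyone in this thread posted: it parses the hook lines, counts hooked exports per process and DLL, records which 64 KiB region each DLL's JMPs land in, and separates the 2-byte short-JMP hooks that GMER reports with a separate "+ 3" tail line from the ordinary 5-byte ones. The SAMPLE_LOG lines are copied from the log above; the regular expressions and function names are my own.

```python
"""Triage helper for the '.text' inline-hook lines in a GMER 1.0.15 log.

Added example (not GMER's own code and not from this thread). The sample
lines below are copied from the log posted above; everything else is mine.
"""
import re
from collections import defaultdict

# One hook record, as GMER prints it:
#   .text <image>[<pid>] <module>!<export>[ + <offset>] <address> <n> Bytes <detail>
# <detail> is either "JMP <target>" or the raw patched bytes, e.g. "[D1, 88]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<detail>.+?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})")

# Constructed sample: a few lines taken verbatim from the GMER log in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B2000A
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B2008C
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B10025
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B10FA8
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D1, 88]
.text C:\WINDOWS\system32\svchost.exe[1100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B00FC1
.text C:\WINDOWS\system32\svchost.exe[1100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\explorer.exe[2600] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[2600] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01BA0FEF

---- Devices - GMER 1.0.15 ----
"""


def parse_hook_line(line):
    """Return a dict for one '.text' hook line, or None if the line is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["offset"] = int(rec["offset"]) if rec["offset"] else 0
    rec["addr"] = int(rec["addr"], 16)
    rec["nbytes"] = int(rec["nbytes"])
    jmp = JMP_RE.match(rec["detail"])
    rec["target"] = int(jmp.group("target"), 16) if jmp else None
    return rec


def parse_hooks(text):
    """All hook records in a log; non-hook lines are skipped."""
    return [r for r in (parse_hook_line(l) for l in text.splitlines()) if r]


def hooks_by_process(hooks):
    """Map (image, pid) -> {module: number of hooked exports}."""
    out = defaultdict(lambda: defaultdict(int))
    for h in hooks:
        if h["offset"] == 0:  # count each export once, not its '+ 3' tail line
            out[(h["image"], h["pid"])][h["module"]] += 1
    return {k: dict(v) for k, v in out.items()}


def trampoline_pages(hooks):
    """Map (image, pid, module) -> set of 64 KiB regions the JMPs land in.

    A single hooking engine normally routes every export of one DLL through
    one small private region; many unrelated regions deserve a closer look.
    """
    out = defaultdict(set)
    for h in hooks:
        if h["target"] is not None:
            out[(h["image"], h["pid"], h["module"])].add(h["target"] >> 16)
    return dict(out)


def partial_hooks(hooks):
    """Hooks GMER reports as fewer than 5 bytes: a short JMP whose remaining
    patched bytes GMER lists on a separate '+ 3' line."""
    return [h for h in hooks if h["target"] is not None and h["nbytes"] < 5]


def triage(text):
    """Run all three views over one log and return them together."""
    hooks = parse_hooks(text)
    return {
        "per_process": hooks_by_process(hooks),
        "pages": trampoline_pages(hooks),
        "partial": partial_hooks(hooks),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (image, pid), mods in report["per_process"].items():
        print(f"{image}[{pid}]: " + ", ".join(f"{m}={n}" for m, n in mods.items()))
    for key, pages in report["pages"].items():
        print(key, sorted(f"{p:04X}xxxx" for p in pages))
    for h in report["partial"]:
        print("short JMP:", h["module"], h["export"], f"{h['addr']:08X}")
```

Run it as a script to print the summary, or call triage() on the text of a full log. In the sample, every hooked export in svchost.exe[1100] jumps into one of three adjacent regions (00B0xxxx to 00B2xxxx, one per DLL), which is the kind of uniform layout a single hooking engine produces; an export whose JMP went somewhere unrelated would stand out in the same view.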




#2 thespitsmaster


Posted 02 June 2010 - 02:25 PM



I found two more. Please, someone help me.



5 more. How do I get rid of these?

Edited by thespitsmaster, 02 June 2010 - 03:07 PM.


#3 extremeboy (Malware Response Team)

Posted 02 June 2010 - 03:16 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

Seems you're infected with one of those rootkits that patch a random driver.

Let's start off with ComboFix and continue from there to see if it can remove it; if not, we'll do something else next post.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 thespitsmaster


Posted 02 June 2010 - 03:45 PM

EB,

Thank you so much for answering me.

Attached is the text from ComboFix.




#5 thespitsmaster


Posted 02 June 2010 - 03:48 PM

I dunno if this is relevant, but before the scan my wallpaper was plain blue (I didn't change that) and after the scan my original wallpaper came back. And I've noticed that if I move the browser, there will be a shadow following it, like after the Windows card game.

Btw, my McAfee was not activated yet so I couldn't disable it, but with the Firewall I was able to shut it down. I had to activate it first so I could disable it, but it suddenly disappeared on me. I could still see it in ADD/REMOVE PROGRAMS in the Control Panel, but under the Start Menu and System Tray I couldn't find it anymore. I just thought you might need to know this too.

Again, thank you so much EB and i really appreciate the help.

Edited by thespitsmaster, 02 June 2010 - 05:30 PM.


#6 extremeboy (Malware Response Team)

Posted 02 June 2010 - 07:39 PM

Hello again,

Thanks for the additional information.

Do you still get the warning however from your AV?

Can you update your Malwarebytes and run it once more?

Then, let me know the current condition of your machine and we'll proceed further next post.

#7 thespitsmaster


Posted 03 June 2010 - 11:04 AM

EB,

I updated Malwarebytes and it didn't find anything.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4167

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/3/2010 9:52:01 AM
mbam-log-2010-06-03 (09-52-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 177275
Time elapsed: 14 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I ran an Avast! full system scan (scans all HDs, rootkits (quick scan), auto-start programs and modules loaded in memory) and it was clean. But when I ran a custom scan (all HDs, rootkits (full scan), system drive, operating memory of the computer and auto-start programs (all users)), this came out:



I was shocked. Any ideas?

As for the current condition, everything seems to be A-Okay. I sure hope it is.

Again, thank you very much.

Edited by thespitsmaster, 03 June 2010 - 11:05 AM.


#8 extremeboy

extremeboy


Posted 03 June 2010 - 04:25 PM

Hello.

I wouldn't worry about that; it seems to be detecting parts of MBAM.

Let's get an online scan done.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.


#9 thespitsmaster

thespitsmaster

Posted 04 June 2010 - 10:24 AM

Hey there,

I did the Kaspersky Online Scan and here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, June 4, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, June 04, 2010 07:29:18
Records in database: 4199053
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 57185
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 00:57:40


File name / Threat / Threats count
C:\Documents and Settings\Mike\Desktop\support.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\Mike\My Documents\Downloads\support(2).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\VtSupport\Vt Support.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

Selected area has been scanned.


The objects that it found are the programs used by software vendors to do remote logins. Does this mean everything is A-OK?

Thank you.

#10 extremeboy

extremeboy


Posted 05 June 2010 - 08:53 PM

Yes, those are fine; you can delete them if you don't use them any longer, which is why Kaspersky detected them as "not-a-virus" as well.

Let's take another look at your system.

Take a new DDS run and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
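An added example for this thread (not code from the posts above or from Kaspersky): a small parser for the Online Scanner 7.0 report layout quoted above that separates "not-a-virus:" riskware, such as the WinVNC-based remote-admin tools confirmed as legitimate here, from real malware detections, and checks the header counts against the per-file lines. The report text it parses is constructed in the same layout, with one extra trojan entry added so both triage branches are exercised.

```python
"""Triage a Kaspersky Online Scanner 7.0 text report.

Added example for this thread; not part of the original posts or of any
Kaspersky tooling. The report below is constructed in the layout quoted in
the thread (paths and the trojan entry are sample values).
"""
import re
from dataclasses import dataclass, field

RISKWARE_PREFIX = "not-a-virus:"

# Constructed sample: two WinVNC-based remote-admin tools (riskware) plus one
# constructed trojan entry so both branches of the triage are exercised.
SAMPLE_REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, June 4, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
--------------------------------------------------------------------------------

Scan statistics:
Objects scanned: 57185
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 00:57:40

File name / Threat / Threats count
C:\Documents and Settings\Mike\Desktop\support.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\VtSupport\Vt Support.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Temp\constructed-sample.exe Infected: Trojan.Win32.Constructed.a 1

Selected area has been scanned.
"""

# "<path> Infected: <threat name> <count>"; paths may contain spaces, so the
# path group is non-greedy and the verdict keyword anchors the split.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
# Numeric header statistics such as "Objects scanned: 57185".
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>\d+)$")


@dataclass
class Detection:
    path: str
    verdict: str
    threat: str
    count: int

    @property
    def is_riskware(self) -> bool:
        """Kaspersky marks legitimate-but-abusable tools with a not-a-virus: prefix."""
        return self.threat.startswith(RISKWARE_PREFIX)

    @property
    def family(self) -> str:
        """Behaviour class (e.g. RemoteAdmin, Trojan): the first dotted component."""
        name = self.threat[len(RISKWARE_PREFIX):] if self.is_riskware else self.threat
        return name.split(".", 1)[0]


@dataclass
class Report:
    stats: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Pull the numeric statistics and the per-file detection lines out of the report."""
    report = Report()
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            report.detections.append(
                Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
            continue
        m = STAT_RE.match(line)
        if m:
            report.stats[m["key"]] = int(m["value"])
    return report


def stats_consistent(report: Report) -> bool:
    """Header counts should agree with the detail lines: one 'threat' per distinct
    name, one 'infected object' per listed file."""
    distinct = {d.threat for d in report.detections}
    return (report.stats.get("Threats found") == len(distinct)
            and report.stats.get("Infected objects found") == len(report.detections))


def triage(report: Report) -> dict:
    """Split detections into riskware (ask: is this tool expected on the box?) and malware."""
    result = {"riskware": [], "malware": []}
    for d in report.detections:
        result["riskware" if d.is_riskware else "malware"].append(d.path)
    return result


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("header counts match detail lines:", stats_consistent(rep))
    for bucket, paths in triage(rep).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Riskware hits still deserve a look: a remote-admin tool is only benign when the machine's owner knows who installed it and why, which is exactly the question answered in the thread.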

#11 thespitsmaster

thespitsmaster

Posted 07 June 2010 - 10:38 AM

EB,

They still use it every now and then. I'm going to do another run of DDS and will post in a bit. As far as problems, I don't have any.

Thank you.

#12 thespitsmaster

thespitsmaster

Posted 08 June 2010 - 08:38 AM

EB,

I do apologize for not being able to post this yesterday.

Here is the DDS Log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 8:34:42.85 on Tue 06/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2826 [GMT -5:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Mike\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://32.71.31.38:82/cgi/mainhtml.exe
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\managed virusscan\vscan\ScriptSn.20100604101553.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
uRun: [NetSP - restore settings on power failure] "c:\program files\at&t global network client\NetSP.exe" -show
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe" /LOGON
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.768.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\cna6ezdj.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - component: c:\program files\mcafee\siteadvisor enterprise\components\McFFPlg.dll
FF - plugin: c:\documents and settings\mike\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-19 164048]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-30 214664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-19 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-19 40384]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2010-3-30 14144]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-12-16 222528]
R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2010-3-30 144704]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2010-3-30 282824]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-3-30 635416]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-3-30 2066968]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-19 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-19 40384]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-3-30 149600]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2010-3-30 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2010-3-30 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-3-30 34248]

=============== Created Last 30 ================

2010-06-04 21:29:50 226728 ----a-r- c:\windows\system32\cpnprt2.cid
2010-06-04 21:29:46 0 d-----w- c:\windows\Cache
2010-06-04 21:29:43 0 d-----w- c:\program files\Coupons
2010-06-04 13:54:27 0 d-----w- c:\docume~1\mike\applic~1\McAfee
2010-06-02 14:53:15 0 d-sha-r- C:\cmdcons
2010-06-02 14:52:02 77312 ----a-w- c:\windows\MBR.exe
2010-06-02 14:52:00 98816 ----a-w- c:\windows\sed.exe
2010-06-02 14:52:00 256512 ----a-w- c:\windows\PEV.exe
2010-06-02 14:52:00 161792 ----a-w- c:\windows\SWREG.exe
2010-06-01 19:13:00 0 d-----w- c:\program files\VideoLAN
2010-05-14 14:05:43 3158 ----a-w- C:\MFW2.xml
2010-05-10 18:44:08 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-10 18:44:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-10 15:21:22 3253 ----a-w- c:\windows\system32\wbem\Outlook_01caf0547269d31c.mof

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 16:20:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-21 17:42:29 56136 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-19 23:05:50 4874240 ------w- c:\windows\system32\dllcache\wmp.dll

============= FINISH: 8:35:20.90 ===============



Edited by thespitsmaster, 08 June 2010 - 08:39 AM.


#13 extremeboy

extremeboy


Posted 09 June 2010 - 06:10 PM

No problem, I was quite busy yesterday myself.

That's good. Just update your Java and then we can wrap up and give you some prevention tips.

Update Java to Version 6 Update 20

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.




Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips over here. Is your system a bit slow? If so, try some of the points and things suggested here.

If you would like, visit my blog at http://computermalwaresecurity.blogspot.com/ and Subscribe/Follow along.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,
Extremeboy

#14 thespitsmaster

thespitsmaster

Posted 11 June 2010 - 02:24 PM

EB,

Thank you very, very much for your help and support, sir. I really do appreciate it. I've bookmarked the tips you gave and your blog site.


Everything is working fine now. Thank you and God Bless.



#15 extremeboy

extremeboy


Posted 14 June 2010 - 07:31 PM

You're very welcome.

Glad I was able to help you out.

--
Since the problem appears to be resolved, this topic is now Closed. Glad we could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy