Multiple Infections on WinXP


  • This topic is locked
80 replies to this topic

#1 WoundedFox

  • Members
  • 54 posts

Posted 08 October 2010 - 11:11 PM

I have (or at least had) reported multiple Trojan infections and at least one virus and at least one rootkit. (I didn't catch or write down what all of them were.) The most recent to be removed were:
trojan.hiloti
trojan.dropper
rootkit.agent
rootkit.tdss
trojan.hiloti
spyware.agent

Anyway, here's what has happened so far:

This all started with the computer prompting my wife with a warning that there was an infection, and she clicked on the window at least once, and it was actually a Trojan. The computer became totally disabled very quickly. We ended up using a pre-installed restore feature that backed up the contents of the drive (onto the drive itself) and then reimaged Windows from a saved version, just to get something that I could work from.

With that, I seemed to be able to get things under control between using rkill, McAfee Total Protection (which caught a few things) and multiple runs of Malwarebytes' Anti-Malware which seemed to catch a lot more. Running the scans over and over caught progressively fewer things until it seemed to be almost OK. I say almost because:

The first symptom that things were not all well was that while I could get to most websites, windowsupdate.microsoft.com would not load in either Internet Exploder or in Firefox. It was loading fine from my other computer. It times out like it is too busy.

Then, I would very occasionally get 2 web pages instead of 1. The second page would be work-from-home scams, "anti"-malware sites, etc.

Control-alt-delete does not always pull up the task manager. But sometimes it does.

Several times the "new" Windows theme died, and it would revert from a green start button and blue taskbar to all gray buttons and taskbar.

I would occasionally get processes dying, especially this one that would happen repeatedly:
Generic Host Process for Win 32 Services
svchost.exe
szAppVer 5.1.2600.2180
szModName ntdll.dll
szModVer 5.1.2600.2180
offset 00021260
(It just did it again while I was typing this!)

Also, the computer will not shut down cleanly on command, but it will sometimes reboot by itself.

I have gone through the "Preparation for Help" list:
1) Backup is incomplete and out of date, but it is the best I can do with the current condition of the computer.
2) I did not go through the "slow computer" steps because there is clearly an infection.
3) Created account.
4) Enabled notification of replies.
5) McAfee Firewall is on.
6) Ran DeFogger, but had no CD emulation software running.
7) Ran DDS, log follows at end.
8) Ran GMER, and it hung. Ran again and saved off a partial log when it seemed to have caught a bunch. It rebooted.
PARTIAL GMER log will be attached, and I will keep trying to get a complete log if I can.
9) Here we are!
10) Thank you very much for any assistance that you can provide. I will be unavailable until approximately 3 PM Eastern on Saturday 10/9, but I will do my best to respond promptly after that.

Update! Wow. I was able to access your site from the infected computer, but my attempts to post this did not work. Whatever is tampering with my internet traffic prevented it. Well, I was able to mail this post to my other computer, and I am posting it from there. What a hassle.

DDS LOG
========================

DDS (Ver_10-10-05.01) - NTFSx86
Run by Scott at 22:57:09.06 on Fri 10/08/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.619 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\Scott\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.gatewaybiz.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101007195709.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunKistEM] c:\program files\emachines bay reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286411046546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\q94wsje0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-24 386712]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-6 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-10-6 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-6 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-6 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-5 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-6 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-6 152992]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-6 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-6 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-10-6 88544]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\scott\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2010-10-6 70144]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-10-6 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-6 84264]

=============== Created Last 30 ================

2010-10-09 02:56:04 0 ----a-w- c:\documents and settings\scott\defogger_reenable
2010-10-09 02:42:06 38912 ------w- c:\windows\system32\brinsstr.dll
2010-10-09 02:42:06 19361 ------w- c:\windows\system32\drivers\BrPar.sys
2010-10-09 02:42:03 651264 ------w- c:\windows\system32\brfxdial.dll
2010-10-09 02:42:02 131072 ----a-w- c:\windows\bruninst.dll
2010-10-09 02:42:02 -------- d-----w- c:\program files\Brother
2010-10-08 02:50:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-07 23:53:47 -------- d-----w- c:\docume~1\scott\applic~1\McAfee
2010-10-07 02:16:44 -------- d-----w- c:\docume~1\scott\applic~1\Malwarebytes
2010-10-07 02:16:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-07 02:16:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-07 02:16:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-07 02:16:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-07 01:40:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-07 01:28:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-07 01:28:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-07 00:34:17 -------- d-----w- c:\docume~1\scott\locals~1\applic~1\Adobe
2010-10-07 00:32:00 -------- d-----w- c:\docume~1\scott\locals~1\applic~1\Mozilla
2010-10-07 00:23:09 -------- d-s---w- c:\documents and settings\scott\UserData
2010-10-06 04:10:58 17464 ----a-w- c:\docume~1\scott\locals~1\applic~1\GDIPFONTCACHEV1.DAT
2010-10-06 04:09:13 -------- d-----w- c:\program files\McAfeeMOBK
2010-10-06 04:09:03 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-10-06 04:08:57 -------- d-----w- c:\program files\McAfee Online Backup
2010-10-06 04:07:21 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-06 04:07:13 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-10-06 04:07:12 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-10-06 04:07:12 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-06 04:07:12 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-06 04:07:12 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-06 04:07:12 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-06 04:07:12 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-06 04:07:06 -------- d-----w- c:\program files\common files\Mcafee
2010-10-06 04:07:05 -------- d-----w- c:\program files\McAfee.com
2010-10-06 04:06:48 -------- d-----w- c:\program files\McAfee
2010-10-06 03:46:27 -------- d-----w- c:\docume~1\scott\applic~1\Symantec
2010-10-06 03:33:00 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-06 03:27:02 -------- d-----w- c:\windows\system32\Lang
2010-10-06 02:36:37 24659 ----a-w- c:\windows\system32\aolddial.dll
2010-10-06 02:36:37 153088 ----a-w- c:\windows\system32\jgdwmie.dll
2010-10-06 02:36:35 54784 ----a-w- c:\windows\system32\Inetwh32.dll
2010-10-06 02:36:35 29184 ----a-w- c:\windows\system32\popup.ocx
2010-10-06 02:36:35 1044480 ----a-w- c:\windows\system32\roboex32.dll
2010-10-06 02:36:20 65536 ----a-w- c:\windows\wanmpsvc.exe
2010-10-06 02:36:16 33588 ----a-w- c:\windows\system32\drivers\wanatw4.sys
2010-10-06 02:36:15 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-10-06 02:36:11 -------- d-----w- c:\program files\common files\aolshare
2010-10-06 02:36:09 -------- d-----w- c:\program files\America Online 9.0
2010-10-06 02:36:01 864 ---ha-w- C:\IPH.PH
2010-10-06 02:36:00 -------- d-----w- c:\program files\common files\AOL
2010-10-06 02:35:54 140488 ----a-w- c:\windows\system32\comdlg32.ocx
2010-10-06 02:35:54 118976 ----a-w- c:\windows\system32\MSADODC.OCX
2010-10-06 02:35:44 46433 ----a-w- c:\windows\WBODA34I.DLL
2010-10-06 02:35:43 351526 ----a-w- c:\windows\WBDDA34I.DLL
2010-10-06 02:33:27 -------- d-----w- c:\program files\Program Shortcuts
2010-10-06 02:33:15 518520 ----a-w- c:\windows\vidres.exe
2010-10-06 02:32:01 -------- d-----w- c:\program files\Symantec
2010-10-06 02:31:56 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-10-06 02:31:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-10-06 02:31:37 66992 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2010-10-06 02:31:37 61440 ----a-w- c:\windows\system32\cdrtc.dll
2010-10-06 02:31:37 45056 ----a-w- c:\windows\system32\cdral.dll
2010-10-06 02:31:37 24698 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2010-10-06 02:31:37 -------- d-----w- c:\windows\DRIVERS
2010-10-06 02:31:36 -------- d-----w- c:\program files\Napster
2010-10-06 02:30:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Napster
2010-10-06 02:30:15 471298 ----a-w- c:\windows\wallpg.exe
2010-10-06 02:28:31 17956 ----a-w- c:\windows\BigFixClientOverride.dll
2010-10-06 02:28:30 -------- d-----w- c:\program files\BigFix
2010-10-06 02:28:22 -------- d-----w- c:\program files\Gateway
2010-10-06 02:28:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Prism Deploy
2010-10-06 02:28:21 -------- d-----w- c:\program files\common files\New Boundary
2010-10-06 02:27:17 -------- d-----w- c:\windows\system32\ReinstallBackups
2010-10-06 02:26:45 57344 ----a-w- c:\windows\system32\NeroBurnRights.cpl
2010-10-06 02:26:45 53248 ----a-w- c:\windows\system32\NeroCo.dll
2010-10-06 02:26:45 28080 ------w- c:\windows\system32\drivers\incdrm.sys
2010-10-06 02:26:45 1658880 ------w- c:\windows\UNNeroBurnRights.exe
2010-10-06 02:26:45 1658880 ------w- c:\windows\UNMRW.exe
2010-10-06 02:26:01 569344 ----a-w- c:\windows\system32\imagr5.dll
2010-10-06 02:26:01 544768 ----a-w- c:\windows\system32\imagx5.dll
2010-10-06 02:26:01 38912 ----a-w- c:\windows\system32\picn20.dll
2010-10-06 02:26:01 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-10-06 02:26:00 283920 ----a-w- c:\windows\system32\ImagXpr5.dll
2010-10-06 02:26:00 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-10-06 02:24:58 -------- d-----w- c:\program files\Marvell
2010-10-06 02:24:48 0 ----a-w- C:\REQUEST_OEMRESET_ENDUSER
2010-10-06 02:24:25 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-10-06 02:24:23 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-06 02:24:15 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-06 02:24:11 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-10-06 02:23:58 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-06 02:23:55 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-10-06 02:23:22 -------- d-----w- c:\program files\CONEXANT
2010-10-06 02:23:19 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2010-10-06 02:23:19 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-10-06 02:23:19 53248 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-10-06 02:22:39 26624 ----a-w- c:\windows\system32\drivers\usbehci.sys
2010-10-06 02:22:38 7168 ----a-w- c:\windows\system32\hccoin.dll
2010-10-06 02:01:50 -------- d-----r- c:\windows\Offline Web Pages
2010-10-06 01:59:48 -------- dcsh--r- c:\windows\system32\dllcache
2010-10-06 01:59:00 -------- d-----w- C:\My Backup -- 05-10-10 1859
2010-10-05 18:08:32 60 ----a-w- C:\MOVE_RECOVERY
2010-10-05 18:07:00 -------- d-----w- C:\My Backup -- 05-10-10 1107

==================== Find3M ====================

2010-10-06 02:38:01 1409 ----a-w- c:\windows\QTFont.for
2010-10-06 02:37:08 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2010-10-06 02:37:04 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2010-08-24 18:57:38 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 18:57:38 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys

============= FINISH: 22:58:53.43 ===============

PARTIAL GMER LOG (best I can do so far):
====================================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-08 23:23:27
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Alex\LOCALS~1\Temp\kwlyifow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7348090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73480A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF73480D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7348126]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF734807C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7348054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7348068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF73480BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF73480FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF73480E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7348150]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF734813C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7348110]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwRenameKey 80655F85 1 Byte [E9]
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF7847300]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[396] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[396] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1116] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1116] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00050022
.text C:\WINDOWS\system32\services.exe[1116] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00040060
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00040F6B
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0004004F
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00040F86
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00040FA8
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0004007D
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00040F35
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00040EE4
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00040EFF
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00040ED3
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00040F97
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00040F46
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00040FB9
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00040F10
.text C:\WINDOWS\system32\services.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0089004C
.text C:\WINDOWS\system32\services.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 00890FC1
.text C:\WINDOWS\system32\services.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00890FD2
.text C:\WINDOWS\system32\services.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\services.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00890031
.text C:\WINDOWS\system32\services.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0089000C
.text C:\WINDOWS\system32\services.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008A0FD4
.text C:\WINDOWS\system32\services.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008A0F72
.text C:\WINDOWS\system32\services.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008A0025
.text C:\WINDOWS\system32\services.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008A0014
.text C:\WINDOWS\system32\services.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008A0F83
.text C:\WINDOWS\system32\services.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008A0F9E
.text C:\WINDOWS\system32\services.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\services.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008A0FB9
.text C:\WINDOWS\system32\services.exe[1116] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1116] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1116] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[1116] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1116] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\lsass.exe[1128] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[1128] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00050025
.text C:\WINDOWS\system32\lsass.exe[1128] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00040F91
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00040090
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0004007F
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00040058
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00040FC0
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00040F6F
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 000400B7
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000400FE
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 000400ED
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00040119
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00040047
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00040011
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00040F80
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00040FDB
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00040022
.text C:\WINDOWS\system32\lsass.exe[1128] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 000400D2
.text C:\WINDOWS\system32\lsass.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00EB0025
.text C:\WINDOWS\system32\lsass.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00EB0051
.text C:\WINDOWS\system32\lsass.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\lsass.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00EB0FCA
.text C:\WINDOWS\system32\lsass.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00EB0F94
.text C:\WINDOWS\system32\lsass.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00EB0036
.text C:\WINDOWS\system32\lsass.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\lsass.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00EB0FAF
.text C:\WINDOWS\system32\lsass.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA0049
.text C:\WINDOWS\system32\lsass.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0038
.text C:\WINDOWS\system32\lsass.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0FD2
.text C:\WINDOWS\system32\lsass.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\lsass.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0027
.text C:\WINDOWS\system32\lsass.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA000C
.text C:\WINDOWS\system32\lsass.exe[1128] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\lsass.exe[1128] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\lsass.exe[1128] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00070027
.text C:\WINDOWS\system32\lsass.exe[1128] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\lsass.exe[1128] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00070042
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00D00014
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CF0090
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CF0FA5
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CF0073
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CF0FB6
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CF0047
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CF0F80
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CF00BC
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CF00ED
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CF0F54
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00CF0F39
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00CF0058
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00CF0FDB
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00CF00AB
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00CF002C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00CF0011
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00CF0F6F
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00D4006C
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00D4001B
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00D40051
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00D40040
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00D40FC3
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30FB7
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30042
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D3001D
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FD2
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D3000C
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00D20FE5
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00D20FAD
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00D20FCA
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00D20F92
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A3005D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A30042
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A30F68
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A30F79
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A30F94
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A300AE
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A30093
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A30F30
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A30F4B
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00A30F15
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00A3001B
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00A30082
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00A30FC3
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00A300C9
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A8001E
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A80054
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A80FCD
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A80FDE
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A80F97
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A80043
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A80FB2
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A70F75
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70F86
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70FB5
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70FE3
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A70FC6
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00A60036
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00A6001B
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00A60047
.text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A50000
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 02DF0FEF
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 02DF0025
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 02DF0014
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0094000A
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0092000C
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02DE0FE5
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02DE0F61
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02DE0F72
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02DE004C
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02DE0F83
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02DE0014
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02DE0F21
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02DE0073
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02DE0095
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02DE0084
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 02DE00B0
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 02DE0025
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 02DE0FD4
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 02DE0F3C
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 02DE0FA8
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 02DE0FB9
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 02DE0F10
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02DD0FC3
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02DD0F6B
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02DD0014
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02DD0FDE
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02DD0F7C
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02DD0F8D
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02DD0FEF
.text C:\WINDOWS\System32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02DD0FA8
.text C:\WINDOWS\System32\svchost.exe[1528] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00E8000A
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04460038
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!system 77C293C7 5 Bytes JMP 04460027
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04460FD2
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04460FEF
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04460FB7
.text C:\WINDOWS\System32\svchost.exe[1528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0446000C
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 04450FEF
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 04450FD4
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 0445000A
.text C:\WINDOWS\System32\svchost.exe[1528] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 04450FC3
.text C:\WINDOWS\System32\svchost.exe[1528] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02E00000
.text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A20F8A
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A2007F
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A20FA5
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A20062
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A20047
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A20F43
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A20F54
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A200BE
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A200AD
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00A20F0A
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00A20FC0
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00A2001B
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00A20F6F
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00A20FDB
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00A20036
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00A2009C
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A10FC3
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A1005E
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A10FA1
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A10FB2
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A1002F
.text C:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60FAD
.text C:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60038
.text C:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60FD2
.text C:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60027
.text C:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A6000C
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00A50016
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00A50FDE
.text C:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00A50027
.text C:\WINDOWS\system32\svchost.exe[1648] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B50F66
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B50F77
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B50051
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B50040
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B50FA8
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B50F38
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B50F55
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B50F13
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B500AC
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00B500BD
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00B5002F
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00B50FD4
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00B50080
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00B50FB9
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00B5009B
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B40FC3
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B4006C
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B40014
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B4005B
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B4004A
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B4002F
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70058
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70FC3
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FDE
.text C:\WINDOWS\system32\svchost.exe[1732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F7001D
.text C:\WINDOWS\system32\svchost.exe[1732] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1732] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00F60014
.text C:\WINDOWS\system32\svchost.exe[1732] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\svchost.exe[1732] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00F6002F
.text C:\WINDOWS\system32\svchost.exe[1732] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B70FEF
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 04140000
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 04140022
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 04140011
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 03E1000A
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 03DF000C
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DF0FE5
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DF0087
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DF0F88
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DF006C
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DF005B
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DF0036
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DF00AC
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DF0F66
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DF0F1D
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DF0F2E
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00DF00D1
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00DF0FB9
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00DF0000
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00DF0F77
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00DF0025
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00DF0FD4
.text C:\WINDOWS\Explorer.EXE[1852] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00DF0F49
.text C:\WINDOWS\Explorer.EXE[1852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0031
.text C:\WINDOWS\Explorer.EXE[1852] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0FA6
.text C:\WINDOWS\Explorer.EXE[1852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FC8
.text C:\WINDOWS\Explorer.EXE[1852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\Explorer.EXE[1852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0FB7
.text C:\WINDOWS\Explorer.EXE[1852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA000C
.text C:\WINDOWS\Explorer.EXE[1852] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00D60047
.text C:\WINDOWS\Explorer.EXE[1852] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00D6007D
.text C:\WINDOWS\Explorer.EXE[1852] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00D60036
.text C:\WINDOWS\Explorer.EXE[1852] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00D6001B
.text C:\WINDOWS\Explorer.EXE[1852] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00D60FC0
.text C:\WINDOWS\Explorer.EXE[1852] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00D6006C
.text C:\WINDOWS\Explorer.EXE[1852] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00D6000A
.text C:\WINDOWS\Explorer.EXE[1852] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00D60FDB
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00C9000A
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00C90FD4
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\Explorer.EXE[1852] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00C90FC3
.text C:\WINDOWS\Explorer.EXE[1852] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\wuauclt.exe[1892] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 029A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[1892] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 029A0FCD
.text C:\WINDOWS\system32\wuauclt.exe[1892] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 029A0FDE
.text C:\WINDOWS\system32\wuauclt.exe[1892] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0290000A
.text C:\WINDOWS\system32\wuauclt.exe[1892] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 028E000C
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02990FEF
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02990F50
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02990F75
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02990043
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02990F86
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02990FAB
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02990F24
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02990060
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 029900BD
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 029900A2
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 029900D8
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 02990028
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 02990FDE
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 02990F3F
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 02990FBC
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 02990FCD
.text C:\WINDOWS\system32\wuauclt.exe[1892] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 02990091
.text C:\WINDOWS\system32\wuauclt.exe[1892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0127003D
.text C:\WINDOWS\system32\wuauclt.exe[1892] msvcrt.dll!system 77C293C7 5 Bytes JMP 0127002C
.text C:\WINDOWS\system32\wuauclt.exe[1892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01270FBC
.text C:\WINDOWS\system32\wuauclt.exe[1892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01270000
.text C:\WINDOWS\system32\wuauclt.exe[1892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01270011
.text C:\WINDOWS\system32\wuauclt.exe[1892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01270FD7
.text C:\WINDOWS\system32\wuauclt.exe[1892] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01280FAF
.text C:\WINDOWS\system32\wuauclt.exe[1892] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0128005B
.text C:\WINDOWS\system32\wuauclt.exe[1892] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01280000
.text C:\WINDOWS\system32\wuauclt.exe[1892] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01280FD4
.text C:\WINDOWS\system32\wuauclt.exe[1892] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01280F9E
.text C:\WINDOWS\system32\wuauclt.exe[1892] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01280036
.text C:\WINDOWS\system32\wuauclt.exe[1892] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01280FEF
.text C:\WINDOWS\system32\wuauclt.exe[1892] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01280025
.text C:\WINDOWS\system32\wuauclt.exe[1892] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01250000
.text C:\WINDOWS\system32\wuauclt.exe[1892] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 01260000
.text C:\WINDOWS\system32\wuauclt.exe[1892] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 01260FDE
.text C:\WINDOWS\system32\wuauclt.exe[1892] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 01260FEF
.text C:\WINDOWS\system32\wuauclt.exe[1892] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 01260FC1
.text C:\WINDOWS\System32\svchost.exe[2604] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00DC0000
.text C:\WINDOWS\System32\svchost.exe[2604] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00DC0022
.text C:\WINDOWS\System32\svchost.exe[2604] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00DC0011
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DB0000
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DB00BF
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DB009A
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DB0089
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DB0062
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DB0FD4
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DB0108
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DB00E1
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DB012A
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DB0F91
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00DB0F76
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00DB0051
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00DB00D0
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00DB0040
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00DB0025
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00DB0119
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DA0F9E
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DA002F
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DA0FB9
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DA0FD4
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DA0F7C
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DA0F8D
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DA0FE5
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DA0014
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D9002C
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D90FA1
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D90FC6
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D90000
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D90011
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90FD7
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 001B0011
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 001B002C
.text C:\WINDOWS\System32\svchost.exe[2604] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001A000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
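
The listing above is GMER's user-mode hook scan: each `.text` line names a process, an exported function, its address, and the 5 bytes that were overwritten with a JMP to a trampoline that the log gives only as a bare address (E9 is the opcode of that 5-byte relative JMP, which is why svchost.exe[1528] also shows a "1 Byte [E9]" entry for VirtualProtectEx). Reading a few hundred such lines by eye is error-prone, so the script below is added here as an editor's example, not part of the original post and not GMER's own code: it parses the hook and AttachedDevice formats, summarizes patched exports per process, and lists the exports hooked in every process. The sample lines are constructed copies in the shape of the post's log, and the 64 KiB region heuristic is the editor's assumption about where the trampolines live, not a GMER feature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the GMER "User code sections" and "Devices" listing
# above (not the full log): hooks from three processes, including GMER's 1-byte "[E9]"
# partial-patch line for VirtualProtectEx, plus two AttachedDevice lines.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CF00ED
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D10000
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 02DF0025
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02DE0F61
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 04140022
.text C:\WINDOWS\Explorer.EXE[1852] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 03DF000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
"""

# One ".text" line = one exported function whose first bytes were overwritten in that process.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$")
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)\s+\((?P<desc>.*)\)\s*$")
ALLOC_GRANULARITY = 0x10000  # Windows user-mode allocations start on 64 KiB boundaries (assumed heuristic)

@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    func: str
    addr: int
    size: int
    target: Optional[int]  # JMP destination; None for a partial patch such as "[E9]"

@dataclass(frozen=True)
class AttachedDevice:
    driver: str
    device: str
    file: str
    description: str

def parse_gmer(text):
    """Split a GMER log into user-mode hook records and attached filter devices."""
    hooks, devices = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            jmp = re.match(r"JMP\s+([0-9A-Fa-f]{8})", m["patch"])
            hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["func"],
                              int(m["addr"], 16), int(m["size"]),
                              int(jmp.group(1), 16) if jmp else None))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(AttachedDevice(m["driver"], m["device"], m["file"], m["desc"]))
    return hooks, devices

def summarize_hooks(hooks):
    """Per process: patched export count, hooked DLLs, and the distinct 64 KiB regions the
    JMP targets fall in. The log gives only bare addresses, so the region count is the
    cheapest clue to how many injected code blocks serve that process."""
    summary = {}
    for h in hooks:
        e = summary.setdefault((h.image, h.pid),
                               {"hook_count": 0, "modules": set(), "regions": set(), "partial": []})
        e["hook_count"] += 1
        e["modules"].add(h.module.lower())
        if h.target is None:
            e["partial"].append(h.func)
        else:
            e["regions"].add(h.target // ALLOC_GRANULARITY * ALLOC_GRANULARITY)
    return summary

def shared_hook_set(hooks):
    """Exports hooked in every process in the log. A common set across unrelated processes
    points at one system-wide injected component (security product or malware) rather than
    per-process tampering; the log alone does not say which."""
    per_process = {}
    for h in hooks:
        per_process.setdefault((h.image, h.pid), set()).add(f"{h.module.lower()}!{h.func}")
    return set.intersection(*per_process.values()) if per_process else set()

def report(text):
    """Human-readable summary: one line per process, one for the common hook set, one per filter."""
    hooks, devices = parse_gmer(text)
    out = []
    for (image, pid), e in sorted(summarize_hooks(hooks).items(), key=lambda kv: kv[0][1]):
        regions = ", ".join(f"{r:08X}" for r in sorted(e["regions"]))
        partial = f"; partial patch on {', '.join(e['partial'])}" if e["partial"] else ""
        out.append(f"{image}[{pid}]: {e['hook_count']} patched exports in "
                   f"{', '.join(sorted(e['modules']))}; trampolines in {regions}{partial}")
    out.append("hooked in every listed process: " + (", ".join(sorted(shared_hook_set(hooks))) or "none"))
    out += [f"filter {d.file} attached to {d.device} ({d.description})" for d in devices]
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the full log pasted in the post (save the post text to a file and pass it to `report`) and the pattern that stands out is a near-identical set of patched exports (NtCreateFile, CreateProcess*, Reg*Key*, socket, InternetOpen*) in every process, which is what a system-wide injected component looks like, whether that is the HIPS/antivirus whose filter drivers appear in the Devices section or something malicious. The log does not attribute the trampolines to a file, which is why a follow-up scan with a second rootkit detector is the usual next step.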



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:03 PM

Posted 16 October 2010 - 02:50 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. let me know of any problems you may have had

Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 WoundedFox

WoundedFox
  • Topic Starter

  • Members
  • 54 posts

Posted 17 October 2010 - 02:40 PM

Yes, I am still looking for help with this problem. A few things have changed since I originally posted.

1) I ran a few more tools, before you responded, and I will post those logs ASAP. I will not run anything more without your instructions.

2) I have ordered and received a new external hard drive. I am going to do a full backup (with the remaining infections) before proceeding with any more tools.

3) I have ordered a new computer. My hope is to get the currently infected computer as clean as possible before making a second backup, and then to restore data from the clean(er) backup to the new computer to minimize the chance of infecting it. (It should arrive on approximately Wednesday.) Once I am sure I have everything I need on the new computer, I will do a clean reinstall on the currently infected computer.

The current symptoms on the sick computer are:
1) Attempting to go to windowsupdate.microsoft.com fails. (Most other pages are fine. Search results may be redirected, I don't remember.)
2) Extra tabs occasionally open up with ad pages.
3) System load increases when the network is plugged in, so it must be doing something it shouldn't be, so I am leaving it unplugged from the network and using a different computer to fetch any programs that I need to run on it.
4) One instance of svchost.exe grows and grows memory usage until it hits some limit and then dies with a message.
5) Killing the growing instance of svchost.exe seems to help, but it starts a new one and the problem repeats.

I am off now to do the full backup, and then I will run the tools you have directed me to run, and I will post all of the logs.

Thank you so much for your assistance!



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 October 2010 - 02:57 PM

Hello

OK, when you are ready, just post the logs here for me to see.


Gringo

#5 WoundedFox

WoundedFox
  • Topic Starter

  • Members
  • 54 posts

Posted 17 October 2010 - 03:22 PM

I had run Defogger previously, but I did not save a log from it. I believe I did it before I ran these tools:

DDS 10/8 10:59 PM:


DDS (Ver_10-10-05.01) - NTFSx86
Run by Scott at 22:57:09.06 on Fri 10/08/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.619 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\Scott\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.gatewaybiz.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101007195709.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunKistEM] c:\program files\emachines bay reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286411046546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\q94wsje0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-24 386712]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-6 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-10-6 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-6 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-6 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-5 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-6 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-6 152992]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-6 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-6 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-10-6 88544]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\scott\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2010-10-6 70144]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-10-6 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-6 84264]

=============== Created Last 30 ================

2010-10-09 02:56:04 0 ----a-w- c:\documents and settings\scott\defogger_reenable
2010-10-09 02:42:06 38912 ------w- c:\windows\system32\brinsstr.dll
2010-10-09 02:42:06 19361 ------w- c:\windows\system32\drivers\BrPar.sys
2010-10-09 02:42:03 651264 ------w- c:\windows\system32\brfxdial.dll
2010-10-09 02:42:02 131072 ----a-w- c:\windows\bruninst.dll
2010-10-09 02:42:02 -------- d-----w- c:\program files\Brother
2010-10-08 02:50:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-07 23:53:47 -------- d-----w- c:\docume~1\scott\applic~1\McAfee
2010-10-07 02:16:44 -------- d-----w- c:\docume~1\scott\applic~1\Malwarebytes
2010-10-07 02:16:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-07 02:16:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-07 02:16:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-07 02:16:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-07 01:40:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-07 01:28:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-07 01:28:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-07 00:34:17 -------- d-----w- c:\docume~1\scott\locals~1\applic~1\Adobe
2010-10-07 00:32:00 -------- d-----w- c:\docume~1\scott\locals~1\applic~1\Mozilla
2010-10-07 00:23:09 -------- d-s---w- c:\documents and settings\scott\UserData
2010-10-06 04:10:58 17464 ----a-w- c:\docume~1\scott\locals~1\applic~1\GDIPFONTCACHEV1.DAT
2010-10-06 04:09:13 -------- d-----w- c:\program files\McAfeeMOBK
2010-10-06 04:09:03 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-10-06 04:08:57 -------- d-----w- c:\program files\McAfee Online Backup
2010-10-06 04:07:21 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-06 04:07:13 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-10-06 04:07:12 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-10-06 04:07:12 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-06 04:07:12 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-06 04:07:12 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-06 04:07:12 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-06 04:07:12 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-06 04:07:06 -------- d-----w- c:\program files\common files\Mcafee
2010-10-06 04:07:05 -------- d-----w- c:\program files\McAfee.com
2010-10-06 04:06:48 -------- d-----w- c:\program files\McAfee
2010-10-06 03:46:27 -------- d-----w- c:\docume~1\scott\applic~1\Symantec
2010-10-06 03:33:00 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-06 03:27:02 -------- d-----w- c:\windows\system32\Lang
2010-10-06 02:36:37 24659 ----a-w- c:\windows\system32\aolddial.dll
2010-10-06 02:36:37 153088 ----a-w- c:\windows\system32\jgdwmie.dll
2010-10-06 02:36:35 54784 ----a-w- c:\windows\system32\Inetwh32.dll
2010-10-06 02:36:35 29184 ----a-w- c:\windows\system32\popup.ocx
2010-10-06 02:36:35 1044480 ----a-w- c:\windows\system32\roboex32.dll
2010-10-06 02:36:20 65536 ----a-w- c:\windows\wanmpsvc.exe
2010-10-06 02:36:16 33588 ----a-w- c:\windows\system32\drivers\wanatw4.sys
2010-10-06 02:36:15 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-10-06 02:36:11 -------- d-----w- c:\program files\common files\aolshare
2010-10-06 02:36:09 -------- d-----w- c:\program files\America Online 9.0
2010-10-06 02:36:01 864 ---ha-w- C:\IPH.PH
2010-10-06 02:36:00 -------- d-----w- c:\program files\common files\AOL
2010-10-06 02:35:54 140488 ----a-w- c:\windows\system32\comdlg32.ocx
2010-10-06 02:35:54 118976 ----a-w- c:\windows\system32\MSADODC.OCX
2010-10-06 02:35:44 46433 ----a-w- c:\windows\WBODA34I.DLL
2010-10-06 02:35:43 351526 ----a-w- c:\windows\WBDDA34I.DLL
2010-10-06 02:33:27 -------- d-----w- c:\program files\Program Shortcuts
2010-10-06 02:33:15 518520 ----a-w- c:\windows\vidres.exe
2010-10-06 02:32:01 -------- d-----w- c:\program files\Symantec
2010-10-06 02:31:56 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-10-06 02:31:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-10-06 02:31:37 66992 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2010-10-06 02:31:37 61440 ----a-w- c:\windows\system32\cdrtc.dll
2010-10-06 02:31:37 45056 ----a-w- c:\windows\system32\cdral.dll
2010-10-06 02:31:37 24698 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2010-10-06 02:31:37 -------- d-----w- c:\windows\DRIVERS
2010-10-06 02:31:36 -------- d-----w- c:\program files\Napster
2010-10-06 02:30:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Napster
2010-10-06 02:30:15 471298 ----a-w- c:\windows\wallpg.exe
2010-10-06 02:28:31 17956 ----a-w- c:\windows\BigFixClientOverride.dll
2010-10-06 02:28:30 -------- d-----w- c:\program files\BigFix
2010-10-06 02:28:22 -------- d-----w- c:\program files\Gateway
2010-10-06 02:28:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Prism Deploy
2010-10-06 02:28:21 -------- d-----w- c:\program files\common files\New Boundary
2010-10-06 02:27:17 -------- d-----w- c:\windows\system32\ReinstallBackups
2010-10-06 02:26:45 57344 ----a-w- c:\windows\system32\NeroBurnRights.cpl
2010-10-06 02:26:45 53248 ----a-w- c:\windows\system32\NeroCo.dll
2010-10-06 02:26:45 28080 ------w- c:\windows\system32\drivers\incdrm.sys
2010-10-06 02:26:45 1658880 ------w- c:\windows\UNNeroBurnRights.exe
2010-10-06 02:26:45 1658880 ------w- c:\windows\UNMRW.exe
2010-10-06 02:26:01 569344 ----a-w- c:\windows\system32\imagr5.dll
2010-10-06 02:26:01 544768 ----a-w- c:\windows\system32\imagx5.dll
2010-10-06 02:26:01 38912 ----a-w- c:\windows\system32\picn20.dll
2010-10-06 02:26:01 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-10-06 02:26:00 283920 ----a-w- c:\windows\system32\ImagXpr5.dll
2010-10-06 02:26:00 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-10-06 02:24:58 -------- d-----w- c:\program files\Marvell
2010-10-06 02:24:48 0 ----a-w- C:\REQUEST_OEMRESET_ENDUSER
2010-10-06 02:24:25 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-10-06 02:24:23 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-06 02:24:15 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-06 02:24:11 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-10-06 02:23:58 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-06 02:23:55 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-10-06 02:23:22 -------- d-----w- c:\program files\CONEXANT
2010-10-06 02:23:19 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2010-10-06 02:23:19 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-10-06 02:23:19 53248 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-10-06 02:22:39 26624 ----a-w- c:\windows\system32\drivers\usbehci.sys
2010-10-06 02:22:38 7168 ----a-w- c:\windows\system32\hccoin.dll
2010-10-06 02:01:50 -------- d-----r- c:\windows\Offline Web Pages
2010-10-06 01:59:48 -------- dcsh--r- c:\windows\system32\dllcache
2010-10-06 01:59:00 -------- d-----w- C:\My Backup -- 05-10-10 1859
2010-10-05 18:08:32 60 ----a-w- C:\MOVE_RECOVERY
2010-10-05 18:07:00 -------- d-----w- C:\My Backup -- 05-10-10 1107

==================== Find3M ====================

2010-10-06 02:38:01 1409 ----a-w- c:\windows\QTFont.for
2010-10-06 02:37:08 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2010-10-06 02:37:04 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2010-08-24 18:57:38 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 18:57:38 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys

============= FINISH: 22:58:53.43 ===============


#6 WoundedFox

WoundedFox
  • Topic Starter

  • Members
  • 54 posts

Posted 17 October 2010 - 03:25 PM

Attach log from DDS run 10/8:
The notes say not to post this directly, but I don't see anything in it that I consider confidential. I am guessing that on some forum, they have permissions set to only allow moderators/helpers to download attachments? Anyway, here it is, posted.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-05.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/5/2010 11:26:07 PM
System Uptime: 10/8/2010 10:49:53 PM (0 hours ago)

Motherboard: Intel Corporation | | D915GSE
Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/800mhz
Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 228 GiB total, 108.077 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 1.685 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 10/5/2010 11:26:11 PM - System Checkpoint
RP2: 10/5/2010 11:45:11 PM - Removed Cypress USB Mass Storage Driver Installation
RP3: 10/5/2010 11:45:15 PM - Removed Napster
RP4: 10/5/2010 11:46:46 PM - Removed Norton WMI Update
RP5: 10/6/2010 8:53:37 PM - Removed Adobe Reader 6.0
RP6: 10/6/2010 8:53:56 PM - Installed Adobe Reader 9.4.0.
RP7: 10/6/2010 9:27:17 PM - Installed Java™ 6 Update 21
RP8: 10/8/2010 10:42:09 PM - Printer Driver Brother PC-FAX Installed

==== Installed Programs ======================

Adobe AIR
Adobe Reader 9.4.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
ATI Control Panel
ATI Display Driver
Brother MFL Pro Suite
Do More
eMachines Bay Reader
High Definition Audio Driver Package - KB835221
InCD EasyWrite Reader
Java Auto Updater
Java™ 6 Update 21
Learn2 Player (Uninstall Only)
LiveUpdate 1.90 (Symantec Corporation)
Malwarebytes' Anti-Malware
Marvell Miniport Driver
McAfee Online Backup
McAfee Total Protection
McAfee Virtual Technician
Microsoft Office Basic Edition 2003
Mozilla Firefox (3.6.10)
Nero BurnRights
Nero OEM
PowerDVD
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Roxio Burn Engine
SoftV92 Data Fax Modem with SmartCP
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility

==== Event Viewer Messages From Past Week ========

10/8/2010 9:27:49 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/8/2010 8:38:27 AM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 2 time(s).
10/8/2010 8:38:27 AM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 2 time(s).
10/8/2010 8:38:27 AM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 2 time(s).
10/8/2010 8:38:27 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
10/8/2010 8:38:27 AM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/8/2010 8:38:27 AM, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/8/2010 8:38:27 AM, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/8/2010 8:38:27 AM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
10/8/2010 8:00:12 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
10/8/2010 8:00:12 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/8/2010 7:28:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
10/8/2010 10:38:34 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 2 time(s).
10/7/2010 7:37:16 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
10/6/2010 12:00:25 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
10/6/2010 12:00:25 AM, error: Service Control Manager [7005] - The LoadUserProfile call failed with the following error: The device is not ready.
10/6/2010 10:04:20 PM, error: F-Secure Standalone Minifilter [1] -

==== End Of File ===========================
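One way to read the "Event Viewer Messages" block of the Attach.txt above, as an added Python example that is not part of the thread or of the DDS tool: it groups the Service Control Manager "terminated unexpectedly" events by timestamp, because a burst of services dying in the same second is what a single shared svchost.exe host process crashing looks like, which is consistent with the svchost.exe symptom described in post #3. The sample input is constructed from the event lines posted above; the function names and the 7031/7034/7032 handling are my own, and confirming which host process a service lives in still needs `tasklist /svc` on the machine itself.

```python
"""Triage helper for the 'Event Viewer Messages' block of a DDS Attach.txt.

Added example, not code from the thread or from the DDS tool. It groups
Service Control Manager 7031/7034 'terminated unexpectedly' events by
timestamp: many services dying in the same second is what you see when one
shared service host process (an svchost.exe) crashes, which is consistent
with the svchost.exe symptom reported earlier in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: event lines copied from the Attach.txt posted above.
SAMPLE_EVENTS = """\
10/8/2010 9:27:49 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/8/2010 8:38:27 AM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 2 time(s).
10/8/2010 8:38:27 AM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 2 time(s).
10/8/2010 8:38:27 AM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 2 time(s).
10/8/2010 8:38:27 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
10/8/2010 8:38:27 AM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/8/2010 8:38:27 AM, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/8/2010 8:38:27 AM, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/8/2010 8:38:27 AM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
10/8/2010 8:00:12 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
10/8/2010 8:00:12 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/8/2010 10:38:34 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 2 time(s).
10/7/2010 7:37:16 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
10/6/2010 10:04:20 PM, error: F-Secure Standalone Minifilter [1] -
"""

# One DDS event line: "<date> <time>, <level>: <source> [<id>] - <message>"
# (the message may be empty, as in the F-Secure line above).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<id>\d+)\]\s*-\s*(?P<msg>.*)$"
)
TERMINATED_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
RESTART_FAILED_RE = re.compile(
    r"unexpected termination of the (?P<svc>.+?) service, but this action failed"
)


def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def crash_clusters(events, min_size=3):
    """Map timestamp -> services that terminated unexpectedly in that second,
    keeping only timestamps with at least min_size such events (7031/7034)."""
    by_ts = defaultdict(list)
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["id"] not in ("7031", "7034"):
            continue
        m = TERMINATED_RE.match(ev["msg"])
        if m:
            by_ts[ev["ts"]].append(m.group("svc"))
    return {ts: svcs for ts, svcs in by_ts.items() if len(svcs) >= min_size}


def restart_failures(events):
    """Services whose SCM automatic restart failed (event 7032)."""
    found = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] == "7032":
            m = RESTART_FAILED_RE.search(ev["msg"])
            if m:
                found.append(m.group("svc"))
    return found


def report(text):
    """Human-readable triage summary for whoever is reading the log."""
    events = parse_events(text)
    lines = []
    for ts, svcs in sorted(crash_clusters(events).items()):
        lines.append(f"{ts}: {len(svcs)} services died together: {', '.join(svcs)}")
        lines.append("  -> likely one shared svchost.exe crashed; on the machine, "
                     "'tasklist /svc' shows which host process each service runs in")
    for svc in restart_failures(events):
        lines.append(f"restart of '{svc}' failed: an instance was already running")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```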


#7 WoundedFox

WoundedFox
  • Topic Starter

  • Members
  • 54 posts

Posted 17 October 2010 - 03:26 PM

The partial run from gmer from 10/8 11:23 PM. I don't remember whether I had posted this before or not. I have still not been able to get gmer to run to completion without crashing or the system restarting.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-08 23:23:27
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Alex\LOCALS~1\Temp\kwlyifow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7348090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73480A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF73480D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7348126]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF734807C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7348054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7348068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF73480BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF73480FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF73480E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7348150]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF734813C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7348110]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwRenameKey 80655F85 1 Byte [E9]
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF7847300]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[396] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[396] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1116] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1116] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00050022
.text C:\WINDOWS\system32\services.exe[1116] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00040060
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00040F6B
.text C:\WINDOWS\system32\services.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0004004F
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00DB0051
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00DB00D0
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00DB0040
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00DB0025
.text C:\WINDOWS\System32\svchost.exe[2604] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00DB0119
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DA0F9E
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DA002F
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DA0FB9
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DA0FD4
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DA0F7C
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DA0F8D
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DA0FE5
.text C:\WINDOWS\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DA0014
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D9002C
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D90FA1
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D90FC6
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D90000
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D90011
.text C:\WINDOWS\System32\svchost.exe[2604] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90FD7
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 001B0011
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 001B002C
.text C:\WINDOWS\System32\svchost.exe[2604] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001A000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)


#8 WoundedFox

  • Topic Starter

  • Members
  • 54 posts

Posted 17 October 2010 - 03:28 PM

Rootkit Unhooker Report from 1010 12:21 AM
I don't remember which settings I had ticked.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2269184 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2269184 bytes
0x804D7000 RAW 2269184 bytes
0x804D7000 WMIxWDM 2269184 bytes
0xBF087000 C:\WINDOWS\System32\ati3duag.dll 2256896 bytes (ATI Technologies Inc. , ati3duag.dll)
0xEEAFB000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 2244608 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF800000 Win32k 1839104 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1839104 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6FDB000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF71BB000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 909312 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF6F33000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF73F1000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF2AE000 C:\WINDOWS\System32\ativvaxx.dll 483328 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xEE7E3000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7495000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xEE9C4000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xED250000 C:\WINDOWS\system32\DRIVERS\srv.sys 339968 bytes (Microsoft Corporation, Server driver)
0xF6D9B000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xEC8C1000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF04B000 C:\WINDOWS\System32\ati2cqag.dll 245760 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 233472 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF70FD000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF6D3F000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xF75C8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xED3BB000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF73C4000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF7156000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 184320 bytes (Marvell, NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller)
0xF7523000 dac2w2k.sys 180224 bytes (Mylex Corporation, Mylex Disk Array Controller Driver)
0xEE852000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEBDA5000 C:\WINDOWS\system32\drivers\kmixer.sys 172032 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE940000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7183000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 147456 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0)
0xF6E0E000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xEE7C0000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF70DA000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF7133000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xEE87E000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEE968000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0xEEADA000 C:\WINDOWS\system32\drivers\portcls.sys 135168 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x80701000 ACPI_HAL 134400 bytes
0x80701000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7504000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7598000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF73A9000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF754F000 adpu160m.sys 102400 bytes (Microsoft Corporation, Adaptec Ultra160 SCSI miniport)
0xF7568000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEE780000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7580000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF747E000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6EE3000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEC152000 C:\WINDOWS\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)
0xED213000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6EFA000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xF6F1F000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF71A7000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEEA1C000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xEE989000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xEEA4F000 C:\WINDOWS\system32\DRIVERS\MOBK.sys 77824 bytes (Mozy, Inc., Mozy Change Monitor Filter Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF74F2000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF6F0E000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 69632 bytes (Roxio, CDR4_XP CDR Helper)
0xF75B7000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6ED2000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xECCB4000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7767000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF77D7000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7339000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7399000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7707000 ohci1394.sys 61440 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7807000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xED32B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7389000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7677000 aic78u2.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra2 SCSI miniport)
0xF7647000 aic78xx.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra SCSI miniport)
0xF7717000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF77F7000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76D7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7817000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7637000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xECA2C000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xF76B7000 ql12160.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF76A7000 ql1280.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF7837000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7727000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF7757000 agpCPQ.sys 45056 bytes (Microsoft Corporation, CompatNT AGP Filter)
0xF7737000 alim1541.sys 45056 bytes (Microsoft Corporation, ALi M1541 NT AGP Filter)
0xF7747000 amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xEC9BC000 C:\WINDOWS\system32\drivers\mfebopk.sys 45056 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF7627000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7827000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF76E7000 sisagp.sys 45056 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xF76F7000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xF7887000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7697000 ql1080.sys 40960 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF7667000 ql1240.sys 40960 bytes (Microsoft Corporation, QLogic ISP PCI Adapters)
0xF7857000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF76C7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7309000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF6E72000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF77C7000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7617000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7847000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7329000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEC599000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7657000 ql10wnt.sys 36864 bytes (Microsoft Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF7687000 ultra.sys 36864 bytes (Promise Technology, Inc., Promise Ultra66 Miniport Driver)
0xF7349000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7977000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF79D7000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78C7000 symc8xx.sys 32768 bytes (LSI Logic, Symbios 8XX SCSI Miniport Driver)
0xF78D7000 sym_u3.sys 32768 bytes (LSI Logic, Symbios Ultra3 SCSI Miniport Driver)
0xF7967000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF78AF000 asc.sys 28672 bytes (Advanced System Products, Inc., AdvanSys SCSI Controller Driver)
0xF7987000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF799F000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF78FF000 hpn.sys 28672 bytes (Microsoft Corporation, NetRAID-4M Miniport Driver)
0xF7897000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF78F7000 perc2.sys 28672 bytes (Microsoft Corporation, PERC 2 Miniport Driver)
0xF79B7000 C:\WINDOWS\System32\Drivers\sunkfilt.sys 28672 bytes (Alcor Micro Corp., SunkFilt)
0xF78CF000 sym_hi.sys 28672 bytes (LSI Logic, Symbios Hi-Perf SCSI Miniport Driver)
0xF7947000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xEEAA2000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF79FF000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF78DF000 ABP480N5.SYS 24576 bytes (Microsoft Corporation, AdvanSys SCSI Controller Driver)
0xF78E7000 asc3350p.sys 24576 bytes (Microsoft Corporation, AdvanSys SCSI Card Driver)
0xF79EF000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)
0xF7A1F000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF792F000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF79AF000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF79F7000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xF78EF000 dpti2o.sys 20480 bytes (Microsoft Corporation, DPT SmartRAID miniport)
0xF7937000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF78BF000 i2omp.sys 20480 bytes (Microsoft Corporation, I2O Miniport Driver)
0xF78B7000 mraid35x.sys 20480 bytes (American Megatrends Inc., MegaRAID RAID Controller Driver for Windows Whistler 32)
0xF79BF000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF789F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF79CF000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF79DF000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF78A7000 sparrow.sys 20480 bytes (Adaptec, Inc., Adaptec AIC-6x60 series SCSI miniport)
0xF797F000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7A17000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF79E7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7A33000 aha154x.sys 16384 bytes (Microsoft Corporation, Adaptec AHA-154x series SCSI miniport)
0xF7A43000 asc3550.sys 16384 bytes (Advanced System Products, Inc., AdvanSys Ultra-Wide PCI SCSI Driver)
0xF7A4B000 cbidf2k.sys 16384 bytes (Microsoft Corporation, CardBus/PCMCIA IDE Miniport Driver)
0xF7A2F000 cpqarray.sys 16384 bytes (Microsoft Corporation, Compaq Drive Array Controllers SCSI Miniport Driver)
0xF7A3B000 dac960nt.sys 16384 bytes (Microsoft Corporation, Mylex Disk Array Controller Driver)
0xF7A47000 ini910u.sys 16384 bytes (Microsoft Corporation, INITIO ini910u SCSI miniport)
0xF6DEE000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7AF3000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xED5FC000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF72E5000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7A37000 symc810.sys 16384 bytes (Symbios Logic Inc., Symbios Logic Inc. SCSI Miniport Driver)
0xF7A3F000 amsint.sys 12288 bytes (Microsoft Corporation, AMD SCSI/NET Controller)
0xF7A2B000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xEE9B8000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF6E02000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xED2B7000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF6DF6000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF72CD000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF6DEA000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7B19000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xF7BB7000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0xF7B51000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B23000 cd20xrnt.sys 8192 bytes (Microsoft Corporation, IBM Portable CD-ROM Drive Miniport)
0xF7B1B000 cmdide.sys 8192 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
0xF7B75000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B4D000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B47000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xF7B21000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7B55000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B25000 perc2hib.sys 8192 bytes (Microsoft Corporation, PERC 2 Hibernate Driver)
0xF7B59000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B3B000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B1D000 toside.sys 8192 bytes (Microsoft Corporation, Toshiba PCI IDE Controller)
0xF7B43000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B1F000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7B17000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x872C6000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7C71000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7C55000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7CCA000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BDF000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8733C298 ?_empty_? 3432 bytes
==============================================
>Stealth
==============================================
0xF7568000 WARNING: suspicious driver modification [atapi.sys::0x8733C298]
0xEC651730 Unknown thread object [ ETHREAD 0x863D7020 ] , 600 bytes



#9 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 October 2010 - 03:30 PM

Greetings

One or more of the identified infections is known as a Backdoor Trojan (TDSS rootkit) <-- please read

What this virus does:
QUOTE
Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.


What the virus can do:
QUOTE
Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.


This "could" allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine but I cannot guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

I would like you to do the following.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 WoundedFox

  • Topic Starter

  • Members
  • 54 posts

Posted 17 October 2010 - 03:33 PM

ESET Scanner Log 1 10/10/2010 1:03 AM

C:\My Backup -- 05-10-10 1107\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP318.tmp\aspapp\setup.exe probably a variant of Win32/Agent.MWCCTSP trojan cleaned by deleting - quarantined
C:\My Backup -- 05-10-10 1107\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP9D.tmp\aspapp\setup.exe probably a variant of Win32/Agent.JHVCYJA trojan cleaned by deleting - quarantined

ESET Scanner Log 2 10/10/2010 8:07 AM

C:\My Backup -- 05-10-10 1859\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4H6JO5E3\js[1].php JS/Kryptik.L.Gen trojan cleaned by deleting - quarantined
C:\My Backup -- 05-10-10 1859\WINDOWS\uyelucip.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined

MBAM Log 10/10/2010 6:24 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4763

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/10/2010 6:13:50 PM
mbam-log-2010-10-10 (18-13-50).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 527765
Time elapsed: 7 hour(s), 1 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

At this point, MBAM and McAfee were reporting that I was clean, but I knew that I wasn't because I was still seeing redirection of windowsupdate.microsoft.com, extra adware windows, misbehaving svchost.exe, etc. That's the end of the tools that I ran on my own before I gave up to wait for your assistance.

Next I will post the logs from the recent runs.

#11 WoundedFox

  • Topic Starter

  • Members
  • 54 posts

Posted 17 October 2010 - 03:35 PM

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 16:06 on 17/10/2010 (Emily)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

=============


DDS (Ver_10-10-10.03) - NTFSx86
Run by Emily at 16:07:02.90 on Sun 10/17/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.684 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Documents and Settings\Emily\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.gatewaybiz.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101007195709.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunKistEM] c:\program files\emachines bay reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286411046546
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\emily\applic~1\mozilla\firefox\profiles\swmlmbmj.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-24 386712]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-6 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-10-6 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-6 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-6 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-6 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-5 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-6 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-6 152992]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-6 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-6 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-10-6 88544]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\scott\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2010-10-6 70144]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-10-6 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-6 84264]

=============== Created Last 30 ================

2010-10-10 23:18:59 -------- d-----w- c:\docume~1\emily\locals~1\applic~1\Adobe
2010-10-10 13:31:39 -------- d-----w- c:\docume~1\emily\applic~1\Malwarebytes
2010-10-10 13:28:28 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-10-10 13:28:27 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2010-10-10 13:28:27 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2010-10-10 13:28:27 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2010-10-10 13:28:27 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2010-10-10 13:28:27 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2010-10-10 13:28:27 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2010-10-10 13:28:26 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2010-10-10 13:26:29 -------- d-----w- c:\docume~1\emily\locals~1\applic~1\Apple
2010-10-10 13:26:05 -------- d-----w- c:\docume~1\emily\locals~1\applic~1\Apple Computer
2010-10-10 13:18:00 -------- d-----w- c:\docume~1\emily\locals~1\applic~1\Mozilla
2010-10-10 01:51:16 -------- d-----w- c:\program files\ESET
2010-10-09 02:42:06 38912 ------w- c:\windows\system32\brinsstr.dll
2010-10-09 02:42:06 19361 ------w- c:\windows\system32\drivers\BrPar.sys
2010-10-09 02:42:03 651264 ------w- c:\windows\system32\brfxdial.dll
2010-10-09 02:42:02 131072 ----a-w- c:\windows\bruninst.dll
2010-10-09 02:42:02 -------- d-----w- c:\program files\Brother
2010-10-08 02:50:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-07 23:57:09 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2010-10-07 02:16:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-07 02:16:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-07 02:16:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-07 02:16:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-07 01:40:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-07 01:28:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-07 01:28:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-07 01:28:08 423656 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-06 04:09:13 -------- d-----w- c:\program files\McAfeeMOBK
2010-10-06 04:09:03 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-10-06 04:08:57 -------- d-----w- c:\program files\McAfee Online Backup
2010-10-06 04:07:21 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-06 04:07:13 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-10-06 04:07:12 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-10-06 04:07:12 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-06 04:07:12 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-06 04:07:12 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-06 04:07:12 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-06 04:07:12 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-06 04:07:06 -------- d-----w- c:\program files\common files\Mcafee
2010-10-06 04:07:05 -------- d-----w- c:\program files\McAfee.com
2010-10-06 04:06:48 -------- d-----w- c:\program files\McAfee
2010-10-06 03:33:00 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-10-06 03:27:02 -------- d-----w- c:\windows\system32\Lang
2010-10-06 02:36:37 24659 ----a-w- c:\windows\system32\aolddial.dll
2010-10-06 02:36:37 153088 ----a-w- c:\windows\system32\jgdwmie.dll
2010-10-06 02:36:35 54784 ----a-w- c:\windows\system32\Inetwh32.dll
2010-10-06 02:36:35 29184 ----a-w- c:\windows\system32\popup.ocx
2010-10-06 02:36:35 1044480 ----a-w- c:\windows\system32\roboex32.dll
2010-10-06 02:36:20 65536 ----a-w- c:\windows\wanmpsvc.exe
2010-10-06 02:36:16 33588 ----a-w- c:\windows\system32\drivers\wanatw4.sys
2010-10-06 02:36:15 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-10-06 02:36:11 -------- d-----w- c:\program files\common files\aolshare
2010-10-06 02:36:09 -------- d-----w- c:\program files\America Online 9.0
2010-10-06 02:36:00 -------- d-----w- c:\program files\common files\AOL
2010-10-06 02:35:54 140488 ----a-w- c:\windows\system32\comdlg32.ocx
2010-10-06 02:35:54 118976 ----a-w- c:\windows\system32\MSADODC.OCX
2010-10-06 02:35:52 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2010-10-06 02:35:52 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2010-10-06 02:35:52 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2010-10-06 02:35:52 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2010-10-06 02:35:52 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2010-10-06 02:35:52 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2010-10-06 02:35:52 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2010-10-06 02:35:52 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2010-10-06 02:35:44 46433 ----a-w- c:\windows\WBODA34I.DLL
2010-10-06 02:35:43 351526 ----a-w- c:\windows\WBDDA34I.DLL
2010-10-06 02:33:27 -------- d-----w- c:\program files\Program Shortcuts
2010-10-06 02:33:15 518520 ----a-w- c:\windows\vidres.exe
2010-10-06 02:32:01 -------- d-----w- c:\program files\Symantec
2010-10-06 02:31:56 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-10-06 02:31:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-10-06 02:31:37 66992 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2010-10-06 02:31:37 61440 ----a-w- c:\windows\system32\cdrtc.dll
2010-10-06 02:31:37 45056 ----a-w- c:\windows\system32\cdral.dll
2010-10-06 02:31:37 24698 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2010-10-06 02:31:37 -------- d-----w- c:\windows\DRIVERS
2010-10-06 02:31:36 -------- d-----w- c:\program files\Napster
2010-10-06 02:30:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Napster
2010-10-06 02:30:15 471298 ----a-w- c:\windows\wallpg.exe
2010-10-06 02:28:31 17956 ----a-w- c:\windows\BigFixClientOverride.dll
2010-10-06 02:28:30 -------- d-----w- c:\program files\BigFix
2010-10-06 02:28:22 -------- d-----w- c:\program files\Gateway
2010-10-06 02:28:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Prism Deploy
2010-10-06 02:28:21 -------- d-----w- c:\program files\common files\New Boundary
2010-10-06 02:27:17 -------- d-----w- c:\windows\system32\ReinstallBackups
2010-10-06 02:26:45 57344 ----a-w- c:\windows\system32\NeroBurnRights.cpl
2010-10-06 02:26:45 53248 ----a-w- c:\windows\system32\NeroCo.dll
2010-10-06 02:26:45 28080 ------w- c:\windows\system32\drivers\incdrm.sys
2010-10-06 02:26:45 1658880 ------w- c:\windows\UNNeroBurnRights.exe
2010-10-06 02:26:45 1658880 ------w- c:\windows\UNMRW.exe
2010-10-06 02:26:01 569344 ----a-w- c:\windows\system32\imagr5.dll
2010-10-06 02:26:01 544768 ----a-w- c:\windows\system32\imagx5.dll
2010-10-06 02:26:01 38912 ----a-w- c:\windows\system32\picn20.dll
2010-10-06 02:26:01 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-10-06 02:26:00 283920 ----a-w- c:\windows\system32\ImagXpr5.dll
2010-10-06 02:26:00 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-10-06 02:24:58 -------- d-----w- c:\program files\Marvell
2010-10-06 02:24:25 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-10-06 02:24:23 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-06 02:24:15 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-10-06 02:24:11 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-10-06 02:23:58 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-06 02:23:55 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-10-06 02:23:22 -------- d-----w- c:\program files\CONEXANT
2010-10-06 02:23:19 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2010-10-06 02:23:19 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-10-06 02:23:19 53248 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-10-06 02:22:39 26624 ----a-w- c:\windows\system32\drivers\usbehci.sys
2010-10-06 02:22:38 7168 ----a-w- c:\windows\system32\hccoin.dll
2010-10-06 02:02:43 -------- d-----w- c:\windows\creator
2010-10-06 02:02:37 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-10-06 02:02:37 685056 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2010-10-06 02:02:37 39018 ----a-w- c:\windows\system32\HSFCI011.dll
2010-10-06 02:02:37 220032 ----a-w- c:\windows\system32\drivers\HSFHWBS2.sys
2010-10-06 02:02:37 13059 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2010-10-06 02:02:37 1041536 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2010-10-06 02:02:36 -------- d-----w- c:\windows\SMINST
2010-10-06 02:02:15 -------- d-----r- C:\Program Files
2010-10-06 02:02:04 -------- d-----r- c:\documents and settings\all users\Documents
2010-10-06 02:01:50 -------- d-----r- c:\windows\Offline Web Pages
2010-10-06 01:59:48 -------- dcsh--r- c:\windows\system32\dllcache
2010-10-06 01:59:00 -------- d-----w- C:\My Backup -- 05-10-10 1859
2010-10-05 18:07:00 -------- d-----w- C:\My Backup -- 05-10-10 1107
2010-09-22 22:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-22 22:10:52 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-10-06 02:38:01 1409 ----a-w- c:\windows\QTFont.for
2010-10-06 02:37:04 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 16:08:09.57 ===============


==================================================



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/5/2010 11:26:07 PM
System Uptime: 10/17/2010 3:59:22 PM (1 hours ago)

Motherboard: Intel Corporation | | D915GSE
Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/800mhz
Processor: Intel® Pentium® 4 CPU 3.20GHz | | 3200/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 228 GiB total, 107.652 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 1.685 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is FIXED (NTFS) - 1863 GiB total, 1862.894 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 10/5/2010 11:26:11 PM - System Checkpoint
RP2: 10/5/2010 11:45:11 PM - Removed Cypress USB Mass Storage Driver Installation
RP3: 10/5/2010 11:45:15 PM - Removed Napster
RP4: 10/5/2010 11:46:46 PM - Removed Norton WMI Update
RP5: 10/6/2010 8:53:37 PM - Removed Adobe Reader 6.0
RP6: 10/6/2010 8:53:56 PM - Installed Adobe Reader 9.4.0.
RP7: 10/6/2010 9:27:17 PM - Installed Java™ 6 Update 21
RP8: 10/8/2010 10:42:09 PM - Printer Driver Brother PC-FAX Installed

==== Installed Programs ======================

Adobe AIR
Adobe Reader 9.4.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Apple Application Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Brother MFL Pro Suite
Do More
eMachines Bay Reader
ESET Online Scanner v3
High Definition Audio Driver Package - KB835221
InCD EasyWrite Reader
Java Auto Updater
Java™ 6 Update 21
Learn2 Player (Uninstall Only)
LiveUpdate 1.90 (Symantec Corporation)
Malwarebytes' Anti-Malware
Marvell Miniport Driver
McAfee Online Backup
McAfee Total Protection
McAfee Virtual Technician
Microsoft Office Basic Edition 2003
Mozilla Firefox (3.6.10)
Nero BurnRights
Nero OEM
PowerDVD
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Roxio Burn Engine
SoftV92 Data Fax Modem with SmartCP
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility

==== Event Viewer Messages From Past Week ========

10/17/2010 4:01:44 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3 00000001, parameter4 8511ac04.
10/10/2010 9:00:14 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
10/10/2010 8:20:55 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/10/2010 7:50:13 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/10/2010 7:49:43 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
10/10/2010 12:43:58 AM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 8 time(s).
10/10/2010 12:43:58 AM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 8 time(s).
10/10/2010 12:43:58 AM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 8 time(s).
10/10/2010 12:43:58 AM, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 8 time(s).
10/10/2010 12:43:58 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 8 time(s).
10/10/2010 12:43:58 AM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/10/2010 10:20:07 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
10/10/2010 10:01:41 AM, error: System Error [1003] - Error code 10000050, parameter1 e4c02000, parameter2 00000000, parameter3 ba688c3e, parameter4 00000001.

==== End Of File ===========================


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2269184 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2269184 bytes
0x804D7000 RAW 2269184 bytes
0x804D7000 WMIxWDM 2269184 bytes
0xBF087000 C:\WINDOWS\System32\ati3duag.dll 2256896 bytes (ATI Technologies Inc. , ati3duag.dll)
0xEE953000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 2244608 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF800000 Win32k 1839104 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1839104 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6E5B000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF703B000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 909312 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF6DB3000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF7271000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF2AE000 C:\WINDOWS\System32\ativvaxx.dll 483328 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xEE663000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7315000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xEE81C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xED0D0000 C:\WINDOWS\system32\DRIVERS\srv.sys 339968 bytes (Microsoft Corporation, Server driver)
0xF6C1B000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xEC599000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF04B000 C:\WINDOWS\System32\ati2cqag.dll 245760 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 233472 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF6F7D000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF6BBF000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xF7448000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xED23B000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7244000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF6FD6000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 184320 bytes (Marvell, NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller)
0xF73A3000 dac2w2k.sys 180224 bytes (Mylex Corporation, Mylex Disk Array Controller Driver)
0xEE6D2000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEC116000 C:\WINDOWS\system32\drivers\kmixer.sys 172032 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE7C0000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7003000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 147456 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0)
0xF6C66000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xEE618000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6F5A000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF6FB3000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xEE6FE000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEE7E8000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0xEE932000 C:\WINDOWS\system32\drivers\portcls.sys 135168 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x80701000 ACPI_HAL 134400 bytes
0x80701000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7384000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7418000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7229000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF73CF000 adpu160m.sys 102400 bytes (Microsoft Corporation, Adaptec Ultra160 SCSI miniport)
0xF73E8000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEE600000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7400000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF72FE000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6D63000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xECB46000 C:\WINDOWS\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)
0xEC94D000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6D7A000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xF6D9F000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7027000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEE874000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xEE809000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xEE8CF000 C:\WINDOWS\system32\DRIVERS\MOBK.sys 77824 bytes (Mozy, Inc., Mozy Change Monitor Filter Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7372000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF6D8E000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 69632 bytes (Roxio, CDR4_XP CDR Helper)
0xF7437000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6D2A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xEC61A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF75E7000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7657000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF71B9000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7219000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7587000 ohci1394.sys 61440 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7687000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xECAAE000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7209000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF74F7000 aic78u2.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra2 SCSI miniport)
0xF74C7000 aic78xx.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra SCSI miniport)
0xF7597000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7677000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7557000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7697000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF74B7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xECEE0000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xF7537000 ql12160.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF7527000 ql1280.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF76B7000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF75A7000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF75D7000 agpCPQ.sys 45056 bytes (Microsoft Corporation, CompatNT AGP Filter)
0xF75B7000 alim1541.sys 45056 bytes (Microsoft Corporation, ALi M1541 NT AGP Filter)
0xF75C7000 amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter)
0xF7667000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xED183000 C:\WINDOWS\system32\drivers\mfebopk.sys 45056 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF74A7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF76A7000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7567000 sisagp.sys 45056 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xF7577000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xF7707000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7517000 ql1080.sys 40960 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF74E7000 ql1240.sys 40960 bytes (Microsoft Corporation, QLogic ISP PCI Adapters)
0xF76D7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7547000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7189000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF6C9A000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7647000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7497000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76C7000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF71A9000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEC1C0000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF74D7000 ql10wnt.sys 36864 bytes (Microsoft Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xF7507000 ultra.sys 36864 bytes (Promise Technology, Inc., Promise Ultra66 Miniport Driver)
0xF71C9000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF77F7000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7857000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7747000 symc8xx.sys 32768 bytes (LSI Logic, Symbios 8XX SCSI Miniport Driver)
0xF7757000 sym_u3.sys 32768 bytes (LSI Logic, Symbios Ultra3 SCSI Miniport Driver)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF772F000 asc.sys 28672 bytes (Advanced System Products, Inc., AdvanSys SCSI Controller Driver)
0xF7807000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF781F000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF777F000 hpn.sys 28672 bytes (Microsoft Corporation, NetRAID-4M Miniport Driver)
0xF7717000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7777000 perc2.sys 28672 bytes (Microsoft Corporation, PERC 2 Miniport Driver)
0xF780F000 C:\WINDOWS\System32\Drivers\sunkfilt.sys 28672 bytes (Alcor Micro Corp., SunkFilt)
0xF774F000 sym_hi.sys 28672 bytes (LSI Logic, Symbios Hi-Perf SCSI Miniport Driver)
0xF77C7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF788F000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF7837000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF775F000 ABP480N5.SYS 24576 bytes (Microsoft Corporation, AdvanSys SCSI Controller Driver)
0xF7767000 asc3350p.sys 24576 bytes (Microsoft Corporation, AdvanSys SCSI Card Driver)
0xF786F000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)
0xF789F000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77AF000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF782F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7877000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xF776F000 dpti2o.sys 20480 bytes (Microsoft Corporation, DPT SmartRAID miniport)
0xF77B7000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF773F000 i2omp.sys 20480 bytes (Microsoft Corporation, I2O Miniport Driver)
0xF7737000 mraid35x.sys 20480 bytes (American Megatrends Inc., MegaRAID RAID Controller Driver for Windows Whistler 32)
0xF783F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF771F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF784F000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF785F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7727000 sparrow.sys 20480 bytes (Adaptec, Inc., Adaptec AIC-6x60 series SCSI miniport)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7897000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7827000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF78B3000 aha154x.sys 16384 bytes (Microsoft Corporation, Adaptec AHA-154x series SCSI miniport)
0xF78C3000 asc3550.sys 16384 bytes (Advanced System Products, Inc., AdvanSys Ultra-Wide PCI SCSI Driver)
0xF78CB000 cbidf2k.sys 16384 bytes (Microsoft Corporation, CardBus/PCMCIA IDE Miniport Driver)
0xF78AF000 cpqarray.sys 16384 bytes (Microsoft Corporation, Compaq Drive Array Controllers SCSI Miniport Driver)
0xF78BB000 dac960nt.sys 16384 bytes (Microsoft Corporation, Mylex Disk Array Controller Driver)
0xF78C7000 ini910u.sys 16384 bytes (Microsoft Corporation, INITIO ini910u SCSI miniport)
0xEE8AB000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7977000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xED460000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7165000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF78B7000 symc810.sys 16384 bytes (Symbios Logic Inc., Symbios Logic Inc. SCSI Miniport Driver)
0xF78BF000 amsint.sys 12288 bytes (Microsoft Corporation, AMD SCSI/NET Controller)
0xF78AB000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xEE897000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF6D47000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xED1CB000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF6D3B000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7149000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7141000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7999000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xF79B9000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0xF79D1000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF79A3000 cd20xrnt.sys 8192 bytes (Microsoft Corporation, IBM Portable CD-ROM Drive Miniport)
0xF799B000 cmdide.sys 8192 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
0xF79F5000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79CD000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF79C7000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xF79A1000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF79D5000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79A5000 perc2hib.sys 8192 bytes (Microsoft Corporation, PERC 2 Hibernate Driver)
0xF79D9000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79BB000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF799D000 toside.sys 8192 bytes (Microsoft Corporation, Toshiba PCI IDE Controller)
0xF79C3000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF799F000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7997000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x862CB000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7AF8000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7AF1000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7B52000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A5F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8634D298 ?_empty_? 3432 bytes
==============================================
>Stealth
==============================================
0xF73E8000 WARNING: suspicious driver modification [atapi.sys::0x8634D298]
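The two lines that matter in the RkU listing above are the "Hidden driver" entry and the Stealth warning, and the tell is that they carry the same address: the routine RkU found modified in atapi.sys now points at 0x8634D298, which is exactly where the unnamed 3432-byte driver object lives. The following parser is an added example (not RkU's own code and not part of the original post) that reads a listing in this shape and ties the two together. The sample text is constructed from lines copied out of the post; the atapi.sys line is constructed too (its base address is taken from the WARNING line, the size and description are placeholders), so the warning can be resolved back to a named driver.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the RkU (RKUnhooker) driver listing posted
# in this thread. Most lines are copied from the post; the atapi.sys line is
# constructed (base from the WARNING line, size and description placeholders).
SAMPLE_LOG = r"""
0xF73E8000 atapi.sys 96512 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF7547000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xEC1C0000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF79F5000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79B9000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0x862CB000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
!!!!!!!!!!!Hidden driver: 0x8634D298 ?_empty_? 3432 bytes
==============================================
>Stealth
==============================================
0xF73E8000 WARNING: suspicious driver modification [atapi.sys::0x8634D298]
"""

DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]+) (.+?) (\d+) bytes(?: \((.*)\))?$")
HIDDEN_RE = re.compile(r"^!+Hidden driver: (0x[0-9A-Fa-f]+) (\S+) (\d+) bytes$")
WARN_RE = re.compile(r"^(0x[0-9A-Fa-f]+) WARNING: (.+?) \[(.+?)::(0x[0-9A-Fa-f]+)\]$")


@dataclass
class Driver:
    base: int                # load address as RkU printed it
    name: str                # full path, or bare file name for boot-start drivers
    size: int
    vendor: Optional[str]    # text inside the trailing parentheses, if any
    hidden: bool = False     # True for RkU's "Hidden driver" entries


@dataclass
class StealthWarning:
    base: int      # base of the driver RkU found modified
    text: str      # e.g. "suspicious driver modification"
    driver: str    # image name RkU attributes that base to
    target: int    # address the modified routine now points at


def parse_rku(text: str):
    """Split an RkU driver listing into driver records and stealth warnings."""
    drivers, warnings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := WARN_RE.match(line):
            warnings.append(StealthWarning(int(m[1], 16), m[2], m[3], int(m[4], 16)))
        elif m := HIDDEN_RE.match(line):
            drivers.append(Driver(int(m[1], 16), m[2], int(m[3]), None, hidden=True))
        elif m := DRIVER_RE.match(line):
            drivers.append(Driver(int(m[1], 16), m[2], int(m[3]), m[4]))
        # section banners ("====", ">Stealth") and blank lines fall through
    return drivers, warnings


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(drivers, warnings):
    """Turn the parsed listing into prioritised findings, one string each."""
    by_base = {d.base: d for d in drivers}
    findings = []
    for d in drivers:
        if d.hidden:
            findings.append(
                f"HIGH hidden driver object at {d.base:#010x}, {d.size} bytes, no image name"
            )
    for w in warnings:
        hooked = by_base.get(w.base)
        shown = image_name(hooked.name) if hooked else w.driver
        msg = f"HIGH {w.text}: {shown} (base {w.base:#010x}) now points into {w.target:#010x}"
        target = by_base.get(w.target)
        if target is not None and target.hidden:
            # same address as the hidden entry: the hook lands in unnamed code
            msg += "; that address is the hidden driver, so the hook lands in unnamed code"
        findings.append(msg)
    for d in drivers:
        if d.hidden:
            continue
        name = image_name(d.name)
        if d.vendor == "RKU Driver":
            findings.append(f"INFO {name} is the scanner's own driver")
        elif d.vendor is None and not name.lower().startswith("dump_"):
            # dump_* entries are the crash-dump copies of the storage stack and
            # carry no version info; anything else without it deserves a look
            findings.append(f"INFO {name} carries no version info")
    return findings


if __name__ == "__main__":
    drv, warn = parse_rku(SAMPLE_LOG)
    for line in triage(drv, warn):
        print(line)
```

Run against the sample, the triage reports the hidden object, the atapi.sys modification resolved to that same object, and notes Normandy.SYS as RkU's own driver; the dozens of boot-start drivers listed without a path are ordinary and produce nothing. A listing where a warning's target does not line up with any hidden entry is still worth attention, it just means the parser cannot name the code the hook jumps into.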

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico


Posted 17 October 2010 - 03:56 PM

Greetings

One or more of the identified infections is known as a Backdoor Trojan - TDSS rootkit <-- please read

What this virus does.
QUOTE
Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.


What the virus can do.
QUOTE
Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.


This "could" allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine but I cannot guarantee that it will be 100% secure afterwards. If you would like to continue, then follow the steps below; otherwise please let me know.

I Would like you to do the following.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
    In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 WoundedFox

  • Topic Starter
  • Members
  • 54 posts


Posted 17 October 2010 - 04:04 PM

I moved ComboFix over to the infected computer on the external HDD, and I started to run it. I canceled out at the warning screen because I realized that McAfee was still active. I disabled McAfee real-time scanning and firewall both (it isn't connected to the network anyway right now) and I ran ComboFix again.

It got to "Attempting to create a System Restore Point", popped up a window with some scrollbars that went across quickly, and then popped a dialog box. It wants to install Windows Recovery Console. Ugh. I am going to connect to the network as briefly as possible and try it.

Here goes...

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico


Posted 17 October 2010 - 04:06 PM

Hello

Go ahead and stay connected during the whole scan. If something new comes along I will remove it too. At this time it is best to allow Combofix to do what it wants.



Gringo

#15 WoundedFox

  • Topic Starter
  • Members
  • 54 posts


Posted 17 October 2010 - 04:14 PM

OK, I connected the network, verified that it was working by pinging www.yahoo.com in a command window, and then clicked yes to proceed.

It downloaded. I accepted the EULA.
Something got installed.

It didn't seem to be doing much of anything, so I popped up the Task Manager process list. The machine shows basically idle, and I don't see ComboFix running.

I do see a bit of activity by ATTRIB.cfxxe, and CF2610.cfxxe. Hopefully those are it, and it is still doing something. I am sure that I have not clicked in the ComboFix window.
