Windows Automatic Updates disabled and Google re-direct problem


  • This topic is locked
16 replies to this topic

#1 Kristen D

  • Members
  • 7 posts

Posted 08 May 2011 - 11:03 PM

I received a pop-up from McAfee saying a trojan was detected and removed and I needed to restart my computer. Upon restart I immediately updated and ran Malwarebytes, which found and quarantined 26 problems. When I attempted to remove the problems, a fake security warning popped up telling me that Malwarebytes was trying to hijack my system. I proceeded with trying to remove the trojans and restart my computer and it seemed to work. This time when I restarted, scans revealed no problems and, other than my Windows Automatic Updates being disabled, everything looked normal. I opened a browser to find out what to do about the auto-update problem and every time I searched I was redirected to a different page instead of what I was trying to get to. Thank you for your help.



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Kristen D at 17:23:25.87 on Sun 05/08/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1283 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Kristen D\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101103182752.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IDTSysTrayApp] sttray.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\documents and settings\kristen d\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\documents and settings\kristen d\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wn111\wn111.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259694083156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\kriste~1\applic~1\mozilla\firefox\profiles\sonyrf3f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\kristen d\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: XULRunner: {7375C511-C696-4942-A46B-FD69B7BFACCE} - c:\documents and settings\kristen d\local settings\application data\{7375C511-C696-4942-A46B-FD69B7BFACCE}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: yogurttree: theme@yogurttree.com - %profile%\extensions\theme@yogurttree.com
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-27 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-27 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-3 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-27 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-27 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-27 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-27 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-27 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-27 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-27 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-27 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-27 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-27 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-27 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-27 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-27 84264]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
.
=============== Created Last 30 ================
.
2011-05-08 23:10:59 54016 ----a-w- c:\windows\system32\drivers\rjnvkdux.sys
2011-05-08 19:09:32 0 ----a-w- c:\windows\Kqelusovom.bin
2011-05-08 19:09:30 -------- d-----w- c:\docume~1\kriste~1\locals~1\applic~1\{7375C511-C696-4942-A46B-FD69B7BFACCE}
2011-05-08 19:04:18 -------- d-----w- c:\docume~1\kriste~1\applic~1\C665F608760F5FCC1327D8B851DA7C20
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ------w- c:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ------w- c:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
============= FINISH: 17:24:18.59 ===============


GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-08 21:03:03
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 WDC_WD1600JS-75NCB1 rev.10.02E01
Running: gmer.exe; Driver: C:\DOCUME~1\KRISTE~1\LOCALS~1\Temp\fwldqpoc.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9ED50E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9ED50F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9ED5120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9ED5176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9ED50CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9ED50A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9ED50B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9ED510A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9ED514C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9ED5136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9ED51A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9ED518C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9ED5160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP B9ED5164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A75C4 7 Bytes JMP B9ED517A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A83DA 5 Bytes JMP B9ED5190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805B6114 5 Bytes JMP B9ED5150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C13F8 5 Bytes JMP B9ED50A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C1684 5 Bytes JMP B9ED50BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8DA6 5 Bytes JMP B9ED51A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 8061925E 7 Bytes JMP B9ED513A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 8061A70E 7 Bytes JMP B9ED510E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061ACEC 5 Bytes JMP B9ED50E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061B188 7 Bytes JMP B9ED50F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061B358 7 Bytes JMP B9ED5124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061C0CA 5 Bytes JMP B9ED50D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? mwivp.sys The system cannot find the file specified. !
? C:\DOCUME~1\KRISTE~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[360] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\System32\svchost.exe[404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00900FDE
.text C:\WINDOWS\System32\svchost.exe[404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0091
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0076
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F9E
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0051
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F70
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F81
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F29
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F3A
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00DD
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA001B
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA00AC
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0036
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\System32\svchost.exe[404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F55
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90025
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B90FAF
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B9000A
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B9006C
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B90051
.text C:\WINDOWS\System32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90036
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0093005A
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930049
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0093002E
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FE3
.text C:\WINDOWS\System32\svchost.exe[404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0093001D
.text C:\WINDOWS\System32\svchost.exe[404] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00910FEF
.text C:\WINDOWS\System32\svchost.exe[404] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[404] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0091001B
.text C:\WINDOWS\System32\svchost.exe[404] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00910FD4
.text C:\WINDOWS\System32\svchost.exe[404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\services.exe[1056] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1056] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040022
.text C:\WINDOWS\system32\services.exe[1056] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040011
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0090005D
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0090004C
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900F72
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900F83
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FA5
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900093
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F4D
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900F15
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000AE
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F04
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900F94
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900078
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\services.exe[1056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F30
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0007001E
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070065
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F9C
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060031
.text C:\WINDOWS\system32\services.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[1056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[1068] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\lsass.exe[1068] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\lsass.exe[1068] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC0014
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E50F54
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E50F65
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50F80
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50F91
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E50FB6
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E50064
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E50F28
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E500A4
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E50F01
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E500B5
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E5003D
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E50011
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E50F39
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E50FDB
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50022
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E5007F
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0087
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]
.text C:\WINDOWS\system32\lsass.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F9C
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FAD
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE000C
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0027
.text C:\WINDOWS\system32\lsass.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\lsass.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FD0FB9
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02420000
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02420067
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02420F7C
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02420056
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02420F8D
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02420FC3
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024200A6
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02420089
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02420F28
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02420F39
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024200E6
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02420FA8
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0242001B
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02420078
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02420FD4
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02420FEF
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024200B7
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02410FD4
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02410051
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02410025
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02410FE5
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02410F94
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02410000
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02410040
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02410FB9
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FBE
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0049
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0038
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF001D
.text C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A40FC3
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B10F6B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B10F86
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10054
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10F97
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10FC3
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10F3F
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F50
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B100C4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B100B3
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B100D5
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B10FB2
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B1007B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B10FD4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B10025
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B100A2
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A70073
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A70FCA
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A70062
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A70047
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A7002C
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60F8B
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60FA6
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A6000C
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60FB7
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FD2
.text C:\WINDOWS\system32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A50000
.text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03A1000A
.text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03A10FE5
.text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03A1001B
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03A6000A
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03A60F79
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03A60F94
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03A6006E
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03A60047
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03A60FA5
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03A60F43
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03A60F54
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03A60F0D
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03A60F28
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03A600CB
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03A60036
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03A60FE5
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03A6007F
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03A60FCA
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03A6001B
.text C:\WINDOWS\System32\svchost.exe[1500] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03A600A6
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03A5001B
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03A50051
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03A50FCA
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03A50FDB
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03A50040
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03A50000
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03A50F9E
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C5, 8B]
.text C:\WINDOWS\System32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03A50FAF
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03A40FB4
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!system 77C293C7 5 Bytes JMP 03A4003F
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03A4001D
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03A40FEF
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03A4002E
.text C:\WINDOWS\System32\svchost.exe[1500] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03A4000C
.text C:\WINDOWS\System32\svchost.exe[1500] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03A30000
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 03A2000A
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 03A20025
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 03A20036
.text C:\WINDOWS\System32\svchost.exe[1500] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 03A20047
.text C:\WINDOWS\System32\svchost.exe[1552] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\System32\svchost.exe[1552] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\System32\svchost.exe[1552] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D30F79
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D3006E
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D3005D
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30040
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D30025
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D3009A
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D30F52
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D30F12
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D30F2D
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D300C6
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D30FA8
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D3000A
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D30089
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D30FB9
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D30FCA
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D300AB
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D20FB9
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D20039
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D2000A
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D20F72
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D20F8D
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F2, 88]
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D20F9E
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10036
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FAB
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D1001B
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10FE3
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10FC6
.text C:\WINDOWS\System32\svchost.exe[1552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D10000
.text C:\WINDOWS\System32\svchost.exe[1552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00000
.text C:\WINDOWS\System32\svchost.exe[1640] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\System32\svchost.exe[1640] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\System32\svchost.exe[1640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0085
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F86
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0060
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0039
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FA1
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00C2
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA00B1
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00DD
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F44
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA00EE
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0028
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA00A0
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0FB2
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FCD
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0F5F
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FA8
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B9004A
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B9002F
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B9001E
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90F97
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80069
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80044
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B8000C
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B80029
.text C:\WINDOWS\System32\svchost.exe[1640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\Explorer.EXE[2020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01420FEF
.text C:\WINDOWS\Explorer.EXE[2020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01420025
.text C:\WINDOWS\Explorer.EXE[2020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01420000
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02A90000
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02A9009A
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02A90089
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02A90FA5
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02A90062
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02A90047
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02A900CB
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02A90F79
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02A90108
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02A900F7
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02A9012D
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02A90FB6
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02A90011
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02A90F8A
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02A90FDB
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02A9002C
.text C:\WINDOWS\Explorer.EXE[2020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02A900DC
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 029D0036
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 029D006C
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 029D0FDB
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 029D0011
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 029D0FAF
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 029D0000
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 029D0FCA
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BD, 8A]
.text C:\WINDOWS\Explorer.EXE[2020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 029D0051
.text C:\WINDOWS\Explorer.EXE[2020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01720049
.text C:\WINDOWS\Explorer.EXE[2020] msvcrt.dll!system 77C293C7 5 Bytes JMP 01720FBE
.text C:\WINDOWS\Explorer.EXE[2020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0172002E
.text C:\WINDOWS\Explorer.EXE[2020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01720000
.text C:\WINDOWS\Explorer.EXE[2020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01720FCF
.text C:\WINDOWS\Explorer.EXE[2020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0172001D
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01450FEF
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01450014
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01450FDE
.text C:\WINDOWS\Explorer.EXE[2020] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 01450FC3
.text C:\WINDOWS\Explorer.EXE[2020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 014A0000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[2556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[2556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2956] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BE0000
.text C:\WINDOWS\System32\svchost.exe[2956] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BE002C
.text C:\WINDOWS\System32\svchost.exe[2956] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE001B
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10F4B
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10F66
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10F77
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10F94
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10FAF
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F1F
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F30
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10EE9
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10082
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10ECE
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10036
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FDB
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C1005B
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C1001B
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10FC0
.text C:\WINDOWS\System32\svchost.exe[2956] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F04
.text C:\WINDOWS\System32\svchost.exe[2956] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00F94
.text C:\WINDOWS\System32\svchost.exe[2956] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00036
.text C:\WINDOWS\System32\svchost.exe[2956] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\System32\svchost.exe[2956] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\System32\svchost.exe[2956] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00025
.text C:\WINDOWS\System32\svchost.exe[2956] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\System32\svchost.exe[2956] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\svchost.exe[2956] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00F83
.text C:\WINDOWS\System32\svchost.exe[2956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0053
.text C:\WINDOWS\System32\svchost.exe[2956] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0042
.text C:\WINDOWS\System32\svchost.exe[2956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0FD2
.text C:\WINDOWS\System32\svchost.exe[2956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\System32\svchost.exe[2956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0031
.text C:\WINDOWS\System32\svchost.exe[2956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----



#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:54 PM

Posted 09 May 2011 - 04:36 AM

Welcome to BC!

Step 1.
RKU:

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Step 2.
aswMBR:

  • Download aswMBR.exe (511KB) to your desktop.
  • Double-click aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


Step 3.
Things I would like to see in your reply:

  • The content of this file : C:\Documents and Settings\Kristen D\My Documents\Downloads\Attach.txt from when you ran DDS.
  • The content of the log from RKU in step 1.
  • The content of the log from aswMBR in step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donate link.


#3 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:54 PM

Posted 13 May 2011 - 02:44 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:54 PM

Posted 13 May 2011 - 02:58 PM

Topic opened on users request.



#5 Kristen D

Kristen D
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:54 AM

Posted 13 May 2011 - 03:01 PM

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/1/2009 10:33:37 AM
System Uptime: 5/8/2011 3:54:48 PM (2 hours ago)
.
Motherboard: Dell Inc. | | 0JC474
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 91.26 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is Removable
G: is Removable
H: is FIXED (FAT32) - 5 GiB total, 1.009 GiB free.
I: is CDROM (CDFS)
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP424: 2/8/2011 5:35:07 AM - System Checkpoint
RP425: 2/9/2011 8:47:42 PM - System Checkpoint
RP426: 2/10/2011 3:00:18 AM - Software Distribution Service 3.0
RP427: 2/11/2011 3:29:41 AM - System Checkpoint
RP428: 2/12/2011 3:39:32 AM - System Checkpoint
RP429: 2/13/2011 1:27:55 PM - System Checkpoint
RP430: 2/14/2011 5:12:39 PM - System Checkpoint
RP431: 2/15/2011 5:22:21 PM - System Checkpoint
RP432: 2/16/2011 6:23:26 PM - System Checkpoint
RP433: 2/17/2011 7:21:11 PM - System Checkpoint
RP434: 2/18/2011 3:00:15 AM - Software Distribution Service 3.0
RP435: 2/19/2011 3:21:11 AM - System Checkpoint
RP436: 2/20/2011 3:22:16 AM - System Checkpoint
RP437: 2/21/2011 4:21:11 AM - System Checkpoint
RP438: 2/22/2011 4:49:27 AM - System Checkpoint
RP439: 2/23/2011 5:49:27 AM - System Checkpoint
RP440: 2/24/2011 6:49:29 AM - System Checkpoint
RP441: 2/25/2011 8:15:56 AM - System Checkpoint
RP442: 2/26/2011 8:49:27 AM - System Checkpoint
RP443: 2/27/2011 9:09:31 AM - System Checkpoint
RP444: 2/28/2011 12:10:25 PM - System Checkpoint
RP445: 3/1/2011 6:31:00 PM - System Checkpoint
RP446: 3/2/2011 6:54:08 PM - System Checkpoint
RP447: 3/3/2011 7:15:22 PM - System Checkpoint
RP448: 3/4/2011 7:35:50 PM - System Checkpoint
RP449: 3/5/2011 8:38:21 PM - System Checkpoint
RP450: 3/6/2011 9:36:55 PM - System Checkpoint
RP451: 3/7/2011 10:36:56 PM - System Checkpoint
RP452: 3/8/2011 10:50:23 PM - System Checkpoint
RP453: 3/9/2011 3:00:25 AM - Software Distribution Service 3.0
RP454: 3/10/2011 3:19:08 AM - System Checkpoint
RP455: 3/11/2011 3:35:48 AM - System Checkpoint
RP456: 3/12/2011 4:35:48 AM - System Checkpoint
RP457: 3/13/2011 5:25:36 PM - System Checkpoint
RP458: 3/14/2011 8:11:17 PM - System Checkpoint
RP459: 3/15/2011 8:15:39 PM - System Checkpoint
RP460: 3/16/2011 3:00:15 AM - Software Distribution Service 3.0
RP461: 3/17/2011 3:20:55 AM - System Checkpoint
RP462: 3/18/2011 4:20:52 AM - System Checkpoint
RP463: 3/19/2011 5:20:53 AM - System Checkpoint
RP464: 3/20/2011 6:20:52 AM - System Checkpoint
RP465: 3/21/2011 7:20:52 AM - System Checkpoint
RP466: 3/22/2011 7:49:00 AM - System Checkpoint
RP467: 3/23/2011 8:49:00 AM - System Checkpoint
RP468: 3/24/2011 3:00:14 AM - Software Distribution Service 3.0
RP469: 3/25/2011 3:48:59 AM - System Checkpoint
RP470: 3/26/2011 4:49:02 AM - System Checkpoint
RP471: 3/27/2011 5:40:20 AM - System Checkpoint
RP472: 3/28/2011 6:40:19 AM - System Checkpoint
RP473: 3/29/2011 7:55:06 AM - System Checkpoint
RP474: 3/30/2011 8:40:19 AM - System Checkpoint
RP475: 3/31/2011 9:40:20 AM - System Checkpoint
RP476: 4/1/2011 10:53:21 AM - System Checkpoint
RP477: 4/2/2011 11:40:20 AM - System Checkpoint
RP478: 4/3/2011 12:32:50 PM - System Checkpoint
RP479: 4/4/2011 12:52:49 PM - System Checkpoint
RP480: 4/5/2011 1:07:50 PM - System Checkpoint
RP481: 4/6/2011 1:53:19 PM - System Checkpoint
RP482: 4/7/2011 3:03:37 PM - System Checkpoint
RP483: 4/8/2011 7:00:32 PM - System Checkpoint
RP484: 4/9/2011 8:24:43 PM - System Checkpoint
RP485: 4/10/2011 8:49:08 PM - System Checkpoint
RP486: 4/11/2011 9:49:08 PM - System Checkpoint
RP487: 4/12/2011 9:55:18 PM - System Checkpoint
RP488: 4/13/2011 10:49:08 PM - System Checkpoint
RP489: 4/14/2011 3:00:30 AM - Software Distribution Service 3.0
RP490: 4/15/2011 3:31:09 AM - System Checkpoint
RP491: 4/16/2011 4:43:10 AM - System Checkpoint
RP492: 4/17/2011 5:31:09 AM - System Checkpoint
RP493: 4/18/2011 6:11:24 AM - System Checkpoint
RP494: 4/19/2011 8:04:35 AM - System Checkpoint
RP495: 4/20/2011 8:11:24 AM - System Checkpoint
RP496: 4/21/2011 6:28:57 PM - System Checkpoint
RP497: 4/22/2011 3:00:17 AM - Software Distribution Service 3.0
RP498: 4/23/2011 9:40:08 AM - System Checkpoint
RP499: 4/24/2011 10:11:24 AM - System Checkpoint
RP500: 4/25/2011 10:16:09 AM - System Checkpoint
RP501: 4/26/2011 10:18:15 AM - System Checkpoint
RP502: 4/27/2011 3:00:15 AM - Software Distribution Service 3.0
RP503: 4/28/2011 3:18:15 AM - System Checkpoint
RP504: 4/29/2011 8:54:21 AM - System Checkpoint
RP505: 4/30/2011 9:18:15 AM - System Checkpoint
RP506: 5/1/2011 10:44:19 AM - System Checkpoint
RP507: 5/2/2011 11:18:15 AM - System Checkpoint
RP508: 5/3/2011 12:30:47 PM - System Checkpoint
RP509: 5/4/2011 12:58:20 PM - System Checkpoint
RP510: 5/5/2011 3:02:26 PM - System Checkpoint
RP511: 5/6/2011 3:18:15 PM - System Checkpoint
RP512: 5/7/2011 3:28:54 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
32 bit Windows Card Reader Driver
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.4.2
Adobe Shockwave Player 11.5
Amazon Kindle For PC
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
ATI Parental Control
ATI Parental Control & Encoder
Audacity 1.2.6
Bonjour
Canon Easy-WebPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 3.0
Canon MP490 series MP Drivers
Canon MP490 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Civilization III
Civilization III: Conquests
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Defraggler
Dell Photo AIO Printer 924
Dell Support Center (Support Software)
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
Facebook Plug-In
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
iTunes
Java Auto Updater
Java™ 6 Update 19
LADSPA_plugins-win-0.4.15
Malwarebytes' Anti-Malware
McAfee AntiVirus Plus
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.17)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NETGEAR WN111 wireless USB 2.0 adapter
Pattern Maker for cross stitch - v4
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sid Meier's Civilization 4
SigmaTel Audio
SimCity 4 Deluxe
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims™ 2 Bon Voyage
The Sims™ 2 IKEA® Home Stuff
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== End Of File ===========================

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2069376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2069376 bytes
0x804D7000 RAW 2069376 bytes
0x804D7000 WMIxWDM 2069376 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB96F4000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1167360 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA933C000 C:\WINDOWS\system32\drivers\sthda.sys 1015808 bytes (SigmaTel, Inc., NDRC)
0xBF07E000 C:\WINDOWS\System32\ialmdd5.DLL 983040 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xB9DE9000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA916C000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB94F6000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB9EA2000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)
0xA928C000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA85F9000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB957C000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)
0xBF16E000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA7FCC000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF043000 C:\WINDOWS\System32\ialmdev5.DLL 241664 bytes (Intel Corporation, Component GHAL Driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA86C9000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9DBC000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA7A41000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA91DC000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB96B8000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA9229000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB966E000 C:\WINDOWS\System32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xA9120000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB95EB000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xA9318000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9694000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB964B000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA9207000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF021000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806D1000 ACPI_HAL 131840 bytes
0x806D1000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9DA2000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA7A6C000 C:\DOCUME~1\KRISTE~1\LOCALS~1\Temp\fwldqpoc.sys 102400 bytes
0xA8F9A000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xA8F81000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA9108000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9E76000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9620000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA7D83000 C:\WINDOWS\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)
0xB9E8D000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xA8FB3000 C:\WINDOWS\system32\dla\tfsnifs.sys 86016 bytes (Sonic Solutions, Drive Letter Access Component)
0xA8C4C000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9637000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)
0xB96E0000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA92E5000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xA9279000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB960F000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA178000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA248000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA2F8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 61440 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xBA258000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA8EE9000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA2E8000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0A8000 mwivp.sys 57344 bytes
0xBA0F8000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA278000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0D8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xA82A1000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)
0xBA298000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB98A1000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA268000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xA7E8C000 C:\WINDOWS\system32\drivers\mfebopk.sys 45056 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xBA0C8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA288000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB9851000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xBA0B8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA2C8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA108000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA2B8000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0E8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB9861000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA238000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA2A8000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA128000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA7E31000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB9841000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9891000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA358000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA360000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA448000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA4A8000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA498000 C:\DOCUME~1\KRISTE~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xBA328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3D8000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA368000 C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA450000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA470000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA478000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA4A0000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xBA440000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA4B0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA350000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA460000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA468000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA458000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3B8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA590000 C:\WINDOWS\system32\ckldrv.sys 16384 bytes
0xB9D6D000 C:\WINDOWS\System32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB98B5000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA8FF8000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA9050000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB98B9000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA59C000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA8661000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xBA5A0000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D55000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA56C000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5F6000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5CC000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5F4000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5F8000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5FA000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5E8000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xBA5EE000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5D4000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA5F0000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA6EF000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA710000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7ED000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA77D000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA77C000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
==============================================
>Stealth
==============================================
0x03D60000 Hidden Image-->SupportSoft.Agent.Sprocket.dll [ EPROCESS 0x89E00BE0 ] PID: 508, 28672 bytes
0x03B40000 Hidden Image-->SupportSoft.Agent.Sprocket.SupportMessage.dll [ EPROCESS 0x89E00BE0 ] PID: 508, 45056 bytes
0x02E00000 Hidden Image-->sprtmessage.dll [ EPROCESS 0x89E00BE0 ] PID: 508, 77824 bytes

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-13 12:57:05
-----------------------------
12:57:05.703 OS Version: Windows 5.1.2600 Service Pack 3
12:57:05.703 Number of processors: 1 586 0x403
12:57:05.703 ComputerName: KRISTEN UserName:
12:57:06.328 Initialize success
12:57:14.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
12:57:14.468 Disk 0 Vendor: WDC_WD1600JS-75NCB1 10.02E01 Size: 152587MB BusType: 3
12:57:16.515 Disk 0 MBR read successfully
12:57:16.515 Disk 0 MBR scan
12:57:16.515 Disk 0 Windows XP default MBR code
12:57:18.515 Disk 0 scanning sectors +312496380
12:57:18.593 Disk 0 scanning C:\WINDOWS\system32\drivers
12:57:36.687 Service scanning
12:57:37.562 Disk 0 trace - called modules:
12:57:37.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
12:57:37.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7adab8]
12:57:37.562 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a7fed98]
12:57:37.562 Scan finished successfully
12:59:28.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kristen D\Desktop\MBR.dat"
12:59:28.890 The log file has been saved successfully to "C:\Documents and Settings\Kristen D\Desktop\aswMBR.txt"

#6 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:07:54 PM

Posted 14 May 2011 - 03:47 AM

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#7 Kristen D

Kristen D
  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:54 AM

Posted 14 May 2011 - 01:27 PM

ComboFix 11-05-13.03 - Kristen D 05/14/2011 11:07:11.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1560 [GMT -7:00]
Running from: c:\documents and settings\Kristen D\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kristen D\Application Data\Adobe\plugs
c:\documents and settings\Kristen D\Application Data\Adobe\shed
c:\documents and settings\Kristen D\Application Data\Local
c:\documents and settings\Kristen D\Application Data\Local\Temp\DDM\Settings\0.ddi
c:\documents and settings\Kristen D\Application Data\Local\Temp\DDM\Settings\1.ddi
c:\documents and settings\Kristen D\Application Data\Local\Temp\DDM\Settings\doctor_who_2005_2005.6x01.the_impossible_astronaut_part1.hdtv_xvid-fov_ns.avi.ddr
c:\documents and settings\Kristen D\Application Data\Local\Temp\DDM\Settings\Inception_Trailer_NEW.divx.ddr
c:\documents and settings\Kristen D\Application Data\Local\Temp\DDM\Settings\settings.ddi
c:\documents and settings\Kristen D\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\doctor_who_2005_2005.6x01.the_impossible_astronaut_part1.hdtv_xvid-fov_ns.avi.ddp
c:\documents and settings\Kristen D\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Inception_Trailer_NEW.divx
c:\documents and settings\Kristen D\Local Settings\Application Data\{7375C511-C696-4942-A46B-FD69B7BFACCE}
c:\documents and settings\Kristen D\Local Settings\Application Data\{7375C511-C696-4942-A46B-FD69B7BFACCE}\chrome.manifest
c:\documents and settings\Kristen D\Local Settings\Application Data\{7375C511-C696-4942-A46B-FD69B7BFACCE}\chrome\content\_cfg.js
c:\documents and settings\Kristen D\Local Settings\Application Data\{7375C511-C696-4942-A46B-FD69B7BFACCE}\chrome\content\overlay.xul
c:\documents and settings\Kristen D\Local Settings\Application Data\{7375C511-C696-4942-A46B-FD69B7BFACCE}\install.rdf
c:\documents and settings\Kristen D\WINDOWS
c:\windows\system32\drivers\1028_DELL_XPS_Dell DV051 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DV051 .MRK
.
.
((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))
.
.
2011-05-08 19:09 . 2011-05-08 19:09 0 ----a-w- c:\windows\Kqelusovom.bin
2011-05-08 19:04 . 2011-05-08 19:04 -------- d-----w- c:\documents and settings\Kristen D\Application Data\C665F608760F5FCC1327D8B851DA7C20
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-12-01 18:28 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2003-07-16 20:49 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 20:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2003-07-16 20:51 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2003-07-16 20:30 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2003-07-16 20:34 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2003-07-16 20:46 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-12-02 15:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-04 05:59 389120 ------w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2003-07-16 20:24 290432 ----a-w- c:\windows\system32\atmfd.dll
2010-10-14 05:28 . 2010-11-04 01:27 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
.
c:\documents and settings\Kristen D\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2010-5-13 225280]
PowerReg Scheduler.exe [2010-5-13 256000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-3 113664]
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2007-8-27 1343488]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/27/2010 6:55 AM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/3/2009 4:43 PM 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:55 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:55 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/27/2010 6:56 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/27/2010 6:55 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/27/2010 6:55 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/27/2010 6:55 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:55 AM 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:55 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/27/2010 6:55 AM 84264]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kristen D\Application Data\Mozilla\Firefox\Profiles\sonyrf3f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: yogurttree: theme@yogurttree.com - %profile%\extensions\theme@yogurttree.com
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-14 11:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Kristen D\Application Data\Mozilla\Firefox\Profiles\sonyrf3f.default\prefs.js.BAK 1075860 bytes
c:\documents and settings\Kristen D\Application Data\Mozilla\Firefox\Profiles\sonyrf3f.default\user.js.BAK 56 bytes
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2520)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dlcccoms.exe
.
**************************************************************************
.
Completion time: 2011-05-14 11:25:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-14 18:25
.
Pre-Run: 97,923,833,856 bytes free
Post-Run: 99,892,039,680 bytes free
.
- - End Of File - - AD67B744BAA15F7AD4499604794325E0

#8 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:54 PM

Posted 14 May 2011 - 02:00 PM

Step 1.
Filescans:

Please go to: VirusTotal

  • On the page you'll find a Browse button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

    c:\Qoobox\Quarantine\C\windows\system32\drivers\1028_DELL_XPS_Dell DV051 .MRK.vir

  • Next, click the Open button.
  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


Please repeat for the following file:
c:\Qoobox\Quarantine\C\windows\system32\drivers\DELL_XPS_Dell DV051 .MRK.vir


Step 2.
CFScript:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\Kqelusovom.bin
DirLook::
c:\documents and settings\Kristen D\Application Data\C665F608760F5FCC1327D8B851DA7C20
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications"=-

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.
Things I would like to see in your reply:

  • The links to the results from the filescans in step 1.
  • The content of C:\ComboFix.txt from step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#9 Kristen D

Kristen D
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 14 May 2011 - 03:24 PM

http://www.virustotal.com/file-scan/report.html?id=9377fd1e115548f004d3f9501c206590c7d9bbfb0b7d5835c60987a92c811db6-1305403397

http://www.virustotal.com/file-scan/report.html?id=9377fd1e115548f004d3f9501c206590c7d9bbfb0b7d5835c60987a92c811db6-1305403470


ComboFix 11-05-13.03 - Kristen D 05/14/2011 13:15:15.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1599 [GMT -7:00]
Running from: c:\documents and settings\Kristen D\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kristen D\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\windows\Kqelusovom.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Kqelusovom.bin
.
.
((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))
.
.
2011-05-08 19:04 . 2011-05-08 19:04 -------- d-----w- c:\documents and settings\Kristen D\Application Data\C665F608760F5FCC1327D8B851DA7C20
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-12-01 18:28 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2003-07-16 20:49 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 20:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2003-07-16 20:51 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2003-07-16 20:30 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2003-07-16 20:34 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2003-07-16 20:46 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-12-02 15:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-04 05:59 389120 ------w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2003-07-16 20:24 290432 ----a-w- c:\windows\system32\atmfd.dll
2010-10-14 05:28 . 2010-11-04 01:27 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Kristen D\Application Data\C665F608760F5FCC1327D8B851DA7C20 ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
.
c:\documents and settings\Kristen D\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2010-5-13 225280]
PowerReg Scheduler.exe [2010-5-13 256000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-3 113664]
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2007-8-27 1343488]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/27/2010 6:55 AM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/3/2009 4:43 PM 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:55 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:55 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/27/2010 6:56 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/27/2010 6:55 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/27/2010 6:55 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/27/2010 6:55 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:55 AM 88544]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:55 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/27/2010 6:55 AM 84264]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kristen D\Application Data\Mozilla\Firefox\Profiles\sonyrf3f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: yogurttree: theme@yogurttree.com - %profile%\extensions\theme@yogurttree.com
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-14 13:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-14 13:23:48
ComboFix-quarantined-files.txt 2011-05-14 20:23
ComboFix2.txt 2011-05-14 18:25
.
Pre-Run: 99,889,647,616 bytes free
Post-Run: 99,875,889,152 bytes free
.
- - End Of File - - CAA88A919FBF5EFCDF70DED6A94289A5

#10 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:54 PM

Posted 14 May 2011 - 05:49 PM

Step 1.
Dequarantine:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Dequarantine::
c:\Qoobox\Quarantine\C\windows\system32\drivers\1028_DELL_XPS_Dell DV051 .MRK.vir
c:\Qoobox\Quarantine\C\windows\system32\drivers\DELL_XPS_Dell DV051 .MRK.vir
Quit::

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\DeQuarantine_log.txt which I will require in your next reply.

Step 2.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 3.
Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Step 4.
Things I would like to see in your reply:

  • The content of DeQuarantine_log.txt from Step 1.
  • The content of the report from MBAM from Step 2.
  • The content of the report from ESET Online Scanner from Step 3.
  • Information on how your computer is running after those steps.



#11 Kristen D

Kristen D
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 14 May 2011 - 10:59 PM

ComboFix 11-05-13.03 - Kristen D 05/14/2011 18:24:11.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1546 [GMT -7:00]
Running from: c:\documents and settings\Kristen D\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kristen D\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-14 23:59 . 2011-05-15 00:01 -------- d-----w- c:\windows\LastGood
2011-05-08 19:04 . 2011-05-08 19:04 -------- d-----w- c:\documents and settings\Kristen D\Application Data\C665F608760F5FCC1327D8B851DA7C20
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 21:01 . 2010-04-27 13:56 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-14 21:01 . 2010-04-27 13:55 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-14 21:01 . 2010-04-27 13:55 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-14 21:01 . 2010-04-27 13:55 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-14 21:01 . 2010-04-27 13:55 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 21:01 . 2010-04-27 13:55 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-14 21:01 . 2010-04-27 13:55 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-14 21:01 . 2010-04-27 13:55 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-14 21:01 . 2010-04-27 13:55 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-14 21:01 . 2010-04-27 13:55 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-03-07 05:33 . 2009-12-01 18:28 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2003-07-16 20:49 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 20:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2003-07-16 20:51 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2003-07-16 20:30 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2003-07-16 20:34 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2003-07-16 20:46 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-12-02 15:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-04 05:59 389120 ------w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2003-07-16 20:24 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-04-14 21:01 . 2010-11-04 01:27 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-14_20.21.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-01 18:33 . 2011-05-15 00:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-01 18:33 . 2011-05-14 19:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-01 18:33 . 2011-05-15 00:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-01 18:33 . 2011-05-14 19:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-05-14 23:36 . 2011-05-15 00:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
.
c:\documents and settings\Kristen D\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2010-5-13 225280]
PowerReg Scheduler.exe [2010-5-13 256000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-3 113664]
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2007-8-27 1343488]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/27/2010 6:55 AM 84200]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/3/2009 4:43 PM 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:55 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:55 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/27/2010 6:56 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/27/2010 6:55 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/27/2010 6:55 AM 56064]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/27/2010 6:55 AM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:55 AM 88736]
S2 0248211305417717mcinstcleanup;McAfee Application Installer Cleanup (0248211305417717);c:\windows\TEMP\024821~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\024821~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:55 AM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/27/2010 6:55 AM 84488]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - mfeavfk02
*Deregistered* - mfehidk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kristen D\Application Data\Mozilla\Firefox\Profiles\sonyrf3f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: yogurttree: theme@yogurttree.com - %profile%\extensions\theme@yogurttree.com
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-14 18:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2632)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-05-14 18:36:05
ComboFix-quarantined-files.txt 2011-05-15 01:36
ComboFix2.txt 2011-05-14 20:23
ComboFix3.txt 2011-05-14 18:25
.
Pre-Run: 99,889,795,072 bytes free
Post-Run: 99,876,917,248 bytes free
.
- - End Of File - - 559839831B2D68174C70E6A61A48A40A


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6580

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/14/2011 7:48:22 PM
mbam-log-2011-05-14 (19-48-22).txt

Scan type: Quick scan
Objects scanned: 154730
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5GUTNY6MFK (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=475f409b2321af4a8001fb18db5a4a1c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-15 03:51:48
# local_time=2011-05-14 08:51:48 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777189 100 75 0 34571996 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=117471
# found=0
# cleaned=0
# scan_time=2834


I tried searching with Google and in ten searches I did not get a redirect, so that seems to be working better.
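Added triage example (my code, not part of the original thread and not a ComboFix or McAfee component): a small Python parser that walks ComboFix-style service/driver lines and firewall-policy values like the ones in the log above and flags what a responder checks first: service images that are not present on disk, images launched from a temp directory, and a Windows Firewall that is switched off with its notifications suppressed. The sample lines are constructed to mirror the log's format rather than copied from it; reading a trailing `[?]` as "file not found" and the `.exe/.sys/.dll/.cpl` extension heuristic for pulling the image path out of a command line are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "services/drivers" and firewall-policy
# lines of the ComboFix log posted above; it is not a copy of that log.
SAMPLE_LOG = r"""
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/27/2010 6:56 AM 188136]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:55 AM 271480]
S2 0248211305417717mcinstcleanup;McAfee Application Installer Cleanup;c:\windows\TEMP\024821~1.EXE -cleanup -service --> c:\windows\TEMP\024821~1.EXE -cleanup -service [?]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# "R2 name;display name;command line [date size]" / "S3 name;display;path --> path [?]"
SERVICE_RE = re.compile(r'^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$')
# First token that ends in a PE/driver extension, optionally double-quoted (heuristic).
IMAGE_RE = re.compile(r'^\s*"?(.+?\.(?:exe|sys|dll|cpl))"?', re.IGNORECASE)
FIREWALL_RE = re.compile(r'^"(EnableFirewall|DisableNotifications)"=\s*(\d+)')


@dataclass(frozen=True)
class Finding:
    item: str    # service name or registry value name
    reason: str


def parse_service(line):
    """Parse one ComboFix service/driver line into a dict, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, _display, rest = m.groups()
    # Assumption: ComboFix prints "[?]" instead of "[date size]" when it cannot
    # find the file on disk.
    present = not rest.rstrip().endswith("[?]")
    # After "-->" ComboFix repeats the resolved command line; prefer that side.
    cmd = rest.split("-->", 1)[1] if "-->" in rest else rest
    cmd = re.sub(r'\s*\[[^\]]*\]\s*$', '', cmd)   # drop trailing "[date size]" / "[?]"
    img = IMAGE_RE.match(cmd)
    image = img.group(1) if img else cmd.strip()
    return {"name": name, "state": state, "start": int(start),
            "image": image, "present": present}


def triage(log_text):
    """Return the findings a responder should look at first, in log order."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc:
            if not svc["present"]:
                findings.append(Finding(svc["name"],
                                        f"image not found on disk: {svc['image']}"))
            if re.search(r'\\temp\\', svc["image"], re.IGNORECASE):
                findings.append(Finding(svc["name"],
                                        f"image lives in a temp directory: {svc['image']}"))
            continue
        fw = FIREWALL_RE.match(line.strip())
        if fw:
            key, val = fw.group(1), int(fw.group(2))
            if key == "EnableFirewall" and val == 0:
                findings.append(Finding(key, "Windows Firewall is off for the standard profile"))
            if key == "DisableNotifications" and val == 1:
                findings.append(Finding(key, "firewall blocked-program notifications are suppressed"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item}: {f.reason}")
```

Point `triage()` at a saved ComboFix log instead of the sample to use it on real output. The result is a review list, not a verdict: an orphaned installer-cleanup service such as the McAfee one in the log is a common benign leftover, while an unexplained driver entry whose file is gone, like the yeddef.sys line, is worth tracing back to whatever installed it.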

#12 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 15 May 2011 - 02:33 AM

The first step did go as planned.
Let's retry

Please attach the following files in a reply.

C:\Qoobox\ComboFix-quarantined-files.txt
C:\DeQuarantine_log.txt

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click [donate link]


#13 Kristen D

  • Topic Starter
  • Members
  • 7 posts

Posted 15 May 2011 - 12:45 PM

I can't find a file named C:\DeQuarantine_log.txt?

Attached Files



#14 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 15 May 2011 - 12:49 PM

Let's try again

Step 1.
Dequarantine:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Dequarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\1028_DELL_XPS_Dell DV051                   .MRK.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\DELL_XPS_Dell DV051                   .MRK.vir
Quit::

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\DeQuarantine_log.txt which I will require in your next reply.



#15 Kristen D

  • Topic Starter
  • Members
  • 7 posts

Posted 15 May 2011 - 03:24 PM

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\1028_DELL_XPS_Dell DV051 .MRK.vir -> C:\WINDOWS\system32\drivers\1028_DELL_XPS_Dell DV051 .MRK ( 5 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\DELL_XPS_Dell DV051 .MRK.vir -> C:\WINDOWS\system32\drivers\DELL_XPS_Dell DV051 .MRK ( 5 bytes )



