
Malware infection - through USB


17 replies to this topic

#1 catamantaloedes


Posted 02 June 2011 - 06:04 AM

Hi there,

I'm having some trouble with a malware/spyware infection and would appreciate your help. The problems started a few months ago through a USB stick that got infected at a print station. Virus scans would find and quarantine a few items about once a month, and occasionally a strange website would open as a new tab in Chrome. Every time after using a USB port there'd be a new surge of this, but generally the symptoms were pretty mild. Yesterday things got worse, as hackers got into my Gmail account and spammed all my contacts. In addition, my antivirus software (McAfee) has started picking things up constantly - it says it's blocked 32 Registry actions in the past day. I'm trying to take steps to prevent this from getting worse: I installed the Panda USB vaccine to deal with the USB contamination issue, but evidently the infection is already on the hard drive. I've been following your instructions and am attaching my DDS and GMER logs below.

Many thanks for your time - I'd really appreciate any help.

Cheers,
catamantaloedes


.
DDS (Ver_2011-06-01.06) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Kyrill at 10:39:29 on 2011-06-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.335 [GMT 2:00]
.
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\o2\Mobile Connection Manager\ImpWiFiSvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Kyrill\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [Google Update] "c:\documents and settings\kyrill\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\kyrill\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\kyrill\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\kyrill\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\kyrill\startm~1\programs\startup\pandau~1.lnk - c:\program files\panda usb vaccine\USBVaccine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C58C496F-2A8C-4B70-A438-C599461A4775} : NameServer = 213.191.74.18 62.109.123.196
TCP: Interfaces\{F2F94334-09FD-4779-8D6C-DDA63D04C6C6} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-5 344712]
R1 tidnet;TID NDIS Protocol Driver;c:\windows\system32\drivers\tidnet.sys [2010-7-8 26008]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-8-25 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-8-25 147984]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-8-25 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-16 69192]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-3-12 237568]
R2 TGCM_ImportWiFiSvc;TGCM_ImportWiFiSvc;c:\program files\o2\mobile connection manager\ImpWiFiSvc.exe [2010-8-2 199600]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2011-3-18 63616]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-4 38912]
R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-6-7 145408]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-5 91896]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-5 43192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-12 1684736]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2011-3-18 101504]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-3-18 117504]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-12 24064]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-16 66536]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2011-06-02 07:45:38 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
2011-06-02 07:45:08 -------- d-----w- c:\program files\Panda USB Vaccine
2011-05-24 21:24:45 -------- d-----w- c:\documents and settings\all users\application data\Skype Extras
2011-05-03 18:58:01 -------- d-----w- c:\documents and settings\kyrill\application data\DDMSettings
2011-05-03 17:45:10 -------- d-----w- c:\program files\common files\DivX Shared
2011-05-03 17:37:39 -------- d-----w- c:\program files\DivX
2011-05-03 17:36:07 -------- d-----w- c:\documents and settings\all users\application data\DivX
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 10:42:31.07 ===============


#2 D-FRED-BROWN


Posted 10 June 2011 - 10:28 PM

Hello catamantaloedes and welcome to Bleeping Computer! :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. :thumbup2:

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

***Note: In order for ComboFix to run properly McAfee must be uninstalled. Please go here and follow the instructions to uninstall McAfee.
You can reinstall it after the computer is clean.

--------------------------

Please download ATF Cleaner
Save it to your Desktop.

Please locate ATF
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

-------------

Please download Malwarebytes' Anti-Malware to your Desktop
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

-------------

Please do the following:
  • Download GMER from here. Save it to your Desktop. Take note of the filename, as it is a randomly named .exe file.
  • Disconnect from the Internet and close all running programs while scan is running.
  • Make sure all antivirus and other real-time security programs are disabled. See here for directions.
  • Double-click on the downloaded file to start the program. (If running Vista or Win 7, right click on it and Run as an Administrator)
  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan. --> Click on NO, then use the following settings for a more complete scan:


  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Click the Scan button to begin. (Please be patient: this can take some time.)
  • When the scan is finished, click Save and type in gmer.txt and save to Desktop and copy/paste the contents in your next reply.
Note!: These types of scans can produce false positives. Do not take any action until a trained helper has seen the log.

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:
  • Malwarebytes log
  • GMER log
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?

#3 catamantaloedes


Posted 12 June 2011 - 02:09 PM

Hi D-Fred,

Thank you for your help - I really appreciate it. I've followed your instructions, and I'm pasting the four logs below. It's hard to tell whether the problem is solved because there were so few symptoms to begin with: the worst was my Gmail account getting hacked, but other than that the only way I knew I had a problem is that McAfee reported around 30 blocked actions a day. I had to uninstall McAfee in order to run Combofix, and now I've installed Microsoft Security Essentials instead, so it's hard to compare. But so far so good - I haven't had any problems after doing Combofix, but then again Malwarebytes didn't pick up anything in the first place. So if you could give me some advice on what these logs mean, that would be awesome!

Thanks again,
catamantaloedes


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6839

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/12/2011 2:24:21 PM
mbam-log-2011-06-12 (14-24-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 222648
Time elapsed: 2 hour(s), 26 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-12 16:48:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.FG01
Running: nnvrtw5n.exe; Driver: C:\DOCUME~1\Kyrill\LOCALS~1\Temp\uxldqpod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF75899A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7589940]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF7589954]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF75899BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF75899E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF7589A54]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF7589A3E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF7589A6A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7589AFE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF7589A96]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7589992]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7589904]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7589918]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF7589AD2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF7589A28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF7589A12]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF75899D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF7589ABE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF7589AAA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF758997E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF758996A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF75899FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7589B2D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF7589A80]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7589B14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7589AE8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515AB2 7 Bytes JMP F7589AEC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BDF 5 Bytes JMP F7589996 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 80572F19 7 Bytes JMP F7589A16 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80574B1F 5 Bytes JMP F758996E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80578AB4 5 Bytes JMP F75899AA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057A7A9 5 Bytes JMP F7589B18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057AC21 7 Bytes JMP F7589B02 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 8057EC02 7 Bytes JMP F7589AD6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8057F002 7 Bytes JMP F7589A58 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 8057F93A 3 Bytes JMP F7589908 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess + 4 8057F93E 1 Byte [77]
PAGE ntoskrnl.exe!ZwSetValueKey 80580088 7 Bytes JMP F7589A00 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B9EC 7 Bytes JMP F7589958 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E8B1 5 Bytes JMP F7589B31 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590232 7 Bytes JMP F7589A42 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 80596743 5 Bytes JMP F758991C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80596D8A 5 Bytes JMP F7589A9A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 805991E8 7 Bytes JMP F75899EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 8059A5C9 7 Bytes JMP F75899BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwLoadKey2 805B83E6 7 Bytes JMP F7589A6E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805C7A4D 5 Bytes JMP F7589944 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635EFB 5 Bytes JMP F7589982 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 80655A96 7 Bytes JMP F7589A84 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 806563CF 7 Bytes JMP F7589A2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8065684C 7 Bytes JMP F75899D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 80656D3D 5 Bytes JMP F7589AAE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 806571A8 5 Bytes JMP F7589AC2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D70FDB
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60FEF
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60096
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D6007B
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D6005E
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60FA1
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FC3
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D600D8
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60F90
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D60F3F
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F5A
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D600FD
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60FB2
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D600BB
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D6002F
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D60F6B
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FC0
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50F6C
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50011
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50F91
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D50033
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50022
.text C:\WINDOWS\system32\svchost.exe[540] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40F93
.text C:\WINDOWS\system32\svchost.exe[540] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40FA4
.text C:\WINDOWS\system32\svchost.exe[540] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FC6
.text C:\WINDOWS\system32\svchost.exe[540] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40FE3
.text C:\WINDOWS\system32\svchost.exe[540] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40FB5
.text C:\WINDOWS\system32\svchost.exe[540] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\services.exe[848] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\services.exe[848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E90014
.text C:\WINDOWS\system32\services.exe[848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E90FDE
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F65
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E8005A
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80F80
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E8003D
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80FA5
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E8007C
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E8006B
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E800B2
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80F19
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E80EF4
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E8002C
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80011
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E80F40
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80FC0
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80FDB
.text C:\WINDOWS\system32\services.exe[848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E80097
.text C:\WINDOWS\system32\services.exe[848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E70FAF
.text C:\WINDOWS\system32\services.exe[848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E70047
.text C:\WINDOWS\system32\services.exe[848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\services.exe[848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\services.exe[848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E70F8A
.text C:\WINDOWS\system32\services.exe[848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\system32\services.exe[848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E70036
.text C:\WINDOWS\system32\services.exe[848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E7001B
.text C:\WINDOWS\system32\services.exe[848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60042
.text C:\WINDOWS\system32\services.exe[848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60031
.text C:\WINDOWS\system32\services.exe[848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60016
.text C:\WINDOWS\system32\services.exe[848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\services.exe[848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60FC1
.text C:\WINDOWS\system32\services.exe[848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E60FD2
.text C:\WINDOWS\system32\services.exe[848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\lsass.exe[860] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[860] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F6001E
.text C:\WINDOWS\system32\lsass.exe[860] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50F7C
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50071
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F97
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50054
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50FC3
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F500A7
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50096
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500DD
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F500CC
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50F29
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50FA8
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50F6B
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F5002F
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\lsass.exe[860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50F44
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F40080
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F40FB9
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F40FCA
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [14, 89] {ADC AL, 0x89}
.text C:\WINDOWS\system32\lsass.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40051
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F30FB5
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30FC6
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\lsass.exe[860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F30FE3
.text C:\WINDOWS\system32\lsass.exe[860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02530000
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0253001B
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02530FE5
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02520FEF
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02520F7A
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02520F95
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0252006F
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02520FB2
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02520FC3
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025200AC
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0252009B
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025200C7
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02520F38
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025200D8
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0252004A
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02520FDE
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0252008A
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0252002F
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02520014
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02520F49
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02510036
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02510065
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02510025
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02510FE5
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02510FA8
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02510000
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02510FC3
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [71, 8A] {JNO 0xffffffffffffff8c}
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02510FD4
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02500F9E
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!system 77C293C7 5 Bytes JMP 02500FB9
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02500FD4
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02500FEF
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02500029
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0250000C
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 024F0FE5
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00EA0011
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E9007F
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E9006E
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90F8A
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90047
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90036
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E900B5
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F6D
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900F2
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900D7
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E90F3E
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90FAF
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E900A4
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90025
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E900C6
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80022
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E8003D
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E80FD1
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80011
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80F80
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E80F91
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [08, 89]
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80FB6
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E7003F
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70FBE
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E7001D
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E7002E
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70FE3
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00140000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00140FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00140FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270065
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270F70
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270F81
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0027004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0027002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00270076
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00270F2E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002700A9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00270098
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00270EEB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270FA8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270F4B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270087
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FA8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0036002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00360F97
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [56, 88]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0036001E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370FA1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 00370FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00370000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370022
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00370011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00EB0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00EB0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00EB0FCD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1116] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00EB0FBC
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02C20000
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02C20FC0
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02C20FDB
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C10FE5
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C10082
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C10067
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C10056
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C10039
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C10FB2
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C100B8
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C10F70
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C100DD
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C10F44
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02C10F1F
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02C10FA1
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02C10FD4
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02C100A7
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02C10014
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02C10FC3
.text C:\WINDOWS\System32\svchost.exe[1128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02C10F55
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02C00FC3
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02C00051
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02C00FD4
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02C00FEF
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02C00040
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02C0000A
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02C0002F
.text C:\WINDOWS\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02C00FA8
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02AD0042
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!system 77C293C7 5 Bytes JMP 02AD0031
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02AD0FD2
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02AD0000
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02AD0FC1
.text C:\WINDOWS\System32\svchost.exe[1128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02AD0FE3
.text C:\WINDOWS\System32\svchost.exe[1128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02AC000A
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02AB0000
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02AB0011
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02AB002C
.text C:\WINDOWS\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 02AB0FD1
.text C:\WINDOWS\system32\svchost.exe[1224] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008E0014
.text C:\WINDOWS\system32\svchost.exe[1224] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008E0FD4
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008D0FB9
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008D00AE
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008D0093
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008D0FD4
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008D005B
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008D00F7
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008D00DC
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008D0F68
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008D0F79
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008D0F57
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008D006C
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008D0025
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008D00BF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008D0040
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008D0F8A
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008C0FCA
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008C006C
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008C001B
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008C000A
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008C005B
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008C004A
.text C:\WINDOWS\system32\svchost.exe[1224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008C0FB9
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008B0FD9
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!system 77C293C7 5 Bytes JMP 008B0064
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008B0038
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008B000C
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008B0049
.text C:\WINDOWS\system32\svchost.exe[1224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008B001D
.text C:\WINDOWS\system32\svchost.exe[1224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B20FCD
.text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B20FDE
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10FE5
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B10062
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B10F6D
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10047
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10F94
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10FAF
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B1008E
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F46
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B100D5
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B100BA
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B100E6
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B10036
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B1007D
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B10FD4
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B10025
.text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B1009F
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B00FC0
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B00062
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B00011
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B00051
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B00FE5
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B00040
.text C:\WINDOWS\system32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B00FAF
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0FA1
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0022
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF0011
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0FB2
.text C:\WINDOWS\system32\svchost.exe[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0FD7
.text C:\WINDOWS\system32\svchost.exe[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF001B
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F4E
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F5F
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0F7C
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE002F
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FB2
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F22
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE006A
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00A7
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE008C
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00B8
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0F8D
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0014
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F3D
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FC3
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FDE
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE007B
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760014
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760F68
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760FC3
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00760025
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00760F83
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [96, 88]
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760FA8
.text C:\WINDOWS\system32\svchost.exe[1624] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00750F8B
.text C:\WINDOWS\system32\svchost.exe[1624] msvcrt.dll!system 77C293C7 5 Bytes JMP 00750F9C
.text C:\WINDOWS\system32\svchost.exe[1624] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0075000C
.text C:\WINDOWS\system32\svchost.exe[1624] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\svchost.exe[1624] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00750FC1
.text C:\WINDOWS\system32\svchost.exe[1624] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00750FD2
.text C:\WINDOWS\system32\svchost.exe[1624] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00730FEF
.text C:\WINDOWS\system32\svchost.exe[1624] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00730FDE
.text C:\WINDOWS\system32\svchost.exe[1624] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0073000A
.text C:\WINDOWS\system32\svchost.exe[1624] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00730FB9
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740000
.text C:\WINDOWS\Explorer.EXE[1924] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02740000
.text C:\WINDOWS\Explorer.EXE[1924] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02740FD4
.text C:\WINDOWS\Explorer.EXE[1924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02740FE5
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01C3000A
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01C30F70
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01C30F81
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01C30F92
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01C3005B
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01C30040
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01C30094
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01C30F4E
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01C30F0F
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01C30F20
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01C300B9
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01C30FB9
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01C30FEF
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01C30F5F
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01C30FD4
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01C3001B
.text C:\WINDOWS\Explorer.EXE[1924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01C30F31
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01C20FB9
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01C20F8D
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01C20FCA
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01C20FE5
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01C2004A
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01C20000
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01C20F9E
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 89] {LOOP 0xffffffffffffff8b}
.text C:\WINDOWS\Explorer.EXE[1924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01C20025
.text C:\WINDOWS\Explorer.EXE[1924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01C10FA1
.text C:\WINDOWS\Explorer.EXE[1924] msvcrt.dll!system 77C293C7 5 Bytes JMP 01C1002C
.text C:\WINDOWS\Explorer.EXE[1924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01C10011
.text C:\WINDOWS\Explorer.EXE[1924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01C10000
.text C:\WINDOWS\Explorer.EXE[1924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01C10FB2
.text C:\WINDOWS\Explorer.EXE[1924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01C10FD7
.text C:\WINDOWS\Explorer.EXE[1924] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F50000
.text C:\WINDOWS\Explorer.EXE[1924] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F5001B
.text C:\WINDOWS\Explorer.EXE[1924] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\Explorer.EXE[1924] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00F50FCA
.text C:\WINDOWS\Explorer.EXE[1924] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01C00000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0316000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03160FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03160FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03150FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03150082
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03150F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03150F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03150051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03150FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03150F5A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03150F6B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03150F27
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03150F38
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 031500DB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03150FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0315000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03150F7C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03150036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03150025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03150F49
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03140FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03140F6B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03140014
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03140FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03140F7C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03140FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03140F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [34, 8B] {XOR AL, 0x8b}
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03140FB2
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03130FA6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] msvcrt.dll!system 77C293C7 5 Bytes JMP 03130031
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03130FC1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03130FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03130016
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03130FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03120000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02F60000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02F60FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02F60FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1968] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 02F60FB9

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----



ComboFix 11-06-11.01 - Kyrill 06/12/2011 17:42:33.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.607 [GMT 2:00]
Running from: c:\documents and settings\Kyrill\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kyrill\Application Data\.#
.
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-12 15:27 . 2011-06-12 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2011-06-12 09:55 . 2011-06-12 09:55 -------- d-----w- c:\documents and settings\Kyrill\Application Data\Malwarebytes
2011-06-12 09:54 . 2011-05-29 07:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-12 09:54 . 2011-06-12 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-12 09:53 . 2011-05-29 07:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-12 09:52 . 2011-06-12 09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-07 22:18 . 2011-06-07 22:18 -------- d-----w- c:\program files\Common Files\Java
2011-06-02 07:45 . 2011-06-02 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-06-02 07:45 . 2011-06-02 07:45 -------- d-----w- c:\program files\Panda USB Vaccine
2011-05-24 21:24 . 2011-06-05 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-05-24 21:23 . 2011-05-24 21:23 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 02:52 . 2010-08-09 19:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 00:25 . 2009-11-30 01:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-12 24064]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Kyrill\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Kyrill\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PandaUSBVaccine.lnk - c:\program files\Panda USB Vaccine\USBVaccine.exe [2011-6-2 1287176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-3-12 565248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Acer\\Acer VCM\\VC.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Kyrill\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Documents and Settings\\Kyrill\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 tidnet;TID NDIS Protocol Driver;c:\windows\system32\drivers\tidnet.sys [7/8/2010 1:41 PM 26008]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [3/12/2009 8:32 AM 237568]
R2 TGCM_ImportWiFiSvc;TGCM_ImportWiFiSvc;c:\program files\o2\Mobile Connection Manager\ImpWiFiSvc.exe [8/2/2010 12:40 PM 199600]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [3/18/2011 7:51 PM 63616]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/4/2009 5:03 AM 38912]
R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [6/7/2009 1:40 PM 145408]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/12/2009 7:56 AM 1684736]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [3/18/2011 7:51 PM 101504]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [3/18/2011 7:51 PM 117504]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/12/2009 8:06 AM 24064]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-598665437-3454122357-776746741-1005Core.job
- c:\documents and settings\Kyrill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-26 13:53]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-598665437-3454122357-776746741-1005UA.job
- c:\documents and settings\Kyrill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-26 13:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C58C496F-2A8C-4B70-A438-C599461A4775}: NameServer = 213.191.74.18 62.109.123.196
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 17:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2396)
c:\windows\system32\WININET.dll
c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\WebCam\M3000\M3000Mnt.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-06-12 17:53:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-12 15:53
.
Pre-Run: 105,307,602,944 bytes free
Post-Run: 105,523,269,632 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A9733CEE6BA809287D39DBFED12DE696



Results of screen317's Security Check version 0.99.13
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Flash Player Out of Date!
Adobe Flash Player 10.1.53.64
Adobe Reader X (10.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

#4 D-FRED-BROWN (Malware Response Team)

Posted 12 June 2011 - 03:01 PM

Hello again. Your logs are looking better, but there is more that needs doing. Let's run some more scans to get a better look.

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

-------------


I see that you have ComboFix running from c:\documents and settings\Kyrill\My Documents\Downloads\ComboFix.exe.

It needs to run from your Desktop. Please delete the file found at c:\documents and settings\Kyrill\My Documents\Downloads\ComboFix.exe, and download a new copy to your Desktop. Run it again, and post the newly created log (found at C:\ComboFix.txt).

-------------

Please do the following:
  • Please download aswMBR.exe from here and save it to your Desktop.
  • Double click aswMBR.exe to start the tool. (Vista - Win 7 Rt click to run as Administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your Desktop, and post that log in your next reply. Do NOT attempt any Fix at this time!
  • This will also create a file on your Desktop named MBR.dat. Right click that file and select Send To->Compressed (zipped) folder. Attach that zipped folder in your next reply as well.

-------------

In your next reply, please include:
  • C:\ComboFix.txt
  • aswMBR log, and MBR.dat zip file

How is your computer running now?
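
As an added illustration of what the "vaccination" step above actually does (example code written for this page, not code from the thread, from Flash_Disinfector or from Panda USB Vaccine): the script below parses a drive-root autorun.inf, reports the open=, shellexecute= and shell\...\command= entries that would launch a program, replaces the file with a hidden, read-only directory of the same name so that no file called autorun.inf can be dropped there again, and then checks that the block holds. The sample autorun.inf contents, the temporary "drive root" and all function names are constructed for the example.

```python
"""Added example: autorun.inf triage and USB "vaccination" (constructed, not from the thread)."""
import ctypes
import os
import re
import tempfile
from pathlib import Path

# [autorun] keys that make Windows XP-era AutoPlay launch a program.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... entries (e.g. shell\open\command) also launch programs.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Windows file attribute bits used below (FILE_ATTRIBUTE_READONLY/HIDDEN/SYSTEM/NORMAL).
ATTR_RO, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_NORMAL = 0x1, 0x2, 0x4, 0x80

# Constructed sample modelled on a typical USB-worm autorun.inf (not taken from the thread).
SAMPLE_AUTORUN = """[autorun]
; dropped by a USB worm
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def _set_attributes(path, attrs):
    """Set Win32 file attributes; a no-op on non-Windows hosts."""
    if os.name == "nt":
        ctypes.windll.kernel32.SetFileAttributesW(str(path), attrs)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section (INI syntax, keys case-insensitive)."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Commands the file would execute via open=, shellexecute= or shell\\<verb>\\command=."""
    return [v for k, v in entries.items() if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def vaccinate(drive_root):
    """Replace an autorun.inf *file* at drive_root with an empty *directory* of that name.

    A file and a directory cannot share a name, so malware can no longer drop
    autorun.inf at the root. Returns the launch commands found in the removed file."""
    target = Path(drive_root) / "autorun.inf"
    found = []
    if target.is_dir():
        return found  # already vaccinated
    if target.is_file():
        found = launch_targets(parse_autorun(target.read_text(errors="replace")))
        _set_attributes(target, ATTR_NORMAL)  # worms set +H +S +R; clear before deleting
        target.unlink()
    target.mkdir()
    _set_attributes(target, ATTR_RO | ATTR_HIDDEN | ATTR_SYSTEM)
    return found


def autorun_file_blocked(drive_root):
    """True if creating a file named autorun.inf at drive_root now fails."""
    try:
        with open(Path(drive_root) / "autorun.inf", "w"):
            pass
    except OSError:
        return True
    return False


def demo(root=None):
    """Stage a fake drive root in a temp dir, plant the sample, vaccinate, report."""
    root = Path(root or tempfile.mkdtemp(prefix="usbroot_"))
    planted = root / "autorun.inf"
    planted.write_text(SAMPLE_AUTORUN)
    _set_attributes(planted, ATTR_RO | ATTR_HIDDEN | ATTR_SYSTEM)  # as a worm would
    commands = vaccinate(root)
    return {
        "root": str(root),
        "commands": commands,
        "is_dir": planted.is_dir(),
        "blocked": autorun_file_blocked(root),
    }


if __name__ == "__main__":
    result = demo()
    print(f"removed autorun.inf that would launch: {result['commands']}")
    print(f"autorun.inf is now a directory: {result['is_dir']}, re-creation blocked: {result['blocked']}")
```

Two caveats a practitioner would want: the directory only blocks the autorun.inf launch mechanism, so whatever payload the file pointed at (here a constructed RECYCLER\setup.exe) still has to be removed separately, and holding Shift during the first insertion still matters because the vaccination cannot run before the drive is mounted.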

#5 catamantaloedes (Topic Starter)

Posted 12 June 2011 - 03:56 PM

Hi again,

Thanks so much for the quick reply. I'm attaching the new ComboFix and aswMBR logs below. I scanned two external drives using the Flash_Disinfector, but both times the scanning was extremely quick - less than five seconds. Perhaps that's because I'd already 'vaccinated' both drives through the Panda USB Vaccine?

Thank you again - it would be great to get all this stuff off my system!
catamantaloedes


ComboFix 11-06-11.01 - Kyrill 06/12/2011 22:34:09.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.520 [GMT 2:00]
Running from: c:\documents and settings\Kyrill\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-12 20:29 . 2011-06-12 20:29 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2D2F775E-E242-43C1-8E06-68D43B27C223}\MpKsl9b29f1b7.sys
2011-06-12 17:08 . 2011-05-09 11:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2D2F775E-E242-43C1-8E06-68D43B27C223}\mpengine.dll
2011-06-12 17:08 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-12 17:05 . 2011-06-12 17:06 -------- d-----w- c:\program files\Microsoft Security Client
2011-06-12 15:27 . 2011-06-12 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2011-06-12 09:55 . 2011-06-12 09:55 -------- d-----w- c:\documents and settings\Kyrill\Application Data\Malwarebytes
2011-06-12 09:54 . 2011-05-29 07:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-12 09:54 . 2011-06-12 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-12 09:53 . 2011-05-29 07:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-12 09:52 . 2011-06-12 09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-07 22:18 . 2011-06-07 22:18 -------- d-----w- c:\program files\Common Files\Java
2011-06-02 07:45 . 2011-06-02 07:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-06-02 07:45 . 2011-06-02 07:45 -------- d-----w- c:\program files\Panda USB Vaccine
2011-05-24 21:24 . 2011-06-12 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-05-24 21:23 . 2011-05-24 21:23 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-04 02:52 . 2010-08-09 19:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 00:25 . 2009-11-30 01:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-12_15.49.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-12 20:29 . 2011-06-12 20:29 16384 c:\windows\Temp\Perflib_Perfdata_7a4.dat
- 2009-03-11 12:53 . 2011-06-12 15:41 76284 c:\windows\system32\perfc009.dat
+ 2009-03-11 12:53 . 2011-06-12 20:33 76284 c:\windows\system32\perfc009.dat
- 2009-03-11 12:53 . 2011-06-12 15:41 458214 c:\windows\system32\perfh009.dat
+ 2009-03-11 12:53 . 2011-06-12 20:33 458214 c:\windows\system32\perfh009.dat
+ 2010-10-24 19:25 . 2010-10-24 19:25 165264 c:\windows\system32\drivers\MpFilter.sys
+ 2011-06-12 17:05 . 2011-06-12 17:05 786432 c:\windows\Installer\463f5b.msi
+ 2011-06-12 17:05 . 2011-06-12 17:05 479744 c:\windows\Installer\463f55.msi
+ 2011-06-12 17:05 . 2011-06-12 17:05 301056 c:\windows\Installer\463f50.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-12 24064]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\Kyrill\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Kyrill\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PandaUSBVaccine.lnk - c:\program files\Panda USB Vaccine\USBVaccine.exe [2011-6-2 1287176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-3-12 565248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Acer\\Acer VCM\\VC.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Kyrill\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Documents and Settings\\Kyrill\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKsl9b29f1b7;MpKsl9b29f1b7;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2D2F775E-E242-43C1-8E06-68D43B27C223}\MpKsl9b29f1b7.sys [6/12/2011 10:29 PM 28752]
R1 tidnet;TID NDIS Protocol Driver;c:\windows\system32\drivers\tidnet.sys [7/8/2010 1:41 PM 26008]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [3/12/2009 8:32 AM 237568]
R2 TGCM_ImportWiFiSvc;TGCM_ImportWiFiSvc;c:\program files\o2\Mobile Connection Manager\ImpWiFiSvc.exe [8/2/2010 12:40 PM 199600]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [3/18/2011 7:51 PM 63616]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/4/2009 5:03 AM 38912]
R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [6/7/2009 1:40 PM 145408]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/12/2009 7:56 AM 1684736]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [3/18/2011 7:51 PM 101504]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [3/18/2011 7:51 PM 117504]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/12/2009 8:06 AM 24064]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL9B29F1B7
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-598665437-3454122357-776746741-1005Core.job
- c:\documents and settings\Kyrill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-26 13:53]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-598665437-3454122357-776746741-1005UA.job
- c:\documents and settings\Kyrill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-26 13:53]
.
2011-06-12 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 10:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aspire_one
uInternet Settings,ProxyOverride = *.local
TCP: Interfaces\{C58C496F-2A8C-4B70-A438-C599461A4775}: NameServer = 62.109.123.7 213.191.92.86
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 22:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(440)
c:\windows\system32\WININET.dll
c:\documents and settings\Kyrill\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-06-12 22:43:35
ComboFix-quarantined-files.txt 2011-06-12 20:43
ComboFix2.txt 2011-06-12 15:53
.
Pre-Run: 105,337,225,216 bytes free
Post-Run: 105,322,946,560 bytes free
.
- - End Of File - - 3C00DA4209D1C09E88FB35B6D58C03AD


aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-12 22:49:50
-----------------------------
22:49:50.328 OS Version: Windows 5.1.2600 Service Pack 3
22:49:50.328 Number of processors: 2 586 0x1C02
22:49:50.328 ComputerName: KYRILL UserName: Kyrill
22:49:51.609 Initialize success
22:49:55.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:49:55.062 Disk 0 Vendor: TOSHIBA_ FG01 Size: 152627MB BusType: 3
22:49:55.062 Disk 0 MBR read successfully
22:49:55.078 Disk 0 MBR scan
22:49:55.078 Disk 0 unknown MBR code
22:49:55.093 Disk 0 scanning sectors +312578048
22:49:55.140 Disk 0 scanning C:\WINDOWS\system32\drivers
22:50:02.671 Service scanning
22:50:03.828 Disk 0 trace - called modules:
22:50:03.875 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
22:50:03.875 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f78030]
22:50:03.890 3 CLASSPNP.SYS[f787dfd7] -> nt!IofCallDriver -> \Device\00000065[0x86f06848]
22:50:03.906 5 ACPI.sys[f77f4620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x869e4030]
22:50:03.906 Scan finished successfully
22:50:13.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kyrill\Desktop\MBR.dat"
22:50:13.421 The log file has been saved successfully to "C:\Documents and Settings\Kyrill\Desktop\aswMBR.txt"

Attached file: MBR.zip (559 bytes)
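A triage pass over the ComboFix log above, as an added example that is not part of the thread and not code from ComboFix, ESET or any other tool named here. It parses a constructed excerpt modelled on the lines shown (the Run key, the firewall policy key, two service entries and the TCP NameServer line) and returns the items a responder would check first: a Run value whose file ComboFix marks [X] (the BitDefender QuickScan later in the thread confirms M3000Rmv.dll is missing), the standard-profile firewall flag set to 0, a driver line whose file details ComboFix printed as [?], and the statically configured DNS servers. The DNS finding is a verification item only; nothing on the page shows those resolvers are malicious, so the script says "confirm", not "malicious". The finding wording and function names are the example's own.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread; only a few
# representative lines are kept so the example runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 tidnet;TID NDIS Protocol Driver;c:\windows\system32\drivers\tidnet.sys [7/8/2010 1:41 PM 26008]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
.
TCP: Interfaces\{C58C496F-2A8C-4B70-A438-C599461A4775}: NameServer = 62.109.123.7 213.191.92.86
"""

# Line shapes as they appear in the log: "Name"="target" [date size | X],
# Rn/Sn name;description;path [date size | ?], and the TCP NameServer line.
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
SERVICE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]$')
NAMESERVER = re.compile(r'^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$')
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(\d+)')


def _lines_with_section(log):
    """Yield (current registry key header, line); ComboFix prints keys in [brackets]."""
    section = ""
    for line in log.strip().splitlines():
        if line.startswith("[") and line.endswith("]"):
            section = line
            continue
        yield section, line


def parse_run_entries(log):
    """Autostart values under a ...\\Run key; 'missing' is set when the marker is [X]."""
    entries = []
    for section, line in _lines_with_section(log):
        m = RUN_VALUE.match(line)
        if m and section.lower().endswith(r"\run]"):
            name, target, info = m.groups()
            entries.append({"name": name, "target": target.strip(), "missing": info == "X"})
    return entries


def firewall_disabled(log):
    """True when the firewall policy profile in the log has EnableFirewall=0."""
    for section, line in _lines_with_section(log):
        m = FIREWALL.match(line)
        if m and "firewallpolicy" in section.lower():
            return m.group(1) == "0"
    return False


def parse_services(log):
    """Service/driver lines; 'unresolved' is set when ComboFix printed [?] for the file."""
    services = []
    for _, line in _lines_with_section(log):
        m = SERVICE.match(line)
        if m:
            status, name, desc, path, info = m.groups()
            services.append({"status": status, "name": name, "description": desc,
                             "path": path, "unresolved": info == "?"})
    return services


def nameservers(log):
    """Statically configured DNS servers listed on TCP: Interfaces lines."""
    servers = []
    for _, line in _lines_with_section(log):
        m = NAMESERVER.match(line)
        if m:
            servers.extend(m.group(2).split())
    return servers


def triage(log):
    """Human-readable findings in the order a responder would act on them."""
    findings = []
    for e in parse_run_entries(log):
        if e["missing"]:
            findings.append(f"Run value '{e['name']}' references a file ComboFix could not find "
                            f"({e['target']}): orphaned autostart, verify and remove")
    if firewall_disabled(log):
        findings.append("Windows Firewall is disabled for the standard profile (EnableFirewall=0): "
                        "re-enable unless a third-party firewall is active")
    for s in parse_services(log):
        if s["unresolved"]:
            findings.append(f"{s['status']} {s['name']}: driver file details unresolved ([?]) "
                            f"for {s['path']}: confirm the file exists on disk")
    servers = nameservers(log)
    if servers:
        findings.append("Static DNS servers configured: " + ", ".join(servers) +
                        ": confirm they belong to the ISP (DNS-changer check)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the parsers only react to the four line shapes above, so the rest of the log passes through untouched.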


#6 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas, USA
  • Local time:12:43 AM

Posted 12 June 2011 - 04:04 PM

Hello again.

Thanks so much for the quick reply. I'm attaching the new ComboFix and aswMBR logs below. I scanned two external drives using the Flash_Disinfector, but both times the scanning was extremely quick - less than five seconds. Perhaps that's because I'd already 'vaccinated' both drives through the Panda USB Vaccine?

Quite possibly. I had you run Flash Disinfector just to be sure. :thumbup2:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
-------------

In your next reply, please include:
  • ESET Online Scan log

How is your computer running now?

#7 catamantaloedes (Topic Starter)

Posted 13 June 2011 - 04:46 AM

Hi there,

Here's the new log. How's it looking?

Thanks again,
catamantaloedes


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)
# OnlineScanner.ocx=1.0.0.6526
# api_version=3.0.2
# EOSSerial=636528b917213e4e9e0ce0f7c42b4a55
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-12 10:50:21
# local_time=2011-06-13 12:50:21 (+0100, W. Europe Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776533 42 87 1617 19964814 0 0
# compatibility_mode=8192 67108863 100 0 198 198 0 0
# scanned=78447
# found=0
# cleaned=0
# scan_time=5886

#8 D-FRED-BROWN (Malware Response Team)

Posted 13 June 2011 - 12:14 PM

Hello again. Your logs are looking good, but let's run just one more scan to be sure. :wink:

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please use Internet Explorer and run a BitDefender Online scan from Here
  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post the results in your next reply.

-------------

In your next reply, please include:
  • BitDefender Online Scan log

How is your computer running now?

#9 catamantaloedes (Topic Starter)

Posted 14 June 2011 - 11:08 AM

Hi again,

Here's the latest scan results. What do you think?

Thanks as always for your help!

catamantaloedes



QuickScan Beta 32-bit v0.9.9.96
-------------------------------
Scan date: Tue Jun 14 18:07:17 2011
Machine ID: 26BDA222



No infection found.
-------------------



Processes
---------
(verified) Acer Video Conference Manager 2036 C:\Program Files\Acer\Acer VCM\RS_Service.exe
(verified) Bonjour 1892 C:\Program Files\Bonjour\mDNSResponder.exe
(verified) DivX Update 2716 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(verified) Dropbox 3180 C:\Documents and Settings\Kyrill\Application Data\Dropbox\bin\Dropbox.exe
(verified) Google Chrome 596 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 536 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 632 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 2592 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 1268 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 3632 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Talk Plugin 4008 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
(verified) GrooveMonitor Utility 2464 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(verified) Intel® Common User Interface 664 C:\WINDOWS\system32\hkcmd.exe
(verified) Intel® Common User Interface 692 C:\WINDOWS\system32\igfxpers.exe
(verified) Intel® Common User Interface 956 C:\WINDOWS\system32\igfxsrvc.exe
(verified) Intel® Common User Interface 644 C:\WINDOWS\system32\igfxtray.exe
(verified) iTunes 3008 C:\Program Files\iPod\bin\iPodService.exe
(verified) iTunes 2620 C:\Program Files\iTunes\iTunesHelper.exe
(verified) Java™ Platform SE 6 U26 1956 C:\Program Files\Java\jre6\bin\jqs.exe
(verified) Java™ Platform SE Auto Updater 2 0 2740 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) M3000Mnt.exe 2472 C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
(verified) Microsoft Malware Protection 1112 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(verified) Microsoft Office OneNote 912 C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
(verified) Microsoft Security Client 2808 C:\Program Files\Microsoft Security Client\msseces.exe
(verified) Microsoft® Windows® Operating System 3088 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(verified) Microsoft® Windows® Operating System 440 C:\WINDOWS\explorer.exe
(verified) Microsoft® Windows® Operating System 2300 C:\WINDOWS\system32\alg.exe
(verified) Microsoft® Windows® Operating System 760 C:\WINDOWS\system32\csrss.exe
(verified) Microsoft® Windows® Operating System 2836 C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System 840 C:\WINDOWS\system32\lsass.exe
(verified) Microsoft® Windows® Operating System 828 C:\WINDOWS\system32\services.exe
(verified) Microsoft® Windows® Operating System 704 C:\WINDOWS\system32\smss.exe
(verified) Microsoft® Windows® Operating System 1584 C:\WINDOWS\system32\spoolsv.exe
(verified) Microsoft® Windows® Operating System 1180 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1072 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 988 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 228 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1368 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1664 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1244 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 488 C:\WINDOWS\system32\wdfmgr.exe
(verified) Microsoft® Windows® Operating System 784 C:\WINDOWS\system32\winlogon.exe
(verified) MobileDeviceService 1716 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(verified) RAID Event Monitor 612 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(verified) RAID Monitor 1928 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(verified) Realtek HD Audio Sound Effect Manager 1212 C:\WINDOWS\RTHDCPL.EXE
(verified) Skype 4032 C:\Program Files\Skype\Phone\Skype.exe
(verified) Skype Extras Manager 268 C:\Program Files\Skype\Plugin Manager\skypePM.exe
(verified) Synaptics Pointing Device Driver 2548 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(verified) TGCM 360 C:\Program Files\o2\Mobile Connection Manager\ImpWiFiSvc.exe
(verified) USB Vaccine 3224 C:\Program Files\Panda USB Vaccine\USBVaccine.exe
(verified) Windows® Internet Explorer 1808 C:\Program Files\Internet Explorer\iexplore.exe


Network activity
----------------
Process chrome.exe (1268) connected on port 80 (HTTP) --> 209.85.149.113
Process chrome.exe (1268) connected on port 443 (HTTP over SSL) --> 209.85.149.83
Process iexplore.exe (1808) connected on port 80 (HTTP) --> 209.85.149.100
Process iexplore.exe (1808) connected on port 80 (HTTP) --> 69.63.190.10
Process iexplore.exe (1808) connected on port 80 (HTTP) --> 66.235.142.57
Process Dropbox.exe (3180) connected on port 80 (HTTP) --> 199.47.216.144

Process svchost.exe (1072) listens on ports: 135 (RPC)
Process Dropbox.exe (3180) listens on ports: 17500


Autoruns and critical files
---------------------------
(unsigned) QuickTime C:\Program Files\QuickTime\QTTask.exe

(verified) Adobe Acrobat C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
(verified) Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(verified) Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
(verified) DivX Update C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(verified) Dropbox C:\Documents and Settings\Kyrill\Application Data\Dropbox\bin\Dropbox.exe
(verified) Flash® Player Installer/Uninstaller C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
(verified) Google Desktop C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(verified) Google Update C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
(verified) GrooveMonitor Utility C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(verified) GrooveShellExtensions Module C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
(verified) ImScInst.exe C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\hkcmd.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxdev.dll
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxpers.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxtray.exe
(verified) iTunes C:\Program Files\iTunes\iTunesHelper.exe
(verified) Java™ Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) Launch Manager C:\Program Files\Launch Manager\LManager.exe
(verified) Microsoft IME 2002 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
(verified) Microsoft Office OneNote C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(verified) Microsoft Security Client C:\Program Files\Microsoft Security Client\msseces.exe
(verified) Microsoft® Windows® Operating System C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\BROWSEUI.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\CRYPT32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\CSCDLL.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\SHELL32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WlNotify.dll
(verified) MobileMe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
(verified) RAID Event Monitor C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(verified) Realtek Azalia Mixer Selector C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
(verified) Realtek HD Audio Sound Effect Manager C:\WINDOWS\RTHDCPL.EXE
(verified) Synaptics Pointing Device Driver C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(verified) USB Vaccine C:\Program Files\Panda USB Vaccine\USBVaccine.exe
(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll
(verified) Windows® Search C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
(verified) 新注音 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE


Browser plugins
---------------
(unsigned) Java™ Platform SE 6 U26 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll

(verified) AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
(verified) Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
(verified) BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll
(verified) Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
(verified) DivX VOD Helper Plug-in C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
(verified) DivX Web Player c:\program files\divx\divx plus web player\npdivx32.dll
(verified) Google Talk Plugin C:\Documents and Settings\Kyrill\Application Data\Mozilla\plugins\npgoogletalk.dll
(verified) Google Talk Plugin Video Accelerator C:\Documents and Settings\Kyrill\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
(verified) Google Toolbar for IE c:\program files\google\googletoolbar1.dll
(verified) GoogleToolbarNotifier c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
(verified) GrooveShellExtensions Module C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
(verified) Java™ Platform SE 6 U26 c:\program files\java\jre6\bin\jp2ssv.dll
(verified) Java™ Platform SE 6 U26 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
(verified) Messenger C:\Program Files\Messenger\msmsgs.exe
(verified) Microsoft® Windows Live Login Helper c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\mswsock.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll
(verified) Move Streaming Media Player C:\Documents and Settings\Kyrill\Application Data\Move Networks\plugins\npqmp071705000014.dll
(verified) npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
(verified) NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
(verified) Picasa C:\Program Files\Google\Picasa3\npPicasa3.dll
(verified) Silverlight Plug-In c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll
(verified) Windows Live® Photo Gallery C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
(verified) Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
(verified) Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll


Missing files
-------------
File not found: M3000Rmv.dll
--> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"M3000Mnt"


Scan
----
MD5: 0b02d9aa67eea2c5524943b69418512e C:\Documents and Settings\Kyrill\Application Data\Dropbox\bin\PYTHON25.DLL
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
MD5: 1040bd9bf3ddab7cda2346f8375480a2 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
MD5: afdae59fe562a7cdb44f9d4abedac316 C:\Program Files\QuickTime\QTSystem\QTCF.dll
MD5: 1d856e6e7490447fcfaa46e09a2bf9c9 C:\Program Files\QuickTime\QTSystem\QuickTime.qts
MD5: 0aee5668eb59912f32ff245bfa72465f C:\Program Files\QuickTime\QTTask.exe


No file uploaded.

Scan finished - communication took 0 sec
Total traffic - 0.00 MB sent, 0.09 KB recvd
Scanned 721 files and modules - 4 seconds

==============================================================================

#10 D-FRED-BROWN (Malware Response Team)

Posted 14 June 2011 - 12:57 PM

Hello again. Your logs appear to be clean. :thumbup2:

Please take the time to install the following program updates. Keeping your programs up-to-date is important, because that will greatly reduce your chances of getting infected again.

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

You are using Internet Explorer version 7. The latest version is 8 (for XP). Using an outdated version of a web browser leaves you extremely vulnerable to malware!
Please see this link to download the latest version: http://windows.microsoft.com/en-US/internet-explorer/products/ie/home

-------------

Your Flash Player is out of date!
To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

-------------

Please let me know how the program updates went, as failed updates may indicate additional malware.

#11 catamantaloedes (Topic Starter)

Posted 18 June 2011 - 10:28 AM

Hi again,

Sorry for the late reply. I've installed the new versions of Explorer and Adobe Flash Player - which actually prompted me to update automatically. Everything worked successfully - the only glitch was that as I was restarting my computer, the 'End Program' window for a DivX update came up (I didn't realize this was running) and the program had to be shut down manually. But given that all the tests have come back clean so far, that was presumably not a malware problem, right?

One last question: is there any way to scan/clean my external harddrive? I've 'vaccinated' it to prevent the autorun function, but my guess is that there is still some malware on that. Can I get rid of it, or is it not worth worrying about as long as the autorun is disabled?

Thank you again for all your help - you've been very kind!

Catamantaloedes

#12 D-FRED-BROWN (Malware Response Team)

Posted 18 June 2011 - 01:43 PM

Hello again!

Thank you again for all your help - you've been very kind!

No problem. I very much enjoy what I do :).

But given that all the tests have come back clean so far, that was presumably not a malware problem, right?

Correct! Everything appears to be clean.
What you described is actually a normal occurrence; all programs have to be ended before you shut down, and that was just Windows' way of doing it.

One last question: is there any way to scan/clean my external harddrive? I've 'vaccinated' it to prevent the autorun function, but my guess is that there is still some malware on that. Can I get rid of it, or is it not worth worrying about as long as the autorun is disabled?

The autorun function is what causes most of the infections associated with removable hard drives, but it's still a good idea to scan the entire drive to make sure it's clean.

Simply insert the drive in your computer, and perform another ESET Online Scan. Post the results in your next reply for me here to see.
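The reply above explains that autorun is how most removable-drive infections spread and that the drive should still be scanned even after vaccination. The script below is an added example, not code from the thread, from Panda, ESET or BitDefender: it reads the autorun.inf at a drive root the way a triage script would, lists the commands Explorer would launch from it (open=, shellexecute= and shell\verb\command= values), checks whether those executables actually exist on the drive, and treats a root AUTORUN.INF entry that is a directory rather than a file as the marker left by a folder-style vaccine (whether a particular vaccine tool uses exactly this marker is an assumption; inspect your own drive). The autorun.inf contents and the file name Recycled\update.exe are constructed for the example and are not the files reported in this thread.

```python
import os
import re
import tempfile

# Constructed autorun.inf modelled on the shape USB worms drop at a drive root.
# The target name is invented for the example.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=Recycled\\update.exe
shellexecute=Recycled\\update.exe
shell\\open\\Command=Recycled\\update.exe
shell\\explore\\Command=Recycled\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Keys whose value is a command Explorer runs: open=, shellexecute=, shell\<verb>\command=
COMMAND_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def command_targets(entries):
    """Executables the file would launch, with arguments stripped, in first-seen order."""
    targets = []
    for key, value in entries.items():
        if key not in COMMAND_KEYS and not SHELL_VERB.match(key):
            continue
        if value.startswith('"'):
            exe = value[1:].split('"', 1)[0]   # quoted path, may contain spaces
        else:
            parts = value.split()
            exe = parts[0] if parts else ""
        if exe and exe not in targets:
            targets.append(exe)
    return targets


def audit_drive(root):
    """Classify a drive root by its AUTORUN.INF entry and resolve the commands it names."""
    inf = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if inf is None:
        return {"state": "absent", "targets": []}
    path = os.path.join(root, inf)
    if os.path.isdir(path):
        # A directory occupying the name blocks malware from writing its own autorun.inf;
        # assumed here to be a vaccine marker (check the tool you used).
        return {"state": "blocked-by-directory", "targets": []}
    with open(path, encoding="latin-1", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    targets = []
    for exe in command_targets(entries):
        rel = exe.replace("\\", os.sep)
        targets.append({"command": exe, "present": os.path.isfile(os.path.join(root, rel))})
    return {"state": "autorun-present", "targets": targets}


def build_sample_drive(root, vaccinated=False):
    """Lay out a constructed drive image under root for the demo."""
    if vaccinated:
        os.mkdir(os.path.join(root, "AUTORUN.INF"))
        return
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    os.mkdir(os.path.join(root, "Recycled"))
    open(os.path.join(root, "Recycled", "update.exe"), "wb").close()


def demo():
    """Audit one constructed infected-looking drive and one vaccinated drive."""
    results = {}
    for label, vacc in (("infected", False), ("vaccinated", True)):
        with tempfile.TemporaryDirectory() as root:
            build_sample_drive(root, vaccinated=vacc)
            results[label] = audit_drive(root)
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

On a real drive call audit_drive("D:\\") (or the mount point on Linux); a target marked present is the file to submit to the scanner, and a target that is absent means the launcher was already removed but the autorun.inf itself still needs deleting.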

#13 catamantaloedes (Topic Starter)

Posted 19 June 2011 - 08:19 AM

Hi again,

I've done the ESET scan and it turned up a few threats on the external hard drive - the details are below. My antivirus, Microsoft Security Essentials, also reported and removed a Trojan it identified as Win32/RimecudA. Here's what it reported:

Items:
file:D:\nasmejana\sharmira.exe
file:D:\zaboravi\dasamteikad.exe
filelocalcopy:c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{39428C28-AA88-4BC4-A05C-DD7C28E4BA95}-sharmira.exe
filelocalcopy:\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{35A56241-A672-4287-965E-E9866EFE4C9A}-dasamteikad.exe

Should I be worried about any of these results or does this mean that everything's been cleaned up from the external drive, too?

Thanks as always!
catamantaloedes

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6526
# api_version=3.0.2
# EOSSerial=636528b917213e4e9e0ce0f7c42b4a55
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-19 01:14:22
# local_time=2011-06-19 03:14:22 (+0100, W. Europe Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776533 42 87 52213 20533285 0 0
# compatibility_mode=8192 67108863 100 0 568669 568669 0 0
# scanned=118116
# found=3
# cleaned=3
# scan_time=7657
D:\System Volume Information\_restore{D943BACC-C405-4AD7-B9AF-994E097D0C0F}\RP363\A0032096.inf INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\System Volume Information\_restore{D943BACC-C405-4AD7-B9AF-994E097D0C0F}\RP364\A0032107.inf INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C
D:\Recycled\Dd2.INF INF/Autorun virus (deleted - quarantined) 00000000000000000000000000000000 C

#14 D-FRED-BROWN

    Resident Bracketologist

  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 19 June 2011 - 10:39 AM

Should I be worried about any of these results or does this mean that everything's been cleaned up from the external drive, too?

Let's run one more scan just to be sure. :)

Leave the drive plugged in, and please use Internet Explorer to run a BitDefender Online scan from Here
  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post the results in your next reply.

#15 catamantaloedes
  • Topic Starter

  • Members
  • 8 posts

Posted 19 June 2011 - 11:54 AM

Hi,

Here's the result - it looks clean! Let me know if there's anything else I should do, and thanks again,

catamantaloedes



QuickScan Beta 32-bit v0.9.9.96
-------------------------------
Scan date: Sun Jun 19 18:52:31 2011
Machine ID: 26BDA222



No infection found.
-------------------



Processes
---------
(verified) Acer Video Conference Manager 2980 C:\Program Files\Acer\Acer VCM\AcerVCM.exe
(verified) Acer Video Conference Manager 204 C:\Program Files\Acer\Acer VCM\RS_Service.exe
(verified) Bonjour 1900 C:\Program Files\Bonjour\mDNSResponder.exe
(verified) DivX Update 2752 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(verified) Dropbox 3076 C:\Documents and Settings\Kyrill\Application Data\Dropbox\bin\Dropbox.exe
(verified) Google Chrome 2956 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 2808 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 3920 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 3332 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 3152 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 2960 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(verified) Google Talk Plugin 480 C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
(verified) GrooveMonitor Utility 2608 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(verified) Intel® Common User Interface 2052 C:\WINDOWS\system32\hkcmd.exe
(verified) Intel® Common User Interface 3224 C:\WINDOWS\system32\igfxext.exe
(verified) Intel® Common User Interface 2176 C:\WINDOWS\system32\igfxpers.exe
(verified) Intel® Common User Interface 2104 C:\WINDOWS\system32\igfxsrvc.exe
(verified) Intel® Common User Interface 1428 C:\WINDOWS\system32\igfxtray.exe
(verified) iTunes 3156 C:\Program Files\iPod\bin\iPodService.exe
(verified) iTunes 2688 C:\Program Files\iTunes\iTunesHelper.exe
(verified) Java™ Platform SE 6 U26 148 C:\Program Files\Java\jre6\bin\jqs.exe
(verified) Java™ Platform SE Auto Updater 2 0 2764 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) Launch Manager 2512 C:\PROGRA~1\LAUNCH~1\LManager.exe
(verified) M3000Mnt.exe 2728 C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
(verified) Microsoft Malware Protection 1108 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(verified) Microsoft Office OneNote 660 C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
(verified) Microsoft Security Client 2792 C:\Program Files\Microsoft Security Client\msseces.exe
(verified) Microsoft® Windows® Operating System 3040 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(verified) Microsoft® Windows® Operating System 1844 C:\WINDOWS\explorer.exe
(verified) Microsoft® Windows® Operating System 1892 C:\WINDOWS\system32\alg.exe
(verified) Microsoft® Windows® Operating System 760 C:\WINDOWS\system32\csrss.exe
(verified) Microsoft® Windows® Operating System 2824 C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System 840 C:\WINDOWS\system32\lsass.exe
(verified) Microsoft® Windows® Operating System 828 C:\WINDOWS\system32\services.exe
(verified) Microsoft® Windows® Operating System 460 C:\WINDOWS\system32\smss.exe
(verified) Microsoft® Windows® Operating System 1580 C:\WINDOWS\system32\spoolsv.exe
(verified) Microsoft® Windows® Operating System 1676 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1280 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1252 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1144 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1068 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1000 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 276 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 452 C:\WINDOWS\system32\wdfmgr.exe
(verified) Microsoft® Windows® Operating System 784 C:\WINDOWS\system32\winlogon.exe
(verified) MobileDeviceService 1868 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(verified) RAID Event Monitor 1708 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(verified) RAID Monitor 2040 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(verified) Realtek HD Audio Sound Effect Manager 2248 C:\WINDOWS\RTHDCPL.EXE
(verified) Skype 3700 C:\Program Files\Skype\Phone\Skype.exe
(verified) Skype Extras Manager 3916 C:\Program Files\Skype\Plugin Manager\skypePM.exe
(verified) Synaptics Pointing Device Driver 2640 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(verified) TGCM 376 C:\Program Files\o2\Mobile Connection Manager\ImpWiFiSvc.exe
(verified) USB Vaccine 3120 C:\Program Files\Panda USB Vaccine\USBVaccine.exe
(verified) Windows® Internet Explorer 652 C:\Program Files\Internet Explorer\iexplore.exe
(verified) Windows® Internet Explorer 3488 C:\Program Files\Internet Explorer\iexplore.exe
(verified) Windows® Internet Explorer 3768 C:\Program Files\Internet Explorer\iexplore.exe


Network activity
----------------
Process chrome.exe (2960) connected on port 443 (HTTP over SSL) --> 209.85.148.83
Process chrome.exe (2960) connected on port 80 (HTTP) --> 209.85.147.102
Process Dropbox.exe (3076) connected on port 80 (HTTP) --> 199.47.216.144
Process iexplore.exe (3488) connected on port 80 (HTTP) --> 66.235.142.20
Process iexplore.exe (3488) connected on port 80 (HTTP) --> 66.220.158.25
Process iexplore.exe (3488) connected on port 80 (HTTP) --> 209.85.147.102

Process svchost.exe (1068) listens on ports: 135 (RPC)
Process Dropbox.exe (3076) listens on ports: 17500


Autoruns and critical files
---------------------------
(unsigned) QuickTime C:\Program Files\QuickTime\QTTask.exe

(verified) Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(verified) Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
(verified) DivX Update C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(verified) Dropbox C:\Documents and Settings\Kyrill\Application Data\Dropbox\bin\Dropbox.exe
(verified) Google Desktop C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(verified) Google Update C:\Documents and Settings\Kyrill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
(verified) GrooveMonitor Utility C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(verified) GrooveShellExtensions Module C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
(verified) ImScInst.exe C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\hkcmd.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxdev.dll
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxpers.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxtray.exe
(verified) iTunes C:\Program Files\iTunes\iTunesHelper.exe
(verified) Java™ Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) Launch Manager C:\Program Files\Launch Manager\LManager.exe
(verified) Microsoft IME 2002 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
(verified) Microsoft Office OneNote C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(verified) Microsoft Security Client C:\Program Files\Microsoft Security Client\msseces.exe
(verified) Microsoft® Windows® Operating System C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\BROWSEUI.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\CRYPT32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\SHELL32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WlNotify.dll
(verified) MobileMe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
(verified) RAID Event Monitor C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(verified) Realtek Azalia Mixer Selector C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
(verified) Realtek HD Audio Sound Effect Manager C:\WINDOWS\RTHDCPL.EXE
(verified) Synaptics Pointing Device Driver C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(verified) USB Vaccine C:\Program Files\Panda USB Vaccine\USBVaccine.exe
(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll
(verified) Windows® Search C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
(verified) 新注音 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE


Browser plugins
---------------
(unsigned) Java™ Platform SE 6 U26 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll

(verified) AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
(verified) Adobe Acrobat C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
(verified) Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
(verified) BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll
(verified) Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
(verified) DivX VOD Helper Plug-in C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
(verified) DivX Web Player c:\program files\divx\divx plus web player\npdivx32.dll
(verified) Google Talk Plugin C:\Documents and Settings\Kyrill\Application Data\Mozilla\plugins\npgoogletalk.dll
(verified) Google Talk Plugin Video Accelerator C:\Documents and Settings\Kyrill\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
(verified) Google Toolbar for IE c:\program files\google\googletoolbar1.dll
(verified) GoogleToolbarNotifier c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
(verified) GrooveShellExtensions Module C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
(verified) Java™ Platform SE 6 U26 c:\program files\java\jre6\bin\jp2ssv.dll
(verified) Java™ Platform SE 6 U26 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
(verified) Messenger C:\Program Files\Messenger\msmsgs.exe
(verified) Microsoft® Windows Live Login Helper c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\winrnr.dll
(verified) Move Streaming Media Player C:\Documents and Settings\Kyrill\Application Data\Move Networks\plugins\npqmp071705000014.dll
(verified) npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
(verified) NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
(verified) Picasa C:\Program Files\Google\Picasa3\npPicasa3.dll
(verified) Silverlight Plug-In c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
(verified) Windows Live® Photo Gallery C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
(verified) Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
(verified) Windows® Internet Explorer C:\WINDOWS\system32\IEFRAME.dll


Missing files
-------------
File not found: M3000Rmv.dll
--> HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"M3000Mnt"


Scan
----
MD5: 0b02d9aa67eea2c5524943b69418512e C:\Documents and Settings\Kyrill\Application Data\Dropbox\bin\PYTHON25.DLL
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
MD5: 6c859c6fce6d694eafd7ea3ae66d54db C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
MD5: 1040bd9bf3ddab7cda2346f8375480a2 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
MD5: afdae59fe562a7cdb44f9d4abedac316 C:\Program Files\QuickTime\QTSystem\QTCF.dll
MD5: 1d856e6e7490447fcfaa46e09a2bf9c9 C:\Program Files\QuickTime\QTSystem\QuickTime.qts
MD5: 0aee5668eb59912f32ff245bfa72465f C:\Program Files\QuickTime\QTTask.exe


No file uploaded.

Scan finished - communication took 0 sec
Total traffic - 0.00 MB sent, 0.09 KB recvd
Scanned 728 files and modules - 16 seconds

==============================================================================