AV Guard Online Impervious to Remedies


This topic is locked
18 replies to this topic

#1 SherylEber
Members, 10 posts, Gender: Female, Location: SoCal

Posted 10 October 2011 - 08:05 PM

My dear sweet mother clicked or opened something that started to run AV Guard Online and scare the bejeesus out of her. Fortunately, she is a fairly savvy senior and promptly alerted me to the shenanigans. I immediately isolated her laptop from our home network (turned off the wireless access) and began researching the removal.

I am a former IT Weenie, so feel quite comfortable following removal instructions and cautiously noodling around in registries.

I have carefully:

  • Followed the removal instructions for AV Guard Online in the Spyware Removal tab
  • Installed and run Malwarebytes - several times
  • Installed and run TDSSKiller
  • Installed and run SUPERAntiSpyware
  • Run McAfee Stinger
  • I did run ComboFix
  • I have reconfigured IP several times
  • Tried System Restore to a previous date - now it no longer works
  • Installed and run MiniToolBox

The last run of Malwarebytes still finds PUM.Hijack.StartMenu even though I remove it every run.

Unfortunately, I think that because she alerted me so quickly, AV Guard Online didn't really have time to fully install, so I'm wrestling some bastardized, corrupt version. I am unable to get internet connectivity, so I have been using my laptop to research and download onto a thumb drive... she's busily searching for her disks that came with the system in the event that we go ahead and format and reinstall.

Any more ideas? Any help at all is much appreciated! I've been wrestling this for 4 days now, and she's getting cranky because I won't let her use my computers to get e-mail... (does that mean I'm a bad daughter?)

Many thanks! I humbly submit the following logs for your perusal....

DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Bev at 17:46:17 on 2011-10-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.341 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1250486336\ee\AOLSoftware.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110518222534.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [HostManager] c:\program files\common files\aol\1250486336\ee\AOLSoftware.exe
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0401.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{2B163A73-0412-4980-AF2B-E6046C6A4DD9} : NameServer = 68.105.28.11,68.105.29.11
TCP: Interfaces\{2B163A73-0412-4980-AF2B-E6046C6A4DD9} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-12-19 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-12-19 84200]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-7 366152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-11-23 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-19 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-19 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-12-19 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-12-19 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-12-19 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-12-19 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-19 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-7 22216]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-19 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-19 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-19 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-12-19 88736]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-12-19 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-19 84488]
.
=============== Created Last 30 ================
.
2011-10-10 18:31:00 -------- d-sha-r- C:\cmdcons
2011-10-10 18:29:23 -------- d-----w- C:\sherylfix.exe22677s
2011-10-10 17:56:20 -------- d-----w- C:\sherylfix.exe
2011-10-10 16:45:21 98816 ----a-w- c:\windows\sed.exe
2011-10-10 16:45:21 518144 ----a-w- c:\windows\SWREG.exe
2011-10-10 16:45:21 256000 ----a-w- c:\windows\PEV.exe
2011-10-10 16:45:21 208896 ----a-w- c:\windows\MBR.exe
2011-10-10 03:03:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-10 03:03:51 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-08 16:26:26 -------- d-----w- c:\program files\Vongo
2011-10-08 02:47:44 -------- d-----w- c:\documents and settings\bev\application data\Malwarebytes
2011-10-07 23:16:49 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-07 23:13:36 -------- d--h--w- c:\windows\PIF
2011-10-07 23:09:55 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-07 23:09:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-07 20:50:14 -------- d-----w- c:\documents and settings\bev\application data\McAfee
2011-10-07 03:21:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-07 03:21:04 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-07 02:43:30 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-04 03:50:40 -------- d-----w- c:\documents and settings\bev\application data\Funambol
2011-10-04 03:50:16 -------- d-----w- c:\program files\Funambol
2011-09-23 00:28:56 -------- d-----w- c:\program files\Azada
2011-09-23 00:28:44 -------- d-----w- c:\program files\Pat Sajak's Lucky Letters
2011-09-23 00:28:02 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
2011-09-23 00:26:45 -------- d-----w- c:\program files\Jewel Quest II
2011-09-23 00:26:21 -------- d-----w- c:\program files\DNA
2011-09-23 00:25:59 -------- d-----w- c:\program files\Coffee Rush
2011-09-23 00:25:52 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2011-09-23 00:25:52 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2011-09-23 00:25:45 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2011-09-23 00:02:49 -------- d-----w- c:\program files\Brain Challenge
2011-09-23 00:01:23 -------- d-----w- c:\program files\Big City Adventure - Sydney Australia
2011-09-22 23:59:23 -------- d-----w- c:\program files\Around the World in 80 Days
2011-09-22 23:57:20 -------- d-----w- c:\documents and settings\all users\application data\Big Fish Games
2011-09-22 23:57:09 -------- d-----w- c:\program files\bfgclient
2011-09-22 23:55:58 -------- d-----w- c:\documents and settings\all users\application data\BigFishGamesCache
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!
.
============= FINISH: 17:46:38.20 ===============

Attached File: attach.txt (35.32KB)

GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-10 17:17:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 rev.
Running: t60oju25.exe; Driver: C:\DOCUME~1\Bev\LOCALS~1\Temp\kgtoykow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF72C3210]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF72C3224]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF72C3250]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF72C32A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF72C31FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF72C31D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF72C31E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF72C323A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF72C327C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF72C3266]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF72C32D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF72C32BC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF72C3290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00640FD4
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00630F92
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00630087
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00630076
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00630065
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00630FC3
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006300C9
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006300AC
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00630F55
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006300E4
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00630109
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00630054
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00630025
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00630F81
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00630FE5
.text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00630F66
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B1003D
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B10FAC
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B1002C
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B1001B
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B10069
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B10FBD
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D1, 88]
.text C:\WINDOWS\system32\svchost.exe[600] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B1004E
.text C:\WINDOWS\system32\svchost.exe[600] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B00F9C
.text C:\WINDOWS\system32\svchost.exe[600] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B00027
.text C:\WINDOWS\system32\svchost.exe[600] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B00FC1
.text C:\WINDOWS\system32\svchost.exe[600] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B00FE3
.text C:\WINDOWS\system32\svchost.exe[600] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B00016
.text C:\WINDOWS\system32\svchost.exe[600] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B00FD2
.text C:\WINDOWS\system32\svchost.exe[600] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00650FE5
.text C:\WINDOWS\system32\svchost.exe[600] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[600] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00650011
.text C:\WINDOWS\system32\svchost.exe[600] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00650022
.text C:\WINDOWS\system32\svchost.exe[600] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B0002C
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B0001B
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AF0073
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AF0062
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AF0047
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AF0F8A
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AF0FC0
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AF0F48
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AF0F63
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AF0F0B
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AF0F1C
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AF0EF0
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AF0F9B
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AF0FDB
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AF0084
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AF002C
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AF0011
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AF0F2D
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B20FC3
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B2004A
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B20FDE
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B20039
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B20F97
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D2, 88]
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B20FA8
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B10F95
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B1002A
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B10FC1
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B10FB0
.text C:\WINDOWS\system32\svchost.exe[868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B10FD2
.text C:\WINDOWS\system32\services.exe[1064] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\services.exe[1064] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E90025
.text C:\WINDOWS\system32\services.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E800A1
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80090
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E8007F
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80062
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80047
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E800DE
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E800CD
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80111
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80100
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E80F5D
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80FC0
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E800BC
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\services.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E800EF
.text C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F00FD4
.text C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F00F8A
.text C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F0000A
.text C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F00FA5
.text C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F00FEF
.text C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F00047
.text C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F00036
.text C:\WINDOWS\system32\services.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EF0FDE
.text C:\WINDOWS\system32\services.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EF005F
.text C:\WINDOWS\system32\services.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\services.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EF000C
.text C:\WINDOWS\system32\services.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EF0044
.text C:\WINDOWS\system32\services.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EF0029
.text C:\WINDOWS\system32\services.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\lsass.exe[1076] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\lsass.exe[1076] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\system32\lsass.exe[1076] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90F6A
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C9005F
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C9004E
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90F91
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90095
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C9007A
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90EFC
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90F17
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900B0
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9003D
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90F4F
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C90F28
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CE0F9E
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EE, 88]
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CE0FAF
.text C:\WINDOWS\system32\lsass.exe[1076] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC0FB9
.text C:\WINDOWS\system32\lsass.exe[1076] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC0044
.text C:\WINDOWS\system32\lsass.exe[1076] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\lsass.exe[1076] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC000C
.text C:\WINDOWS\system32\lsass.exe[1076] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0FDE
.text C:\WINDOWS\system32\lsass.exe[1076] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC001D
.text C:\WINDOWS\system32\lsass.exe[1076] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB000A
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B50FCA
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40000
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40F79
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40F94
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B4006E
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40051
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40FB9
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B400A6
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40F5E
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F32
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B40F43
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B40F21
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40040
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FE5
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40089
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40FD4
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40025
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B400C1
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B8002F
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80FA8
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80014
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80FB9
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B8005B
.text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80040
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FAD
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70038
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70FD2
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70FE3
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70027
.text C:\WINDOWS\system32\svchost.exe[1228] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B7000C
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D00FDE
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F8B
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0080
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F9C
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0FB9
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0040
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF00AE
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF0091
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF00F5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF00DA
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF0F37
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF005B
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF000A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F66
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0025
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF00C9
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D30FC3
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D30F61
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D30F72
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D30F97
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F3, 88]
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D30FA8
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D2006E
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D2005D
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D2001D
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20038
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D2000C
.text C:\WINDOWS\system32\svchost.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\System32\svchost.exe[1328] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01CF000A
.text C:\WINDOWS\System32\svchost.exe[1328] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01CF001B
.text C:\WINDOWS\System32\svchost.exe[1328] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01CF0FE5
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0168000A
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0168007F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0168006E
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0168005D
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01680F9E
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01680FC0
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 016800AD
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01680F65
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 016800D9
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01680F4A
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01680F2F
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01680FAF
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01680FEF
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01680090
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01680036
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01680025
.text C:\WINDOWS\System32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 016800C8
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01CE0022
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01CE0FAC
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01CE0FDB
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01CE0011
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01CE0069
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01CE0000
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01CE004E
.text C:\WINDOWS\System32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01CE0033
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01CD0027
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 01CD0F9C
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01CD0FD2
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01CD0FEF
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01CD0FC1
.text C:\WINDOWS\System32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01CD0000
.text C:\WINDOWS\System32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01CC0000
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 01CB0000
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 01CB0FE5
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 01CB0FD4
.text C:\WINDOWS\System32\svchost.exe[1328] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 01CB0FC3
.text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009F0022
.text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F0011
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006C0075
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006C0F8A
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006C0058
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006C0047
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006C0FB6
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006C0F48
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006C0F65
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006C00BC
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006C00AB
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006C00D7
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006C0F9B
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006C0090
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006C0022
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006C0011
.text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006C0F2D
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20FB2
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20F57
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A20FC3
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A2001E
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A20F7C
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C2, 88]
.text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A20F97
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10FBE
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10053
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10027
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A1000C
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10042
.text C:\WINDOWS\system32\svchost.exe[1476] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1476] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A00000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1604] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1664] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00700FE5
.text C:\WINDOWS\System32\svchost.exe[1664] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00700FB9
.text C:\WINDOWS\System32\svchost.exe[1664] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00700FD4
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F0040
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F0025
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F0F4B
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0F68
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F0F94
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F0F1F
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F005B
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F0EE9
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F0EFA
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006F00A7
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006F0F83
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006F0F30
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006F0FAF
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\System32\svchost.exe[1664] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006F0078
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E002C
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E0F94
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E0011
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E0051
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006E0FAF
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8E, 88]
.text C:\WINDOWS\System32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00720053
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!system 77C293C7 5 Bytes JMP 00720FC8
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00720FE3
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00720000
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00720038
.text C:\WINDOWS\System32\svchost.exe[1664] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0072001D
.text C:\WINDOWS\System32\svchost.exe[1664] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00710000
.text C:\WINDOWS\System32\svchost.exe[1684] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00700FEF
.text C:\WINDOWS\System32\svchost.exe[1684] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00700025
.text C:\WINDOWS\System32\svchost.exe[1684] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00700014
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006F0000
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006F0093
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006F0078
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006F0F9E
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006F0FAF
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006F0036
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006F0F68
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006F00B0
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006F00E6
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006F00C1
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006F0F32
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006F0047
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006F0FE5
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006F0F83
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006F0FD4
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006F0025
.text C:\WINDOWS\System32\svchost.exe[1684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006F0F43
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006E0F83
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006E0FDE
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006E0036
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006E0F94
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8E, 88]
.text C:\WINDOWS\System32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006E001B
.text C:\WINDOWS\System32\svchost.exe[1684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00720049
.text C:\WINDOWS\System32\svchost.exe[1684] msvcrt.dll!system 77C293C7 5 Bytes JMP 0072002E
.text C:\WINDOWS\System32\svchost.exe[1684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0072001D
.text C:\WINDOWS\System32\svchost.exe[1684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00720FEF
.text C:\WINDOWS\System32\svchost.exe[1684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00720FC8
.text C:\WINDOWS\System32\svchost.exe[1684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00720000
.text C:\WINDOWS\System32\svchost.exe[1684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00710FEF
.text C:\WINDOWS\system32\svchost.exe[1940] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1940] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\svchost.exe[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F8D
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD006C
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD005B
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00AE
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD009D
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00E4
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F4B
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00FF
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F72
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FDB
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00C9
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC0F83
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0FA8
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DC, 88]
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0F7A
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0F8B
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0FB7
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0FA6
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\Explorer.EXE[2296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\Explorer.EXE[2296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FD4
.text C:\WINDOWS\Explorer.EXE[2296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090000
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F5C
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F6D
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0051
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0036
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B001B
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B007F
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F37
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F0B
.text C:\WINDOWS\Explorer.EXE[2296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00A4

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Edited by m0le, 15 October 2011 - 08:27 PM.
bbcode was annoying me :)

Warm hearts wait...

#2 m0le
  • Malware Response Team

Posted 15 October 2011 - 06:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 SherylEber
  • Topic Starter

Posted 15 October 2011 - 08:08 PM

Hi m0le!

Many thanks for taking a look. Yes, we do need help. I turned mom's computer off after posting my request and have been patiently waiting. WOO HOO!

When you are ready, I can set up our laptops side by side to comply with your instructions. We have identical laptops and while she is still unable to find her disks, I should be able to copy clean files from my system.

Warm regards,
Sheryl
Warm hearts wait...

#4 m0le
  • Malware Response Team

Posted 15 October 2011 - 08:28 PM

GMER's flagging a possible rootkit, so let's see.

Please download and run aswMBR

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 SherylEber
  • Topic Starter

Posted 15 October 2011 - 09:32 PM

Thanks! Here's the result...

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-15 19:27:46
-----------------------------
19:27:46.484 OS Version: Windows 5.1.2600 Service Pack 3
19:27:46.484 Number of processors: 2 586 0xE08
19:27:46.484 ComputerName: PC785018295244 UserName: Bev
19:27:47.093 Initialize success
19:28:06.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:28:06.984 Disk 0 Vendor: Size: 0MB BusType: 0
19:28:07.031 Disk 0 MBR read successfully
19:28:07.046 Disk 0 MBR scan
19:28:07.046 Disk 0 unknown MBR code
19:28:07.062 Disk 0 MBR hidden
19:28:07.171 Disk 0 scanning C:\WINDOWS\system32\drivers
19:28:14.812 Service scanning
19:28:16.703 Modules scanning
19:28:20.953 Disk 0 trace - called modules:
19:28:21.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
19:28:21.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8710aab8]
19:28:21.015 3 CLASSPNP.SYS[f7610fd7] -> nt!IofCallDriver -> \Device\0000008c[0x871699a0]
19:28:21.031 5 ACPI.sys[f7487620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8714b030]
19:28:21.046 Scan finished successfully
19:28:32.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bev\Desktop\MBR.dat"
19:28:32.671 The log file has been saved successfully to "C:\Documents and Settings\Bev\Desktop\aswMBR.txt"
Warm hearts wait...

#6 m0le
  • Malware Response Team

Posted 16 October 2011 - 01:30 PM

Just need a check on the MBR that's showing unknown.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#7 SherylEber
  • Topic Starter

Posted 16 October 2011 - 05:08 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 149):

Processes (total 64):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000018`c6111000 (FAT32)

PhysicalDrive0 Model Number: ST9120821AS, Rev: 7.24

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F19F100B4DC860880BDC331CC9D56B1C13F605D5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

Thanks, again!
Warm hearts wait...
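
As an added example (not from this thread and not the code of GMER, aswMBR or MBRCheck), a Python script that performs on a 512-byte sector-0 dump, such as the MBR.dat aswMBR saved above, the checks those tools summarise in the logs in posts #1, #5 and #7: it verifies the 55AA boot signature, decodes the partition table into the byte offsets MBRCheck prints, and hashes the boot-code area for comparison against a known-good list. The constructed sample partition table is my own, chosen to reproduce the two volume offsets in the MBRCheck log; the known-good hash list is a placeholder, and hashing only bytes 0..439 is my choice, not necessarily how MBRCheck computes its SHA1.

```python
import hashlib
import struct
import sys

SECTOR = 512
BOOTCODE_LEN = 440            # bytes 0..439: the executable boot code
PTABLE_OFF = 446              # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 must hold 55 AA

# Subset of partition type bytes; enough for the two volumes in the log.
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}

# Placeholder: a real deployment fills this with SHA1s of the stock boot code
# shipped by each Windows version. The value below is NOT a real hash.
KNOWN_GOOD_BOOTCODE_SHA1 = {
    "0000000000000000000000000000000000000000": "placeholder-known-good",
}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry (the CHS fields are skipped)."""
    boot_flag, ptype, start_lba, num_sectors = struct.unpack_from("<B3xB3xII", entry)
    return {
        "bootable": boot_flag == 0x80,
        "type": ptype,
        "type_name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
        "start_lba": start_lba,
        "sectors": num_sectors,
        "byte_offset": start_lba * SECTOR,   # what MBRCheck prints as "at offset"
    }


def check_mbr(sector0: bytes) -> dict:
    """Verify sector 0 the way the tools in this thread summarise it."""
    if len(sector0) != SECTOR:
        raise ValueError("expected a %d-byte sector-0 dump" % SECTOR)
    sig_ok = sector0[510:512] == BOOT_SIGNATURE
    # Hash only the code area: repartitioning changes bytes 440..511 but
    # leaves legitimate boot code alone, so the hash stays comparable.
    bootcode_sha1 = hashlib.sha1(sector0[:BOOTCODE_LEN]).hexdigest().upper()
    partitions = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        entry = parse_partition_entry(sector0[off:off + 16])
        if entry["type"] != 0:               # type 0x00 marks an empty slot
            partitions.append(entry)
    if not sig_ok:
        status = "Missing 55AA signature"
    else:
        status = KNOWN_GOOD_BOOTCODE_SHA1.get(bootcode_sha1, "Unknown MBR code")
    return {
        "boot_signature_ok": sig_ok,
        "bootcode_sha1": bootcode_sha1,
        "status": status,
        "partitions": partitions,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample (not a real dump): filler boot code plus a partition
    table matching the two volume offsets in the MBRCheck log above."""
    boot = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOTCODE_LEN - 4)
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # bytes 440..445
    ntfs_start = 63                   # 63 * 512 = 0x7E00, the C: offset
    fat32_start = 0x0C630888          # * 512 = 0x18C6111000, the D: offset
    p1 = struct.pack("<B3xB3xII", 0x80, 0x07, ntfs_start, fat32_start - ntfs_start)
    p2 = struct.pack("<B3xB3xII", 0x00, 0x0C, fat32_start, 0x00F00000)
    empty = b"\x00" * 16
    return boot + disk_sig + p1 + p2 + empty + empty + BOOT_SIGNATURE


def main(argv):
    # Pass the MBR.dat that aswMBR saves to analyse a real sector 0;
    # with no argument the constructed sample is used.
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read(SECTOR)
    else:
        data = build_sample_mbr()
    result = check_mbr(data)
    print("Boot signature:", "ok" if result["boot_signature_ok"] else "MISSING")
    print("Boot code SHA1:", result["bootcode_sha1"])
    print("MBR status:    ", result["status"])
    for p in result["partitions"]:
        print("  %s at offset 0x%016X (%d sectors)%s"
              % (p["type_name"], p["byte_offset"], p["sectors"],
                 " [active]" if p["bootable"] else ""))


if __name__ == "__main__":
    main(sys.argv)
```

Run with no argument to see the sample decoded, or point it at an aswMBR MBR.dat; an "Unknown MBR code" verdict alone only means the code is not in the known-good list, so a suspicious hash still needs the sector disassembled or compared with a clean install.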

#8 m0le
  • Malware Response Team

Posted 16 October 2011 - 06:00 PM

No problems there. Let's run ComboFix and see what there is to deal with.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#9 SherylEber
  • Topic Starter

Posted 16 October 2011 - 06:23 PM

The infected computer does not have access to the internet, so ComboFix is unable to connect and download the recovery console... Scanning anyway...

Do you have a link to download the console? I can port it over on my thumb drive.

Edited by SherylEber, 16 October 2011 - 06:32 PM.

Warm hearts wait...

#10 m0le
  • Malware Response Team

Posted 16 October 2011 - 06:24 PM

Please continue without the console at this stage :)
m0le is a proud member of UNITE

#11 SherylEber
  • Topic Starter

Posted 16 October 2011 - 06:51 PM

ComboFix log without recovery console (internet access disabled by malware):

ComboFix 11-10-16.02 - Bev 10/16/2011 16:29:50.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.313 [GMT -7:00]
Running from: c:\documents and settings\Bev\Desktop\comfix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\comfix.exe
c:\comfix.exe\NircmdB.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-10_17.27.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-16 14:43 . 2011-10-16 14:43 16384 c:\windows\temp\Perflib_Perfdata_3d8.dat
+ 2006-09-12 06:46 . 2011-10-16 14:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-09-12 06:46 . 2011-10-08 23:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-10-11 00:07 . 2011-10-16 14:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\boohoo\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\Super Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-20 102400]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1250486336\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/19/2010 10:21 AM 84200]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/7/2011 4:09 PM 366152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/23/2010 9:36 PM 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/19/2010 10:21 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [12/19/2010 10:21 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [12/19/2010 10:22 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/19/2010 10:21 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/19/2010 10:21 AM 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/7/2011 4:09 PM 22216]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/19/2010 10:21 AM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/19/2010 10:21 AM 88736]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 1:39 PM 61952]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/19/2010 10:21 AM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/19/2010 10:21 AM 84488]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-10-16 c:\windows\Tasks\User_Feed_Synchronization-{A709807C-4426-409E-92B8-11D7329AD555}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{2B163A73-0412-4980-AF2B-E6046C6A4DD9}: NameServer = 68.105.28.11,68.105.29.11
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 16:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???(T??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-10-16 16:45:29
ComboFix-quarantined-files.txt 2011-10-16 23:45
ComboFix2.txt 2011-10-10 18:41
ComboFix3.txt 2011-10-10 18:13
ComboFix4.txt 2011-10-10 17:31
.
Pre-Run: 69,626,724,352 bytes free
Post-Run: 69,598,248,960 bytes free
.
- - End Of File - - 0110258798F935BE28B9381AD8B793EA


I did run combofix on the 10th if you would like to have that log to compare...
Warm hearts wait...

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:36 AM

Posted 16 October 2011 - 07:01 PM

I did run combofix on the 10th if you would like to have that log to compare...


You shouldn't have but thanks for letting me know and I would like the log please.
m0le is a proud member of UNITE

#13 SherylEber

SherylEber
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Female
  • Location:SoCal
  • Local time:02:36 AM

Posted 16 October 2011 - 07:23 PM

Here's one... - there's another one, too. I think it was able to install the recovery console somehow...

ComboFix 11-10-10.01 - Bev 10/10/2011 11:01:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.505 [GMT -7:00]
Running from: c:\documents and settings\Bev\Desktop\AV Killer\sherylfix.exe.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-09-10 to 2011-10-10 )))))))))))))))))))))))))))))))
.
.
2011-10-10 03:03 . 2011-10-10 03:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-08 18:44 . 2011-10-08 18:47 -------- d-----w- c:\documents and settings\boohoo
2011-10-08 16:26 . 2011-10-08 16:26 -------- d-----w- c:\program files\Vongo
2011-10-08 16:23 . 2011-10-08 18:38 -------- d-----w- c:\documents and settings\Super Administrator
2011-10-08 02:47 . 2011-10-08 02:47 -------- d-----w- c:\documents and settings\Bev\Application Data\Malwarebytes
2011-10-07 23:16 . 2011-10-07 23:16 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-07 23:13 . 2011-10-07 23:13 -------- d--h--w- c:\windows\PIF
2011-10-07 23:09 . 2011-10-07 23:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-07 23:09 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-07 23:02 . 2011-10-07 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2011-10-07 22:33 . 2011-10-07 22:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-10-07 22:25 . 2011-10-07 22:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Viewpoint
2011-10-07 22:25 . 2011-10-07 22:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2011-10-07 22:25 . 2011-10-07 22:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2011-10-07 22:01 . 2011-10-07 22:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2011-10-07 20:50 . 2011-10-07 20:50 -------- d-----w- c:\documents and settings\Bev\Application Data\McAfee
2011-10-07 03:21 . 2011-10-07 03:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-10-07 03:21 . 2011-10-08 00:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-07 03:21 . 2011-10-07 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-07 02:43 . 2011-10-07 02:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-10-07 02:43 . 2011-10-07 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-07 02:13 . 2011-10-07 02:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sammsoft
2011-10-07 02:09 . 2011-10-07 02:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-04 03:50 . 2011-10-04 03:50 -------- d-----w- c:\documents and settings\Bev\Application Data\Funambol
2011-10-04 03:50 . 2011-10-04 03:50 -------- d-----w- c:\program files\Funambol
2011-09-23 00:28 . 2011-09-23 00:29 -------- d-----w- c:\program files\Azada
2011-09-23 00:28 . 2011-09-23 00:28 -------- d-----w- c:\program files\Pat Sajak's Lucky Letters
2011-09-23 00:28 . 2011-09-23 00:28 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
2011-09-23 00:26 . 2011-09-23 00:28 -------- d-----w- c:\program files\Jewel Quest II
2011-09-23 00:26 . 2011-09-23 00:26 -------- d-----w- c:\program files\DNA
2011-09-23 00:25 . 2011-09-23 00:26 -------- d-----w- c:\program files\Coffee Rush
2011-09-23 00:25 . 2007-07-20 07:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2011-09-23 00:25 . 2007-07-20 07:54 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2011-09-23 00:25 . 2007-07-20 01:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2011-09-23 00:02 . 2011-09-23 00:03 -------- d-----w- c:\program files\Brain Challenge
2011-09-23 00:01 . 2011-09-23 00:01 -------- d-----w- c:\program files\Big City Adventure - Sydney Australia
2011-09-23 00:00 . 2011-09-23 01:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-09-22 23:59 . 2011-09-23 00:00 -------- d-----w- c:\program files\Around the World in 80 Days
2011-09-22 23:57 . 2011-09-22 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2011-09-22 23:57 . 2011-09-22 23:57 -------- d-----w- c:\program files\bfgclient
2011-09-22 23:55 . 2011-09-23 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2005-01-19 12:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-10_17.27.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-10 17:29 . 2011-10-10 17:29 16384 c:\windows\temp\Perflib_Perfdata_850.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-12-20 26112]
"HostManager"="c:\program files\Common Files\AOL\1250486336\ee\AOLSoftware.exe" [2010-02-10 41800]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\boohoo\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\Super Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-20 102400]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1250486336\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/19/2010 10:21 AM 84200]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/23/2010 9:36 PM 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/19/2010 10:21 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [12/19/2010 10:21 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [12/19/2010 10:22 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/19/2010 10:21 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/19/2010 10:21 AM 56064]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/19/2010 10:21 AM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/19/2010 10:21 AM 88736]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 1:39 PM 61952]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/19/2010 10:21 AM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/19/2010 10:21 AM 84488]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-10-10 c:\windows\Tasks\User_Feed_Synchronization-{A709807C-4426-409E-92B8-11D7329AD555}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-10 11:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???(T??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1444)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-10-10 11:13:50
ComboFix-quarantined-files.txt 2011-10-10 18:13
ComboFix2.txt 2011-10-10 17:31
.
Pre-Run: 69,400,236,032 bytes free
Post-Run: 69,442,191,360 bytes free
.
- - End Of File - - E6162036321AC00D37279617A0CBD815

And here's the second one...

ComboFix 11-10-10.01 - Bev 10/10/2011 11:32:34.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.368 [GMT -7:00]
Running from: c:\documents and settings\Bev\Desktop\sherylfix.exe.exe
Command switches used :: c:\documents and settings\Bev\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-10 to 2011-10-10 )))))))))))))))))))))))))))))))
.
.
2011-10-10 17:56 . 2011-10-10 18:13 -------- d-----w- C:\sherylfix.exe
2011-10-10 03:03 . 2011-10-10 03:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-08 18:44 . 2011-10-08 18:47 -------- d-----w- c:\documents and settings\boohoo
2011-10-08 16:26 . 2011-10-08 16:26 -------- d-----w- c:\program files\Vongo
2011-10-08 16:23 . 2011-10-08 18:38 -------- d-----w- c:\documents and settings\Super Administrator
2011-10-08 02:47 . 2011-10-08 02:47 -------- d-----w- c:\documents and settings\Bev\Application Data\Malwarebytes
2011-10-07 23:16 . 2011-10-07 23:16 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-07 23:13 . 2011-10-07 23:13 -------- d--h--w- c:\windows\PIF
2011-10-07 23:09 . 2011-10-07 23:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-07 23:09 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-07 23:02 . 2011-10-07 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2011-10-07 22:33 . 2011-10-07 22:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-10-07 22:25 . 2011-10-07 22:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Viewpoint
2011-10-07 22:25 . 2011-10-07 22:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2011-10-07 22:25 . 2011-10-07 22:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2011-10-07 22:01 . 2011-10-07 22:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2011-10-07 20:50 . 2011-10-07 20:50 -------- d-----w- c:\documents and settings\Bev\Application Data\McAfee
2011-10-07 03:21 . 2011-10-07 03:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-10-07 03:21 . 2011-10-08 00:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-07 03:21 . 2011-10-07 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-07 02:43 . 2011-10-07 02:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-10-07 02:43 . 2011-10-07 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-07 02:13 . 2011-10-07 02:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sammsoft
2011-10-07 02:09 . 2011-10-07 02:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-04 03:50 . 2011-10-04 03:50 -------- d-----w- c:\documents and settings\Bev\Application Data\Funambol
2011-10-04 03:50 . 2011-10-04 03:50 -------- d-----w- c:\program files\Funambol
2011-09-23 00:28 . 2011-09-23 00:29 -------- d-----w- c:\program files\Azada
2011-09-23 00:28 . 2011-09-23 00:28 -------- d-----w- c:\program files\Pat Sajak's Lucky Letters
2011-09-23 00:28 . 2011-09-23 00:28 -------- d-----w- c:\program files\Mystery Case Files - Madame Fate
2011-09-23 00:26 . 2011-09-23 00:28 -------- d-----w- c:\program files\Jewel Quest II
2011-09-23 00:26 . 2011-09-23 00:26 -------- d-----w- c:\program files\DNA
2011-09-23 00:25 . 2011-09-23 00:26 -------- d-----w- c:\program files\Coffee Rush
2011-09-23 00:25 . 2007-07-20 07:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2011-09-23 00:25 . 2007-07-20 07:54 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2011-09-23 00:25 . 2007-07-20 01:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2011-09-23 00:02 . 2011-09-23 00:03 -------- d-----w- c:\program files\Brain Challenge
2011-09-23 00:01 . 2011-09-23 00:01 -------- d-----w- c:\program files\Big City Adventure - Sydney Australia
2011-09-23 00:00 . 2011-09-23 01:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-09-22 23:59 . 2011-09-23 00:00 -------- d-----w- c:\program files\Around the World in 80 Days
2011-09-22 23:57 . 2011-09-22 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2011-09-22 23:57 . 2011-09-22 23:57 -------- d-----w- c:\program files\bfgclient
2011-09-22 23:55 . 2011-09-23 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2005-01-19 12:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-10_17.27.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-10 17:29 . 2011-10-10 17:29 16384 c:\windows\temp\Perflib_Perfdata_850.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-12-20 26112]
"HostManager"="c:\program files\Common Files\AOL\1250486336\ee\AOLSoftware.exe" [2010-02-10 41800]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\boohoo\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\Super Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-20 102400]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1250486336\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/19/2010 10:21 AM 84200]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/23/2010 9:36 PM 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/19/2010 10:21 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [12/19/2010 10:21 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [12/19/2010 10:22 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/19/2010 10:21 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/19/2010 10:21 AM 56064]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/19/2010 10:21 AM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/19/2010 10:21 AM 88736]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 1:39 PM 61952]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/19/2010 10:21 AM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/19/2010 10:21 AM 84488]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-10-10 c:\windows\Tasks\User_Feed_Synchronization-{A709807C-4426-409E-92B8-11D7329AD555}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-10 11:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???(T??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(500)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-10-10 11:41:46
ComboFix-quarantined-files.txt 2011-10-10 18:41
ComboFix2.txt 2011-10-10 18:13
ComboFix3.txt 2011-10-10 17:31
.
Pre-Run: 69,452,791,808 bytes free
Post-Run: 69,424,082,944 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 4D963D669DA9FD97C467D7C1386129B0

So grateful for your help!
Warm hearts wait...
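The log above carries several security-relevant lines that are easy to miss by eye: Security Center monitoring switched off for the installed products, the Windows Firewall disabled in the standard profile, a hidden autostart entry reported by catchme, and a user/kernel MBR mismatch that follows a failed user-mode read. The following triage script is an added example, not part of this thread or of ComboFix; it runs over a constructed, abridged excerpt modelled on the log, and the severities, the '?' truncation heuristic and the reading of the MBR result are my own assumptions.

```python
# Constructed, abridged excerpt modelled on the ComboFix/catchme output in the thread (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????L?@? ???(T????
scanning hidden files ...
hidden files: 0
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
"""

def triage_combofix(text):
    """Return (severity, message) pairs for security-relevant log lines; severities are this example's own assumptions."""
    findings, key, in_autostart = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key header such as [HKLM\...]; later value lines belong to it
        elif line.startswith("scanning hidden autostart"):
            in_autostart = True  # catchme section listing Run entries hidden from the normal API
        elif line.startswith("scanning hidden files"):
            in_autostart = False
        elif in_autostart and " = " in line:
            name, path = line.split(" = ", 1)
            # '?' is illegal in a Windows path, so anything from the first '?' on is catchme's binary residue
            path = path.split("?", 1)[0].strip()
            findings.append(("medium", f"hidden autostart entry {name!r} -> {path}"))
        elif '"disablemonitoring"=dword:00000001' in line.lower() and "security center" in key.lower():
            product = key.rsplit("\\", 1)[-1]
            findings.append(("medium", f"Security Center monitoring disabled: {product}"))
        elif line.lower().startswith('"enablefirewall"=') and "firewallpolicy" in key.lower():
            if line.split("=", 1)[1].split()[0] == "0":
                profile = key.rsplit("\\", 1)[-1]
                findings.append(("high", f"Windows Firewall disabled in {profile}"))
        elif line.startswith("hidden files:") and int(line.split(":")[1]) > 0:
            findings.append(("high", line))
    if "user != kernel MBR" in text:
        # A failed user-mode read (the log shows the drive locked by another process) trivially differs
        # from the kernel read; only a successful-but-different read points at a hooked disk stack.
        if "user: error reading MBR" in text:
            findings.append(("inconclusive", "user-mode MBR read failed, so the user/kernel comparison is not meaningful"))
        else:
            findings.append(("high", "user-mode and kernel MBR reads differ"))
    return findings
```

Calling triage_combofix on the full text of a ComboFix log returns the flagged lines in log order, so the registry and catchme findings can be reviewed before the service and task listings.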

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:36 AM

Posted 16 October 2011 - 07:27 PM

You have posted the same log twice, Sheryl. I'm still after the first log, the top line of which will look like this (or similar, the time will be different obviously). Note the "1" I have boldened.

ComboFix 11-10-10.01 - Bev 10/10/2011 11:01:25.2.1 - x86
m0le is a proud member of UNITE

#15 SherylEber

SherylEber
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:SoCal
  • Local time:02:36 AM

Posted 16 October 2011 - 08:32 PM

I am sad to report that I am unable to locate a file with the .1. I have searched her system for *.txt files, as well as *fix* files, and only have the ones I have posted here. Is it possible that the first one was overwritten by the second?

The logs I posted have different time stamps, one at 11:29 and the second at 11:43...

Edited by SherylEber, 16 October 2011 - 08:35 PM.

Warm hearts wait...



