Popup help - Page 2

AWildrick · 12-05-2008, 01:23 AM

I had to redownload the program. It stopped running. I ran the run.bat and recieved an error message that windows could not find "omer"

sUBs · 12-05-2008, 01:24 AM

Quote:

Last time is ran for 24ish hours

That's too long. Stop it now

Use these settings ...

In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and uncheck these

* ShowAll
* Files

sUBs · 12-05-2008, 01:26 AM

Quote:

I ran the run.bat and recieved an error message that windows could not find "omer"

Just double click on gmer.exe & use the settings from above

tetonbob · 12-05-2008, 01:45 AM

And just to answer the question about time...it should not take longer than 15 minutes or so, usually less.

I think you're in the same time zone as I....we need to grab some sleep.

Hopefully, gmer has run and produced a log. In either case...

Shut the machine down, and we'll see a better day tomorrow after some rest.

AWildrick · 12-05-2008, 01:49 AM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-05 02:48:24
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8B1A9CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8B1A978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA8B1A98C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8B1AA0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8B1A950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8B1A964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8B1A9DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8B1A9B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8B1A9A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8B1AA39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8B1AA20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8B1A9F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A8B1A9F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A8B1A9CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A8B1AA0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A8B1AA24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A8B1A9E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP A8B1A954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP A8B1A968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP A8B1A9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP A8B1A990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP A8B1A97C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP A8B1A9BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP A8B1AA3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01650FEF
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01650F77
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01650076
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01650FA8
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0165005B
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0165002F
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01650F52
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 016500A4
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01650F37
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016500C6
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 016500EB
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01650040
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01650014
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01650087
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01650FC3
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01650FD4
.text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 016500B5
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0156001B
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01560047
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01560FD4
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01560FE5
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01560F94
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0156000A
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01560FA5
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 76, 89 ]
.text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0156002C
.text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 01540FDE
.text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 01540FEF
.text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 01540020
.text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 01540FCD
.text C:\WINDOWS\Explorer.EXE[384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01530FEF
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F20093
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20F9E
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20FB9
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F2006C
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F20047
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F200B8
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F20F7C
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F20F30
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F20F4B
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F20F1F
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F20F8D
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F2002C
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F20FDB
.text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F200D3
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F1003D
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F10FA5
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F1002C
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F10011
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F10062
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F10FC0
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 11, 89 ]
.text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F10FDB
.text C:\WINDOWS\system32\svchost.exe[740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070093
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070082
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700E1
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700D0
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F88
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 000700BF
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070106
.text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 000600A2
.text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006007D
.text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01210FEF
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01210073
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01210062
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01210051
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01210F94
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0121002C
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012100B5
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01210F6D
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01210F23
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01210F48
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 012100D7
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01210FA5
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01210FCA
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01210098
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0121001B
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01210000
.text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 012100C6
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0120001B
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01200F83
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0120000A
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01200FD4
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01200040
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01200FEF
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01200F9E
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 40, 89 ]
.text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01200FB9
.text C:\WINDOWS\system32\lsass.exe[1216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011E0FE5
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 028D0FEF
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 028D0F5C
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 028D0051
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 028D0F77
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 028D0040
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 028D0FB9
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 028D008E
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 028D007D
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 028D00B0
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 028D0F17
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 028D0F06
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 028D0F9E
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 028D0000
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 028D006C
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 028D0025
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 028D0FD4
.text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 028D009F
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 028C0FB9
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 028C0040
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 028C0FCA
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 028C0000
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 028C002F
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 028C0FE5
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 028C0F97
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ AC, 8A ]
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 028C0FA8
.text C:\WINDOWS\system32\svchost.exe[1424] WS2_32.dll!socket 71AB4211 5 Bytes JMP 028A0FE5
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01190FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011900A4
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01190FAF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01190093
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0119006C
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01190040
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011900DC
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01190F8A
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01190119
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011900FE
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0119012A
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0119005B
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01190FDE
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011900B5
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01190025
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01190014
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011900ED
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01180FB9
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01180051
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01180FD4
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01180FEF
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01180F94
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01180000
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01180036
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0118001B
.text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01160000
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F6F
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90F8A
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F9006E
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90051
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F4D
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90089
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F900BA
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F17
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F90F06
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F90FB9
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F90011
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F90F5E
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F90036
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F90FDB
.text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F90F28
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F80F9E
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F8002C
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F80FAF
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F80FC0
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 18, 89 ]
.text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F80051
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05140FEF
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05140F5C
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05140F77
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0514005B
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0514004A
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0514001E
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05140076
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05140F3A
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05140EE7
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05140F02
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 05140ED6
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0514002F
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 05140FD4
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 05140F4B
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 05140FB2
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 05140FC3
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 05140F13
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 05130000
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 05130039
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 05130FAF
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 05130FCA
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 05130F72
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 05130FEF
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 05130F83
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 33, 8D ]
.text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 05130F94
.text C:\WINDOWS\System32\svchost.exe[1552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 050A0FE5
.text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 05110FEF
.text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 05110000
.text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 05110025
.text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 05110040
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0F53
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0F64
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0F75
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0F86
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0FA8
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F1D
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F2E
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC0080
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0EE7
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DC0EC2
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DC0F97
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DC0FDE
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DC0059
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DC0FC3
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DC001E
.text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DC0F02
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DB0FB9
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DB0051
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DB0014
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DB0FD4
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DB0F94
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DB0040
.text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DB002F
.text C:\WINDOWS\system32\svchost.exe[1688] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01630FEF
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01630F83
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01630078
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01630067
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01630F9E
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01630025
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01630089
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01630F4D
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 016300C9
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016300AE
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 016300DA
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01630040
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0163000A
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01630F5E
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01630FC3
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01630FD4
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01630F30
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0162002C
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01620080
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01620FDB
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01620011
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01620065
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01620000
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01620FB9
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 82, 89 ]
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01620FCA
.text C:\WINDOWS\system32\svchost.exe[1728] WS2_32.dll!socket 71AB4211 5 Bytes JMP 015F0000
.text C:\WINDOWS\system32\svchost.exe[1728] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 01600FE5
.text C:\WINDOWS\system32\svchost.exe[1728] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 01600000
.text C:\WINDOWS\system32\svchost.exe[1728] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 0160001B
.text C:\WINDOWS\system32\svchost.exe[1728] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 01600FD4
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1984] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3092] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011D0FE5
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011D0F3F
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011D0F50
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011D0F6B
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011D0F7C
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011D0FA8
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011D0065
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011D0F13
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011D0EDD
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011D0EEE
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011D0ECC
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 011D0F97
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011D0FD4
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011D0F24
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 011D0014
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 011D0FC3
.text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011D0076
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FF001E
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FF004D
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FF0FCD
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FF0F90
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00FF0FA1
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 1F, 89 ]
.text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FF0FB2
.text C:\WINDOWS\System32\svchost.exe[3956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F63
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F74
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0058
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0047
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0084
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F48
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0095
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F06
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00A6
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A000A
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0073
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A001B
.text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F17
.text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0FC0
.text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A005B
.text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0F9E
.text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0FAF
.text C:\WINDOWS\system32\dllhost.exe[4568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0000
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260000
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0026007D
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260062
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F8A
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260047
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0026002C
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260F6D
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002600B5
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F2D
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600D0
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 002600E1
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00260FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00260FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 011D2482 c:\windows\system32\feyiweku.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00260098
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00260FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00260011
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00260F5C
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00360FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00360040
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00360FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00360FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0036002F
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00360FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0036001E
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00360F8D
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00380FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00380000
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00380FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00380025
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0000
.text C:\Program Files\Internet Explorer\iexplore.exe[5380] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 011D2AA1 c:\windows\system32\feyiweku.dll

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A63BCD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@CPMbb7c96ae Rundll32.exe "c:\windows\system32\gehayipe.dll",a
Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\InprocServer32@ C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C72D3FBA-64F2-9F1E-BAC2-DAC12F05686A}\InprocServer32@ C:\Program Files\Common Files\MSSoap\Binaries\WHSC30.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C72D3FBA-64F2-9F1E-BAC2-DAC12F05686A}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C72D3FBA-64F2-9F1E-BAC2-DAC12F05686A}\ProgID@ MSSOAP.WinHttpConnector30
Reg HKLM\SOFTWARE\Classes\CLSID\{C72D3FBA-64F2-9F1E-BAC2-DAC12F05686A}\TypeLib@ {46BF17C2-9257-11D5-87EA-00B0D0BE6479}
Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\InProcServer32@ C:\Program Files\Yahoo!\Common\yiesrvc.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ c:\windows\system32\gehayipe.dll

---- EOF - GMER 1.0.14 ----

tetonbob · 12-05-2008, 02:30 AM

Download The Avenger by Swandog46 from here.
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Quote:

Files to delete:
C:\WINDOWS\system32\uniwavow.ini
C:\WINDOWS\system32\apahiyik.ini
C:\WINDOWS\system32\aroririz.ini
C:\WINDOWS\system32\ohurubok.ini
C:\WINDOWS\system32\ozokaref.ini
C:\WINDOWS\system32\uyumifok.ini
C:\WINDOWS\system32\aviyomer.ini
C:\WINDOWS\system32\odaradip.ini
C:\WINDOWS\system32\ajodarog.ini
C:\WINDOWS\system32\ahewugid.ini
C:\WINDOWS\system32\efipituk.ini
C:\WINDOWS\system32\omeborun.ini
C:\WINDOWS\system32\unedulop.ini
C:\WINDOWS\system32\wovawinu.dll
C:\WINDOWS\system32\sekivate.dll
C:\WINDOWS\system32\muremano.dll
C:\WINDOWS\system32\kiyihapa.dll
C:\WINDOWS\system32\feyiweku.dll
C:\WINDOWS\system32\zirirora.dll
C:\WINDOWS\system32\pibumedu.dll
C:\WINDOWS\system32\mezotehi.dll
C:\WINDOWS\system32\koburuho.dll
C:\WINDOWS\system32\silebovu.dll
C:\WINDOWS\system32\gehayipe.dll
C:\WINDOWS\system32\ferakozo.dll
C:\WINDOWS\system32\kofimuyu.dll
C:\WINDOWS\system32\yumovovi.dll
C:\WINDOWS\system32\netabiri.dll
C:\WINDOWS\system32\remoyiva.dll
C:\WINDOWS\system32\zelohije.dll
C:\WINDOWS\system32\pidarado.dll
C:\WINDOWS\system32\goradoja.dll
C:\WINDOWS\system32\jukihoda.dll
C:\WINDOWS\system32\doyapera.dll
C:\WINDOWS\system32\diguweha.dll
C:\WINDOWS\system32\vegewibe.dll
C:\WINDOWS\system32\nurobemo.dll
C:\WINDOWS\system32\poludenu.dll
C:\WINDOWS\system32\gevewupi.dll

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | b84fa532
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | gevepuhofa
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | CPMbb7c96ae

In the avenger window, click the Paste Script from Clipboard, button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.

Now try to run ComboFix. Post that log also.

AWildrick · 12-05-2008, 02:58 AM

ogfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\uniwavow.ini" deleted successfully.
File "C:\WINDOWS\system32\apahiyik.ini" deleted successfully.
File "C:\WINDOWS\system32\aroririz.ini" deleted successfully.
File "C:\WINDOWS\system32\ohurubok.ini" deleted successfully.
File "C:\WINDOWS\system32\ozokaref.ini" deleted successfully.
File "C:\WINDOWS\system32\uyumifok.ini" deleted successfully.
File "C:\WINDOWS\system32\aviyomer.ini" deleted successfully.
File "C:\WINDOWS\system32\odaradip.ini" deleted successfully.
File "C:\WINDOWS\system32\ajodarog.ini" deleted successfully.
File "C:\WINDOWS\system32\ahewugid.ini" deleted successfully.
File "C:\WINDOWS\system32\efipituk.ini" deleted successfully.
File "C:\WINDOWS\system32\omeborun.ini" deleted successfully.
File "C:\WINDOWS\system32\unedulop.ini" deleted successfully.
File "C:\WINDOWS\system32\wovawinu.dll" deleted successfully.
File "C:\WINDOWS\system32\sekivate.dll" deleted successfully.
File "C:\WINDOWS\system32\muremano.dll" deleted successfully.
File "C:\WINDOWS\system32\kiyihapa.dll" deleted successfully.
File "C:\WINDOWS\system32\feyiweku.dll" deleted successfully.
File "C:\WINDOWS\system32\zirirora.dll" deleted successfully.
File "C:\WINDOWS\system32\pibumedu.dll" deleted successfully.
File "C:\WINDOWS\system32\mezotehi.dll" deleted successfully.
File "C:\WINDOWS\system32\koburuho.dll" deleted successfully.
File "C:\WINDOWS\system32\silebovu.dll" deleted successfully.
File "C:\WINDOWS\system32\gehayipe.dll" deleted successfully.
File "C:\WINDOWS\system32\ferakozo.dll" deleted successfully.
File "C:\WINDOWS\system32\kofimuyu.dll" deleted successfully.
File "C:\WINDOWS\system32\yumovovi.dll" deleted successfully.
File "C:\WINDOWS\system32\netabiri.dll" deleted successfully.
File "C:\WINDOWS\system32\remoyiva.dll" deleted successfully.
File "C:\WINDOWS\system32\zelohije.dll" deleted successfully.
File "C:\WINDOWS\system32\pidarado.dll" deleted successfully.
File "C:\WINDOWS\system32\goradoja.dll" deleted successfully.
File "C:\WINDOWS\system32\jukihoda.dll" deleted successfully.
File "C:\WINDOWS\system32\doyapera.dll" deleted successfully.
File "C:\WINDOWS\system32\diguweha.dll" deleted successfully.
File "C:\WINDOWS\system32\vegewibe.dll" deleted successfully.
File "C:\WINDOWS\system32\nurobemo.dll" deleted successfully.
File "C:\WINDOWS\system32\poludenu.dll" deleted successfully.
File "C:\WINDOWS\system32\gevewupi.dll" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLS" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|b84fa532" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|gevepuhofa" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|CPMbb7c96ae" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Combofix to follow...

tetonbob · 12-05-2008, 03:03 AM

Adam, have you run ComboFix already? If not, please wait and let me know...if so, we'll move forward from there.

AWildrick · 12-05-2008, 03:27 AM

ComboFix 08-12-04.04 - Adam 2008-12-05 4

53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1237 [GMT -6:00]
Running from: c:\documents and settings\Adam\Desktop\Combo-Fix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\npf.sys
c:\windows\system32\gefesohi.dll
c:\windows\system32\ihosefeg.ini
c:\windows\system32\kajikewi.dll
c:\windows\system32\lowopami.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pepejidu.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\vefanobe.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 18:05 . 2008-12-04 18:11 <DIR> d-------- c:\program files\trend micro
2008-12-04 18:04 . 2008-12-04 18:11 <DIR> d-------- C:\rsit
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Adam\Application Data\Lexmark Productivity Studio
2008-12-04 14:27 . 2008-12-04 14:54 <DIR> d-------- c:\documents and settings\All Users\lx_cats
2008-12-04 14:26 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-04 14:26 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys
2008-12-04 14:21 . 2007-10-10 07:40 348,160 --a------ c:\windows\system32\lxdvcoin.dll
2008-12-04 14:21 . 2008-07-16 00:49 40,960 --a------ c:\windows\system32\lxdvvs.dll
2008-12-04 14:20 . 2007-09-06 14:40 692,224 --a------ c:\windows\system32\lxdvdrs.dll
2008-12-04 14:20 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2008-12-04 14:20 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\dllcache\wiafbdrv.dll
2008-12-04 14:20 . 2007-07-16 11:53 69,632 --a------ c:\windows\system32\lxdvcnv4.dll
2008-12-04 14:20 . 2007-08-10 13:49 65,536 --a------ c:\windows\system32\lxdvcaps.dll
2008-12-04 14:20 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-04 14:20 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2008-12-04 14:18 . 2008-12-04 14:19 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint
2008-12-04 14:11 . 2008-12-04 14:20 <DIR> d-------- c:\program files\Lexmark X5400 Series
2008-12-04 14:11 . 2008-07-16 21:15 77,915 --a------ c:\windows\system32\LXDVcfg.dll
2008-12-04 14:11 . 2008-12-04 14:21 76,139 --a------ c:\windows\system32\LexFiles.ulf
2008-12-04 14:11 . 2008-07-24 07:26 2,072 --a------ c:\windows\system32\lxdv.loc
2008-12-03 23:02 . 2008-12-03 23:45 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-01 16:40 . 2008-12-05 02:28 250 --a------ c:\windows\gmer.ini
2008-11-30 00:38 . 2008-12-01 01:24 <DIR> d-------- c:\program files\Mystery Case Files - Return to Ravenhearst
2008-11-29 19:02 . 2008-12-03 23:58 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-29 19:02 . 2008-12-03 23:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 17:51 . 2008-11-22 17:52 <DIR> d-------- c:\program files\Build-a-lot 3 - Passport to Europe
2008-11-12 00:46 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 00:45 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:08 . 2008-11-11 20:08 <DIR> d-------- c:\program files\Governor of Poker
2008-11-11 18:47 . 2008-11-11 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayPond
2008-11-09 21:46 . 2008-11-09 21:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Redrum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 02:31 --------- d-----w c:\program files\Windows Defender
2008-12-04 17:47 --------- d-----w c:\program files\DellSupport
2008-12-03 08:12 --------- d-----w c:\program files\PokerStars.NET
2008-12-03 08:11 --------- d-----w c:\program files\PokerStars
2008-12-01 07:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-11-25 00:40 --------- d-----w c:\documents and settings\Marisa\Application Data\Wildfire
2008-11-22 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2008-11-14 16:37 --------- d--h--w c:\documents and settings\Marisa\Application Data\Move Networks
2008-11-11 22:28 --------- d-----w c:\program files\World of Warcraft
2008-11-10 03:43 --------- d-----w c:\program files\bfgclient
2008-10-24 17:30 --------- d-----w c:\documents and settings\Adam\Application Data\Wildfire
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 16:17 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-03-24 00:40 0 ----a-w c:\program files\temp01
2005-11-30 07:55 0 ---ha-w c:\documents and settings\All Users\Application Data\gwseh.dat
2007-10-21 16:17 104 --sh--r c:\windows\system32\5293A892C3.sys
2007-09-17 13:25 88 --sh--r c:\windows\system32\C392A89352.sys
2007-10-21 16:17 4,184 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 81,920 2005-06-10 16:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 249,856 2005-06-10 16:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

----a-w 180,269 2006-02-12 04:16:35 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 106,496 2006-02-09 22:34:54 c:\program files\Corel\Corel Photo Album 6\bak\MediaDetect.exe

----a-w 102,400 2004-12-03 00:23:34 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe

----a-w 57,344 2005-02-15 22:10:16 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe

----a-w 53,248 2005-02-23 22:19:56 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 460,784 2007-03-15 16:09:36 c:\program files\DellSupport\bak\DSAgnt.exe

----a-w 68,856 2007-06-18 01:28:01 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 221,184 2003-09-04 02:12:44 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 271,672 2007-08-16 01:15:24 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-01-15 09:22:56 c:\program files\iTunes\iTunesHelper.exe

----a-w 83,608 2007-03-14 08:43:44 c:\program files\Java\jre1.6.0_01\bin\bak\jusched.exe

----a-w 582,992 2007-08-04 07:33:14 c:\program files\McAfee.com\Agent\bak\mcagent.exe
----a-w 641,208 2008-07-11 23:48:54 c:\program files\McAfee.com\Agent\mcagent.exe

----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\QTTask.exe
----a-w 385,024 2008-01-10 21:27:36 c:\program files\QuickTime\QTTask.exe

----a-w 866,584 2006-11-04 00:20:12 c:\program files\Windows Defender\bak\MSASCui.exe

----a-w 408,064 2006-08-25 01:32:50 c:\program files\Windows Media Player\bak\WMPNSCFG.exe

----a-w 413,208 2006-02-24 06:59:28 c:\program files\Yahoo!\YCentral\bak\YahooCentral.exe

----a-w 28,672 2007-10-17 04:03:50 c:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe.vir

----a-w 90,112 2000-05-11 07:00:00 c:\windows\bak\UpdReg.EXE

----a-w 67,584 2005-09-29 20:01:14 c:\windows\ehome\bak\ehtray.exe

----a-w 77,824 2005-07-20 05

12 c:\windows\system32\bak\hkcmd.exe
----a-w 77,824 2006-03-24 02:13:40 c:\windows\system32\hkcmd.exe

----a-w 114,688 2005-07-20 05:10:06 c:\windows\system32\bak\igfxpers.exe
----a-w 118,784 2006-03-24 02:17:50 c:\windows\system32\igfxpers.exe

----a-w 94,208 2005-07-20 05:09:26 c:\windows\system32\bak\igfxtray.exe
----a-w 94,208 2006-03-24 02:17:04 c:\windows\system32\igfxtray.exe

----a-w 122,941 2005-05-31 11:33:00 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"lxdvmon.exe"="c:\program files\Lexmark X5400 Series\lxdvmon.exe" [2008-08-05 455336]
"lxdvamon"="c:\program files\Lexmark X5400 Series\lxdvamon.exe" [2008-08-05 25256]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]
"NWEReboot"="" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-06 315392]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-09-03 176128]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 1503232]
Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2005-11-29 233744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\WINDOWS\\system32\\lxdvcoms.exe"=
"c:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvtime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service []
R2 RMSvc;Media Center Extender Resource Monitor;c:\windows\ehome\RMSvc.exe [2005-10-20 28160]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-15 24652]
S2 BIRPBQPQ;BIRPBQPQ;\??\c:\windows\system32\birpbqpq.paf []
S2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2008-12-04 98984]
S3 gtermddo;gtermddo;\??\c:\docume~1\Adam\LOCALS~1\Temp\gtermddo.sys []
S3 QWAVE;QWAVE service;c:\windows\system32\svchost.exe -k QWAVE [2005-08-16 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25432b37-0d8c-11dc-b813-00132093bcde}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-11-29 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DG1QBX81-Administrator).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f2b4c71d-b36d-42a7-af83-ef4e38800a63} - c:\windows\system32\lowopami.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - ?p=ZJxdm186NJUS
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

c:\windows\Downloaded Program Files\ActiveGS.ocx - O16 -: ActiveGS.cab
hxxp://www.virtualapple.org/activegs.cab
c:\windows\Downloaded Program Files\OSDA56.OSD
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 04:14:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\Adam\LOCALS~1\Temp\me_8McV72g6ofWOeQF 0 bytes
c:\docume~1\Adam\LOCALS~1\Temp\me_8SMov5lO71utUA5 0 bytes
c:\docume~1\Adam\LOCALS~1\Temp\me_kfdFIBWJGcob6pV 0 bytes
c:\docume~1\Adam\LOCALS~1\Temp\me_kOur80Mpwsg1hYe 0 bytes
c:\docume~1\Adam\LOCALS~1\Temp\me_kOur80Mpwsg1hYe-journal 20 bytes
c:\docume~1\Adam\LOCALS~1\Temp\me_mNi7eMbxhT4hUQt 0 bytes
c:\docume~1\Adam\LOCALS~1\Temp\me_N4MqGff1dlOj7K9 0 bytes
c:\docume~1\Adam\LOCALS~1\Temp\me_yKEbZzjdEL0Si7n 0 bytes

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BIRPBQPQ]
"ImagePath"="\??\c:\windows\system32\birpbqpq.paf"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\acs.exe
c:\docume~1\Adam\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\lxdvcoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-05 4:23:55 - machine was rebooted [Adam]
ComboFix-quarantined-files.txt 2008-12-05 10:22:34

Pre-Run: 113,968,828,416 bytes free
Post-Run: 114,439,745,536 bytes free

286 --- E O F --- 2008-12-01 21:16:38

AWildrick · 12-05-2008, 03:28 AM

Sorry for keeping you up so late/early

tetonbob · 12-05-2008, 03:33 AM

Heheh, no worries...this has been interesting, and I keep odd hours.

Things are looking better, but we'll have more work to do.

While I work on the next steps....please go to C:\Avenger, and right click on it, Send to >Compressed Folder to zip it up.

Please submit it to this site, and include a link to this topic.

http://www.bleepingcomputer.com/subm....php?channel=4

AWildrick · 12-05-2008, 03:37 AM

ok, thats done...

tetonbob · 12-05-2008, 03:44 AM

Hi Adam -

The file which was uploaded appears to be the Avenger executable. Let's do it this way...

Open notepad and copy/paste the text in the codebox below into it:

Code:

@echo off
@Vfind -tf C:\Avenger\* | Zip -@Sq Uploadthis
@DEL %0

Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this:

Double click on grab.bat & allow it to run

A file, UploadThis will be created on your desktop. Please upload that file here:

http://www.bleepingcomputer.com/subm....php?channel=4

In the Link to topic where this file was requested: area, copy and paste this :

http://www.techsupportforum.com/secu...ml#post1839352

Once it shows:

Quote:

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

Close the site and let me know.

AWildrick · 12-05-2008, 04:03 AM

Ok, done

tetonbob · 12-05-2008, 04:07 AM

Great, thanks for taking the time. We and others will appreciate it.

This next bit will take some time. I'm going to grab some Zzzz....

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

File::
c:\documents and settings\All Users\Application Data\gwseh.dat
c:\program files\temp01

Folder::
c:\Program Files\Common Files\InstallShield\UpdateService\bak
c:\Program Files\Common Files\Real\Update_OB\bak
c:\Program Files\Corel\Corel Photo Album 6\bak
c:\Program Files\Creative\MediaSource\Detector\bak
c:\Program Files\Creative\SBAudigy\Surround Mixer\bak
c:\Program Files\CyberLink\PowerDVD\bak
c:\Program Files\DellSupport\bak
c:\Program Files\Google\GoogleToolbarNotifier\bak
c:\Program Files\Intel\Modem Event Monitor\bak
c:\Program Files\iTunes\bak
c:\Program Files\Java\jre1.6.0_01\bin\bak
c:\Program Files\McAfee.com\Agent\bak
c:\Program Files\QuickTime\bak
c:\Program Files\Windows Defender\bak
c:\Program Files\Windows Media Player\bak
c:\Program Files\Yahoo!\YCentral\bak
c:\windows\bak
c:\windows\ehome\bak
c:\windows\system32\bak
c:\windows\system32\dla\bak
C:\Avenger

Driver::
BIRPBQPQ
gtermddo

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
- Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
- Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
- Click the "Download" button to the right.
- Select the Windows platform from the dropdown menu.
- Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
- Click on the link to download Windows Offline Installation and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
- After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  - On the General tab, under Temporary Internet Files, click the Settings button.
  - Next, click on the Delete Files button
  - There are two options in the window to clear the cache - Leave BOTH Checked
    - Applications and Applets
      Trace and Log Files
  - Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  - Click OK to leave the Temporary Files Window
  - Click OK to leave the Java Control Panel.
---------------------------------------------------------------------------------------------
Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
- Close any open programs
- Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept, when prompted to download and install the program files and database of malware definitions.
- Click Run at the Security prompt.
- The program will then begin downloading and installing and will also update the database.
- Please be patient as this can take several minutes.
- Once the update is complete, click on Settings. Uncheck Mail databases.
- Next, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Click View scan report at the bottom.
- Click the Save Report As... button.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
---------------------------------------------------------------------------------------------

How is the machine behaving, please?

---------------------------------------------------------------------------------------------

AWildrick · 12-05-2008, 12:48 PM

As above steps were followed and the computer seems to be running fine. Posted below are the logs you requested.

ComboFix 08-12-04.04 - Adam 2008-12-05 5:29:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1490 [GMT -6:00]
Running from: c:\documents and settings\Adam\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Adam\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

FILE ::
c:\documents and settings\All Users\Application Data\gwseh.dat
c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Avenger
c:\avenger\backup.zip
c:\documents and settings\All Users\Application Data\gwseh.dat
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
c:\program files\Common Files\Real\Update_OB\bak
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Corel\Corel Photo Album 6\bak
c:\program files\Corel\Corel Photo Album 6\bak\MediaDetect.exe
c:\program files\Creative\MediaSource\Detector\bak
c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe
c:\program files\Creative\SBAudigy\Surround Mixer\bak
c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
c:\program files\CyberLink\PowerDVD\bak
c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
c:\program files\DellSupport\bak
c:\program files\DellSupport\bak\DSAgnt.exe
c:\program files\Google\GoogleToolbarNotifier\bak
c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
c:\program files\Intel\Modem Event Monitor\bak
c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe
c:\program files\iTunes\bak
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Java\jre1.6.0_01\bin\bak
c:\program files\Java\jre1.6.0_01\bin\bak\jusched.exe
c:\program files\McAfee.com\Agent\bak
c:\program files\McAfee.com\Agent\bak\mcagent.exe
c:\program files\QuickTime\bak
c:\program files\QuickTime\bak\QTTask.exe
c:\program files\temp01
c:\program files\Windows Defender\bak
c:\program files\Windows Defender\bak\MSASCui.exe
c:\program files\Windows Media Player\bak
c:\program files\Windows Media Player\bak\WMPNSCFG.exe
c:\program files\Yahoo!\YCentral\bak
c:\program files\Yahoo!\YCentral\bak\YahooCentral.exe
c:\windows\bak
c:\windows\bak\UpdReg.EXE
c:\windows\ehome\bak
c:\windows\ehome\bak\ehtray.exe
c:\windows\system32\bak
c:\windows\system32\bak\hkcmd.exe
c:\windows\system32\bak\igfxpers.exe
c:\windows\system32\bak\igfxtray.exe
c:\windows\system32\dla\bak
c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BIRPBQPQ
-------\Legacy_GTERMDDO
-------\Service_BIRPBQPQ
-------\Service_gtermddo

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 04:35 . 2008-12-05 04:35 2,798,143 --a------ C:\Avenger.zip
2008-12-04 18:05 . 2008-12-04 18:11 <DIR> d-------- c:\program files\trend micro
2008-12-04 18:04 . 2008-12-04 18:11 <DIR> d-------- C:\rsit
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Adam\Application Data\Lexmark Productivity Studio
2008-12-04 14:27 . 2008-12-04 14:54 <DIR> d-------- c:\documents and settings\All Users\lx_cats
2008-12-04 14:26 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-04 14:26 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys
2008-12-04 14:21 . 2007-10-10 07:40 348,160 --a------ c:\windows\system32\lxdvcoin.dll
2008-12-04 14:21 . 2008-07-16 00:49 40,960 --a------ c:\windows\system32\lxdvvs.dll
2008-12-04 14:20 . 2007-09-06 14:40 692,224 --a------ c:\windows\system32\lxdvdrs.dll
2008-12-04 14:20 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2008-12-04 14:20 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\dllcache\wiafbdrv.dll
2008-12-04 14:20 . 2007-07-16 11:53 69,632 --a------ c:\windows\system32\lxdvcnv4.dll
2008-12-04 14:20 . 2007-08-10 13:49 65,536 --a------ c:\windows\system32\lxdvcaps.dll
2008-12-04 14:20 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-04 14:20 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2008-12-04 14:18 . 2008-12-04 14:19 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint
2008-12-04 14:11 . 2008-12-04 14:20 <DIR> d-------- c:\program files\Lexmark X5400 Series
2008-12-04 14:11 . 2008-07-16 21:15 77,915 --a------ c:\windows\system32\LXDVcfg.dll
2008-12-04 14:11 . 2008-12-04 14:21 76,139 --a------ c:\windows\system32\LexFiles.ulf
2008-12-04 14:11 . 2008-07-24 07:26 2,072 --a------ c:\windows\system32\lxdv.loc
2008-12-03 23:02 . 2008-12-03 23:45 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-01 16:40 . 2008-12-05 02:28 250 --a------ c:\windows\gmer.ini
2008-11-30 00:38 . 2008-12-01 01:24 <DIR> d-------- c:\program files\Mystery Case Files - Return to Ravenhearst
2008-11-29 19:02 . 2008-12-03 23:58 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-29 19:02 . 2008-12-03 23:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 17:51 . 2008-11-22 17:52 <DIR> d-------- c:\program files\Build-a-lot 3 - Passport to Europe
2008-11-12 00:46 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 00:45 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:08 . 2008-11-11 20:08 <DIR> d-------- c:\program files\Governor of Poker
2008-11-11 18:47 . 2008-11-11 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayPond
2008-11-09 21:46 . 2008-11-09 21:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Redrum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 11:29 --------- d-----w c:\program files\Windows Defender
2008-12-05 11:29 --------- d-----w c:\program files\QuickTime
2008-12-05 11:29 --------- d-----w c:\program files\iTunes
2008-12-05 11:29 --------- d-----w c:\program files\DellSupport
2008-12-03 08:12 --------- d-----w c:\program files\PokerStars.NET
2008-12-03 08:11 --------- d-----w c:\program files\PokerStars
2008-12-01 07:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-11-25 00:40 --------- d-----w c:\documents and settings\Marisa\Application Data\Wildfire
2008-11-22 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\HipSoft
2008-11-14 16:37 --------- d--h--w c:\documents and settings\Marisa\Application Data\Move Networks
2008-11-11 22:28 --------- d-----w c:\program files\World of Warcraft
2008-11-10 03:43 --------- d-----w c:\program files\bfgclient
2008-10-24 17:30 --------- d-----w c:\documents and settings\Adam\Application Data\Wildfire
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 16:17 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2007-10-21 16:17 104 --sh--r c:\windows\system32\5293A892C3.sys
2007-09-17 13:25 88 --sh--r c:\windows\system32\C392A89352.sys
2007-10-21 16:17 4,184 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"lxdvmon.exe"="c:\program files\Lexmark X5400 Series\lxdvmon.exe" [2008-08-05 455336]
"lxdvamon"="c:\program files\Lexmark X5400 Series\lxdvamon.exe" [2008-08-05 25256]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-06 315392]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-09-03 176128]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 1503232]
Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2005-11-29 233744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\WINDOWS\\system32\\lxdvcoms.exe"=
"c:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvtime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service []
R2 RMSvc;Media Center Extender Resource Monitor;c:\windows\ehome\RMSvc.exe [2005-10-20 28160]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-15 24652]
S2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2008-12-04 98984]
S3 QWAVE;QWAVE service;c:\windows\system32\svchost.exe -k QWAVE [2005-08-16 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25432b37-0d8c-11dc-b813-00132093bcde}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-11-29 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DG1QBX81-Administrator).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - ?p=ZJxdm186NJUS
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

c:\windows\Downloaded Program Files\ActiveGS.ocx - O16 -: ActiveGS.cab
hxxp://www.virtualapple.org/activegs.cab
c:\windows\Downloaded Program Files\OSDA56.OSD
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 05:33:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\rundll32.exe
c:\docume~1\Adam\LOCALS~1\Temp\clclean.0001
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\lxdvcoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-12-05 5:39:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 11:38:27
ComboFix2.txt 2008-12-05 10:23:58

Pre-Run: 114,580,856,832 bytes free
Post-Run: 114,551,754,752 bytes free

282 --- E O F --- 2008-12-01 21:16:38

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 05, 2008 09:03:58
Records in database: 1438362
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 323813
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:27:15

File name / Threat name / Threats count
C:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-3a5f108d.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Marisa\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-3b772b05.zip Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\WanPacket.dll.vir Infected: Backdoor.Win32.ForBot.am 1

The selected area was scanned.

tetonbob · 12-05-2008, 12:52 PM

Looks good.

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-3a5f108d.zip"
"C:\Documents and Settings\Marisa\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-3b772b05.zip"


) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run

Post back to tell me what it says

AWildrick · 12-05-2008, 12:57 PM

A black box appeared and said that the items were successfully deleted and asked I press enter to continue.

tetonbob · 12-05-2008, 01:04 PM

Please do so, if you've not already.

Any of the upload zip files still remaining can be deleted, as can gmer and Avenger.

The other items found by Kaspersky are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

AWildrick · 12-05-2008, 01:31 PM

Y=Thank you SOOOOOO much for all of your help!

12-05-2008, 01:23 AM	#21 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help I had to redownload the program. It stopped running. I ran the run.bat and recieved an error message that windows could not find "omer"

12-05-2008, 01:45 AM	#24 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,151 OS: 2000 Pro; XP Pro; XP Home	Re: Popup help And just to answer the question about time...it should not take longer than 15 minutes or so, usually less. I think you're in the same time zone as I....we need to grab some sleep. Hopefully, gmer has run and produced a log. In either case... Shut the machine down, and we'll see a better day tomorrow after some rest. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-05-2008, 01:49 AM	#25 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2008-12-05 02:48:24 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.14 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8B1A9CA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8B1A978] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA8B1A98C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8B1AA0A] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8B1A950] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8B1A964] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8B1A9DE] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8B1A9B6] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8B1A9A2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8B1AA39] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8B1AA20] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8B1A9F4] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.14 ---- .text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A8B1A9F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A8B1A9CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A8B1AA0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A8B1AA24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A8B1A9E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP A8B1A954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP A8B1A968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP A8B1A9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP A8B1A990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP A8B1A97C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP A8B1A9BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP A8B1AA3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ---- User code sections - GMER 1.0.14 ---- .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01650FEF .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01650F77 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01650076 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01650FA8 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0165005B .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0165002F .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01650F52 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 016500A4 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01650F37 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016500C6 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 016500EB .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01650040 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01650014 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01650087 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01650FC3 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01650FD4 .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 016500B5 .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0156001B .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01560047 .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01560FD4 .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01560FE5 .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01560F94 .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0156000A .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01560FA5 .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 76, 89 ] .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0156002C .text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 01540FDE .text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 01540FEF .text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 01540020 .text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 01540FCD .text C:\WINDOWS\Explorer.EXE[384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01530FEF .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F20000 .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F20093 .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F20F9E .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F20FB9 .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F2006C .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F20047 .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F200B8 .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F20F7C .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F20F30 .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F20F4B .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F20F1F .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F20FCA .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F2001B .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F20F8D .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F2002C .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F20FDB .text C:\WINDOWS\system32\svchost.exe[740] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F200D3 .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F1003D .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F10FA5 .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F1002C .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F10011 .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F10062 .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F10000 .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F10FC0 .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 11, 89 ] .text C:\WINDOWS\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F10FDB .text C:\WINDOWS\system32\svchost.exe[740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0FEF .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000700A4 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070093 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070082 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FB9 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070051 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700E1 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700D0 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F77 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F88 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F5C .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070FCA .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0007001B .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 000700BF .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070036 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FE5 .text C:\WINDOWS\system32\services.exe[1204] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070106 .text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060047 .text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 000600A2 .text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006002C .text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006001B .text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FDB .text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000 .text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006007D .text C:\WINDOWS\system32\services.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060058 .text C:\WINDOWS\system32\services.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0004000A .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01210FEF .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01210073 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01210062 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01210051 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01210F94 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0121002C .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012100B5 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01210F6D .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01210F23 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01210F48 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 012100D7 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01210FA5 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01210FCA .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01210098 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0121001B .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01210000 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 012100C6 .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0120001B .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01200F83 .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0120000A .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01200FD4 .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01200040 .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01200FEF .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01200F9E .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 40, 89 ] .text C:\WINDOWS\system32\lsass.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01200FB9 .text C:\WINDOWS\system32\lsass.exe[1216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011E0FE5 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 028D0FEF .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 028D0F5C .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 028D0051 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 028D0F77 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 028D0040 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 028D0FB9 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 028D008E .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 028D007D .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 028D00B0 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 028D0F17 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 028D0F06 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 028D0F9E .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 028D0000 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 028D006C .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 028D0025 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 028D0FD4 .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 028D009F .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 028C0FB9 .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 028C0040 .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 028C0FCA .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 028C0000 .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 028C002F .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 028C0FE5 .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 028C0F97 .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ AC, 8A ] .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 028C0FA8 .text C:\WINDOWS\system32\svchost.exe[1424] WS2_32.dll!socket 71AB4211 5 Bytes JMP 028A0FE5 .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01190FEF .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011900A4 .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01190FAF .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01190093 .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0119006C .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01190040 .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011900DC .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01190F8A .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01190119 .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011900FE .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0119012A .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0119005B .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01190FDE .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011900B5 .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01190025 .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01190014 .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011900ED .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01180FB9 .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01180051 .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01180FD4 .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01180FEF .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01180F94 .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01180000 .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01180036 .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0118001B .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01160000 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F6F .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90F8A .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F9006E .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90051 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90FCA .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F4D .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90089 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F900BA .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F17 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F90F06 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F90FB9 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F90011 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F90F5E .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F90036 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F90FDB .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F90F28 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F80FE5 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F80F9E .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F8002C .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F80011 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F80FAF .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F80000 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F80FC0 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 18, 89 ] .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F80051 .text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05140FEF .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05140F5C .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05140F77 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0514005B .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0514004A .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0514001E .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05140076 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05140F3A .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05140EE7 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05140F02 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 05140ED6 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0514002F .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 05140FD4 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 05140F4B .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 05140FB2 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 05140FC3 .text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 05140F13 .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 05130000 .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 05130039 .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 05130FAF .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 05130FCA .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 05130F72 .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 05130FEF .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 05130F83 .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 33, 8D ] .text C:\WINDOWS\System32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 05130F94 .text C:\WINDOWS\System32\svchost.exe[1552] WS2_32.dll!socket 71AB4211 5 Bytes JMP 050A0FE5 .text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 05110FEF .text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 05110000 .text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 05110025 .text C:\WINDOWS\System32\svchost.exe[1552] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 05110040 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0FEF .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0F53 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0F64 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0F75 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0F86 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC0FA8 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC0F1D .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F2E .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC0080 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0EE7 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DC0EC2 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DC0F97 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DC0FDE .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DC0059 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DC0FC3 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DC001E .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DC0F02 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DB0FB9 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DB0051 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DB0014 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DB0FD4 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DB0F94 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DB0FEF .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DB0040 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DB002F .text C:\WINDOWS\system32\svchost.exe[1688] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0000 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01630FEF .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01630F83 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01630078 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01630067 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01630F9E .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01630025 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01630089 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01630F4D .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 016300C9 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016300AE .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 016300DA .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01630040 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0163000A .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01630F5E .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01630FC3 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01630FD4 .text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01630F30 .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0162002C .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01620080 .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01620FDB .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01620011 .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01620065 .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01620000 .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01620FB9 .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 82, 89 ] .text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01620FCA .text C:\WINDOWS\system32\svchost.exe[1728] WS2_32.dll!socket 71AB4211 5 Bytes JMP 015F0000 .text C:\WINDOWS\system32\svchost.exe[1728] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 01600FE5 .text C:\WINDOWS\system32\svchost.exe[1728] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 01600000 .text C:\WINDOWS\system32\svchost.exe[1728] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 0160001B .text C:\WINDOWS\system32\svchost.exe[1728] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 01600FD4 .text C:\Program Files\MSN Messenger\msnmsgr.exe[1984] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3092] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011D0FE5 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011D0F3F .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011D0F50 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011D0F6B .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011D0F7C .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011D0FA8 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011D0065 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011D0F13 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011D0EDD .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011D0EEE .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011D0ECC .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 011D0F97 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011D0FD4 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011D0F24 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 011D0014 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 011D0FC3 .text C:\WINDOWS\System32\svchost.exe[3956] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011D0076 .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FF001E .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FF004D .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FF0FCD .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FF0FDE .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FF0F90 .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FF0FEF .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00FF0FA1 .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 1F, 89 ] .text C:\WINDOWS\System32\svchost.exe[3956] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FF0FB2 .text C:\WINDOWS\System32\svchost.exe[3956] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008B000A .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F63 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F74 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0058 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0047 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0084 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F48 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0095 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F06 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00A6 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0FA5 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A000A .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0073 .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FCA .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A001B .text C:\WINDOWS\system32\dllhost.exe[4568] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F17 .text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0FC0 .text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A005B .text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A001B .text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0000 .text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0F9E .text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0FEF .text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002A0036 .text C:\WINDOWS\system32\dllhost.exe[4568] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0FAF .text C:\WINDOWS\system32\dllhost.exe[4568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0000 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260000 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0026007D .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260062 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F8A .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260047 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0026002C .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260F6D .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002600B5 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F2D .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600D0 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 002600E1 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00260FA5 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00260FE5 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 011D2482 c:\windows\system32\feyiweku.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00260098 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00260FC0 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00260011 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00260F5C .text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00360FA8 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00360040 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00360FB9 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00360FD4 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0036002F .text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00360FE5 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0036001E .text C:\Program Files\Internet Explorer\iexplore.exe[5380] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00360F8D .text C:\Program Files\Internet Explorer\iexplore.exe[5380] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00380FE5 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00380000 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00380FD4 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00380025 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0000 .text C:\Program Files\Internet Explorer\iexplore.exe[5380] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 011D2AA1 c:\windows\system32\feyiweku.dll ---- User IAT/EAT - GMER 1.0.14 ---- IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2676] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.) ---- Devices - GMER 1.0.14 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) Device \FileSystem\Fastfat \Fat A63BCD20 AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) ---- Registry - GMER 1.0.14 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@CPMbb7c96ae Rundll32.exe "c:\windows\system32\gehayipe.dll",a Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\InprocServer32@ C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{397A1CDF-CE10-9F24-4188-062E91923DFC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{C72D3FBA-64F2-9F1E-BAC2-DAC12F05686A}\InprocServer32@ C:\Program Files\Common Files\MSSoap\Binaries\WHSC30.dll Reg HKLM\SOFTWARE\Classes\CLSID\{C72D3FBA-64F2-9F1E-BAC2-DAC12F05686A}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{C72D3FBA-64F2-9F1E-BAC2-DAC12F05686A}\ProgID@ MSSOAP.WinHttpConnector30 Reg HKLM\SOFTWARE\Classes\CLSID\{C72D3FBA-64F2-9F1E-BAC2-DAC12F05686A}\TypeLib@ {46BF17C2-9257-11D5-87EA-00B0D0BE6479} Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\InProcServer32@ C:\Program Files\Yahoo!\Common\yiesrvc.dll Reg HKLM\SOFTWARE\Classes\CLSID\{CE8EC9FD-1451-F211-1F56-707BB8F1CB5A}\InProcServer32@ThreadingModel Both Reg HKLM\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32@ c:\windows\system32\gehayipe.dll ---- EOF - GMER 1.0.14 ----

12-05-2008, 02:58 AM	#27 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help ogfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ***************** Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: Rootkit scan active. No rootkits found! File "C:\WINDOWS\system32\uniwavow.ini" deleted successfully. File "C:\WINDOWS\system32\apahiyik.ini" deleted successfully. File "C:\WINDOWS\system32\aroririz.ini" deleted successfully. File "C:\WINDOWS\system32\ohurubok.ini" deleted successfully. File "C:\WINDOWS\system32\ozokaref.ini" deleted successfully. File "C:\WINDOWS\system32\uyumifok.ini" deleted successfully. File "C:\WINDOWS\system32\aviyomer.ini" deleted successfully. File "C:\WINDOWS\system32\odaradip.ini" deleted successfully. File "C:\WINDOWS\system32\ajodarog.ini" deleted successfully. File "C:\WINDOWS\system32\ahewugid.ini" deleted successfully. File "C:\WINDOWS\system32\efipituk.ini" deleted successfully. File "C:\WINDOWS\system32\omeborun.ini" deleted successfully. File "C:\WINDOWS\system32\unedulop.ini" deleted successfully. File "C:\WINDOWS\system32\wovawinu.dll" deleted successfully. File "C:\WINDOWS\system32\sekivate.dll" deleted successfully. File "C:\WINDOWS\system32\muremano.dll" deleted successfully. File "C:\WINDOWS\system32\kiyihapa.dll" deleted successfully. File "C:\WINDOWS\system32\feyiweku.dll" deleted successfully. File "C:\WINDOWS\system32\zirirora.dll" deleted successfully. File "C:\WINDOWS\system32\pibumedu.dll" deleted successfully. File "C:\WINDOWS\system32\mezotehi.dll" deleted successfully. File "C:\WINDOWS\system32\koburuho.dll" deleted successfully. File "C:\WINDOWS\system32\silebovu.dll" deleted successfully. File "C:\WINDOWS\system32\gehayipe.dll" deleted successfully. File "C:\WINDOWS\system32\ferakozo.dll" deleted successfully. File "C:\WINDOWS\system32\kofimuyu.dll" deleted successfully. File "C:\WINDOWS\system32\yumovovi.dll" deleted successfully. File "C:\WINDOWS\system32\netabiri.dll" deleted successfully. File "C:\WINDOWS\system32\remoyiva.dll" deleted successfully. File "C:\WINDOWS\system32\zelohije.dll" deleted successfully. File "C:\WINDOWS\system32\pidarado.dll" deleted successfully. File "C:\WINDOWS\system32\goradoja.dll" deleted successfully. File "C:\WINDOWS\system32\jukihoda.dll" deleted successfully. File "C:\WINDOWS\system32\doyapera.dll" deleted successfully. File "C:\WINDOWS\system32\diguweha.dll" deleted successfully. File "C:\WINDOWS\system32\vegewibe.dll" deleted successfully. File "C:\WINDOWS\system32\nurobemo.dll" deleted successfully. File "C:\WINDOWS\system32\poludenu.dll" deleted successfully. File "C:\WINDOWS\system32\gevewupi.dll" deleted successfully. Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\|AppInit_DLLS" deleted successfully. Registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\|b84fa532" deleted successfully. Registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\|gevepuhofa" deleted successfully. Registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\|CPMbb7c96ae" deleted successfully. Completed script processing. ***************** Finished! Terminate. Combofix to follow...

12-05-2008, 03:03 AM	#28 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,151 OS: 2000 Pro; XP Pro; XP Home	Re: Popup help Adam, have you run ComboFix already? If not, please wait and let me know...if so, we'll move forward from there. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-05-2008, 03:27 AM	#29 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help ComboFix 08-12-04.04 - Adam 2008-12-05 453.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1237 [GMT -6:00] Running from: c:\documents and settings\Adam\Desktop\Combo-Fix.exe * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\MyWebSearch c:\program files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe c:\windows\IE4 Error Log.txt c:\windows\system32\drivers\npf.sys c:\windows\system32\gefesohi.dll c:\windows\system32\ihosefeg.ini c:\windows\system32\kajikewi.dll c:\windows\system32\lowopami.dll c:\windows\system32\Packet.dll c:\windows\system32\pepejidu.dll c:\windows\system32\pthreadVC.dll c:\windows\system32\vefanobe.dll c:\windows\system32\WanPacket.dll c:\windows\system32\wpcap.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NPF -------\Service_NPF ((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 ))))))))))))))))))))))))))))))) . 2008-12-04 18:05 . 2008-12-04 18:11 <DIR> d-------- c:\program files\trend micro 2008-12-04 18:04 . 2008-12-04 18:11 <DIR> d-------- C:\rsit 2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Adam\Application Data\Lexmark Productivity Studio 2008-12-04 14:27 . 2008-12-04 14:54 <DIR> d-------- c:\documents and settings\All Users\lx_cats 2008-12-04 14:26 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys 2008-12-04 14:26 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys 2008-12-04 14:21 . 2007-10-10 07:40 348,160 --a------ c:\windows\system32\lxdvcoin.dll 2008-12-04 14:21 . 2008-07-16 00:49 40,960 --a------ c:\windows\system32\lxdvvs.dll 2008-12-04 14:20 . 2007-09-06 14:40 692,224 --a------ c:\windows\system32\lxdvdrs.dll 2008-12-04 14:20 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll 2008-12-04 14:20 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\dllcache\wiafbdrv.dll 2008-12-04 14:20 . 2007-07-16 11:53 69,632 --a------ c:\windows\system32\lxdvcnv4.dll 2008-12-04 14:20 . 2007-08-10 13:49 65,536 --a------ c:\windows\system32\lxdvcaps.dll 2008-12-04 14:20 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys 2008-12-04 14:20 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys 2008-12-04 14:18 . 2008-12-04 14:19 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint 2008-12-04 14:11 . 2008-12-04 14:20 <DIR> d-------- c:\program files\Lexmark X5400 Series 2008-12-04 14:11 . 2008-07-16 21:15 77,915 --a------ c:\windows\system32\LXDVcfg.dll 2008-12-04 14:11 . 2008-12-04 14:21 76,139 --a------ c:\windows\system32\LexFiles.ulf 2008-12-04 14:11 . 2008-07-24 07:26 2,072 --a------ c:\windows\system32\lxdv.loc 2008-12-03 23:02 . 2008-12-03 23:45 <DIR> d-------- c:\program files\Windows Live Safety Center 2008-12-01 16:40 . 2008-12-05 02:28 250 --a------ c:\windows\gmer.ini 2008-11-30 00:38 . 2008-12-01 01:24 <DIR> d-------- c:\program files\Mystery Case Files - Return to Ravenhearst 2008-11-29 19:02 . 2008-12-03 23:58 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-29 19:02 . 2008-12-03 23:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-22 17:51 . 2008-11-22 17:52 <DIR> d-------- c:\program files\Build-a-lot 3 - Passport to Europe 2008-11-12 00:46 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-12 00:45 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll 2008-11-11 20:08 . 2008-11-11 20:08 <DIR> d-------- c:\program files\Governor of Poker 2008-11-11 18:47 . 2008-11-11 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayPond 2008-11-09 21:46 . 2008-11-09 21:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Redrum . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-05 02:31 --------- d-----w c:\program files\Windows Defender 2008-12-04 17:47 --------- d-----w c:\program files\DellSupport 2008-12-03 08:12 --------- d-----w c:\program files\PokerStars.NET 2008-12-03 08:11 --------- d-----w c:\program files\PokerStars 2008-12-01 07:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-11-30 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache 2008-11-25 00:40 --------- d-----w c:\documents and settings\Marisa\Application Data\Wildfire 2008-11-22 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\HipSoft 2008-11-14 16:37 --------- d--h--w c:\documents and settings\Marisa\Application Data\Move Networks 2008-11-11 22:28 --------- d-----w c:\program files\World of Warcraft 2008-11-10 03:43 --------- d-----w c:\program files\bfgclient 2008-10-24 17:30 --------- d-----w c:\documents and settings\Adam\Application Data\Wildfire 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-14 16:17 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard 2008-03-24 00:40 0 ----a-w c:\program files\temp01 2005-11-30 07:55 0 ---ha-w c:\documents and settings\All Users\Application Data\gwseh.dat 2007-10-21 16:17 104 --sh--r c:\windows\system32\5293A892C3.sys 2007-09-17 13:25 88 --sh--r c:\windows\system32\C392A89352.sys 2007-10-21 16:17 4,184 --sha-w c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ----a-w 81,920 2005-06-10 16:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe ----a-w 249,856 2005-06-10 16:44:02 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe ----a-w 180,269 2006-02-12 04:16:35 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe ----a-w 106,496 2006-02-09 22:34:54 c:\program files\Corel\Corel Photo Album 6\bak\MediaDetect.exe ----a-w 102,400 2004-12-03 00:23:34 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe ----a-w 57,344 2005-02-15 22:10:16 c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe ----a-w 53,248 2005-02-23 22:19:56 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe ----a-w 460,784 2007-03-15 16:09:36 c:\program files\DellSupport\bak\DSAgnt.exe ----a-w 68,856 2007-06-18 01:28:01 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe ----a-w 221,184 2003-09-04 02:12:44 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe ----a-w 271,672 2007-08-16 01:15:24 c:\program files\iTunes\bak\iTunesHelper.exe ----a-w 267,048 2008-01-15 09:22:56 c:\program files\iTunes\iTunesHelper.exe ----a-w 83,608 2007-03-14 08:43:44 c:\program files\Java\jre1.6.0_01\bin\bak\jusched.exe ----a-w 582,992 2007-08-04 07:33:14 c:\program files\McAfee.com\Agent\bak\mcagent.exe ----a-w 641,208 2008-07-11 23:48:54 c:\program files\McAfee.com\Agent\mcagent.exe ----a-w 286,720 2007-06-29 11:24:52 c:\program files\QuickTime\bak\QTTask.exe ----a-w 385,024 2008-01-10 21:27:36 c:\program files\QuickTime\QTTask.exe ----a-w 866,584 2006-11-04 00:20:12 c:\program files\Windows Defender\bak\MSASCui.exe ----a-w 408,064 2006-08-25 01:32:50 c:\program files\Windows Media Player\bak\WMPNSCFG.exe ----a-w 413,208 2006-02-24 06:59:28 c:\program files\Yahoo!\YCentral\bak\YahooCentral.exe ----a-w 28,672 2007-10-17 04:03:50 c:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe.vir ----a-w 90,112 2000-05-11 07:00:00 c:\windows\bak\UpdReg.EXE ----a-w 67,584 2005-09-29 20:01:14 c:\windows\ehome\bak\ehtray.exe ----a-w 77,824 2005-07-20 0512 c:\windows\system32\bak\hkcmd.exe ----a-w 77,824 2006-03-24 02:13:40 c:\windows\system32\hkcmd.exe ----a-w 114,688 2005-07-20 05:10:06 c:\windows\system32\bak\igfxpers.exe ----a-w 118,784 2006-03-24 02:17:50 c:\windows\system32\igfxpers.exe ----a-w 94,208 2005-07-20 05:09:26 c:\windows\system32\bak\igfxtray.exe ----a-w 94,208 2006-03-24 02:17:04 c:\windows\system32\igfxtray.exe ----a-w 122,941 2005-05-31 11:33:00 c:\windows\system32\dla\bak\tfswctrl.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704] "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048] "lxdvmon.exe"="c:\program files\Lexmark X5400 Series\lxdvmon.exe" [2008-08-05 455336] "lxdvamon"="c:\program files\Lexmark X5400 Series\lxdvamon.exe" [2008-08-05 25256] "MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL] "NWEReboot"="" [N/A] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-06 315392] Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-09-03 176128] Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423] NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 1503232] Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2005-11-29 233744] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.ffds"= ffdshow.ax [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\WINDOWS\\system32\\LEXPPS.EXE"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\SightSpeed\\SightSpeed.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"= "c:\\Program Files\\QuickTime\\QTTask.exe"= "c:\\WINDOWS\\system32\\lxdvcoms.exe"= "c:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe"= "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvtime.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3776:UDP"= 3776:UDP:Media Center Extender Service "3390:TCP"= 3390:TCP:Remote Media Center Experience R2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service [] R2 RMSvc;Media Center Extender Resource Monitor;c:\windows\ehome\RMSvc.exe [2005-10-20 28160] R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-15 24652] S2 BIRPBQPQ;BIRPBQPQ;\??\c:\windows\system32\birpbqpq.paf [] S2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2008-12-04 98984] S3 gtermddo;gtermddo;\??\c:\docume~1\Adam\LOCALS~1\Temp\gtermddo.sys [] S3 QWAVE;QWAVE service;c:\windows\system32\svchost.exe -k QWAVE [2005-08-16 14336] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE REG_MULTI_SZ QWAVE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25432b37-0d8c-11dc-b813-00132093bcde}] \Shell\AutoRun\command - E:\Autorun.exe /run \Shell\Shell00\Command - E:\Autorun.exe /run \Shell\Shell01\Command - E:\Autorun.exe /action \Shell\Shell02\Command - E:\Autorun.exe /uninstall [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe . Contents of the 'Scheduled Tasks' folder 2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2008-11-29 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DG1QBX81-Administrator).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe [] 2008-11-15 c:\windows\Tasks\McDefragTask.job - c:\windows\system32\defrag.exe [2008-04-13 18:12] 2008-12-01 c:\windows\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10] . - - - - ORPHANS REMOVED - - - - BHO-{f2b4c71d-b36d-42a7-af83-ef4e38800a63} - c:\windows\system32\lowopami.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mStart Page = hxxp://www.dell4me.com/myway IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html IE: &Search - ?p=ZJxdm186NJUS IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm c:\windows\Downloaded Program Files\ActiveGS.ocx - O16 -: ActiveGS.cab hxxp://www.virtualapple.org/activegs.cab c:\windows\Downloaded Program Files\OSDA56.OSD . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-05 04:14:10 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\docume~1\Adam\LOCALS~1\Temp\me_8McV72g6ofWOeQF 0 bytes c:\docume~1\Adam\LOCALS~1\Temp\me_8SMov5lO71utUA5 0 bytes c:\docume~1\Adam\LOCALS~1\Temp\me_kfdFIBWJGcob6pV 0 bytes c:\docume~1\Adam\LOCALS~1\Temp\me_kOur80Mpwsg1hYe 0 bytes c:\docume~1\Adam\LOCALS~1\Temp\me_kOur80Mpwsg1hYe-journal 20 bytes c:\docume~1\Adam\LOCALS~1\Temp\me_mNi7eMbxhT4hUQt 0 bytes c:\docume~1\Adam\LOCALS~1\Temp\me_N4MqGff1dlOj7K9 0 bytes c:\docume~1\Adam\LOCALS~1\Temp\me_yKEbZzjdEL0Si7n 0 bytes ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BIRPBQPQ] "ImagePath"="\??\c:\windows\system32\birpbqpq.paf" . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\windows\system32\rundll32.exe c:\windows\system32\acs.exe c:\docume~1\Adam\LOCALS~1\Temp\clclean.0001 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\windows\system32\CTSVCCDA.EXE c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\windows\system32\lxdvcoms.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\program files\Common Files\McAfee\MNA\McNASvc.exe c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe c:\program files\McAfee\MPF\MpfSrv.exe c:\windows\ehome\McrdSvc.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe c:\program files\iPod\bin\iPodService.exe c:\windows\system32\dllhost.exe . ************************************************************************ . Completion time: 2008-12-05 4:23:55 - machine was rebooted [Adam] ComboFix-quarantined-files.txt 2008-12-05 10:22:34 Pre-Run: 113,968,828,416 bytes free Post-Run: 114,439,745,536 bytes free 286 --- E O F --- 2008-12-01 21:16:38

12-05-2008, 03:28 AM	#30 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help Sorry for keeping you up so late/early

12-05-2008, 03:33 AM	#31 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,151 OS: 2000 Pro; XP Pro; XP Home	Re: Popup help Heheh, no worries...this has been interesting, and I keep odd hours. Things are looking better, but we'll have more work to do. While I work on the next steps....please go to C:\Avenger, and right click on it, Send to >Compressed Folder to zip it up. Please submit it to this site, and include a link to this topic. http://www.bleepingcomputer.com/subm....php?channel=4 __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-05-2008, 03:37 AM	#32 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help ok, thats done...

12-05-2008, 04:03 AM	#34 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help Ok, done

12-05-2008, 12:48 PM	#36 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help As above steps were followed and the computer seems to be running fine. Posted below are the logs you requested. ComboFix 08-12-04.04 - Adam 2008-12-05 5:29:32.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1490 [GMT -6:00] Running from: c:\documents and settings\Adam\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Adam\Desktop\CFScript.txt * Created a new restore point * Resident AV is active FILE :: c:\documents and settings\All Users\Application Data\gwseh.dat c:\program files\temp01 . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Avenger c:\avenger\backup.zip c:\documents and settings\All Users\Application Data\gwseh.dat c:\program files\Common Files\InstallShield\UpdateService\bak c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe c:\program files\Common Files\Real\Update_OB\bak c:\program files\Common Files\Real\Update_OB\bak\realsched.exe c:\program files\Corel\Corel Photo Album 6\bak c:\program files\Corel\Corel Photo Album 6\bak\MediaDetect.exe c:\program files\Creative\MediaSource\Detector\bak c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe c:\program files\Creative\SBAudigy\Surround Mixer\bak c:\program files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe c:\program files\CyberLink\PowerDVD\bak c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe c:\program files\DellSupport\bak c:\program files\DellSupport\bak\DSAgnt.exe c:\program files\Google\GoogleToolbarNotifier\bak c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe c:\program files\Intel\Modem Event Monitor\bak c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe c:\program files\iTunes\bak c:\program files\iTunes\bak\iTunesHelper.exe c:\program files\Java\jre1.6.0_01\bin\bak c:\program files\Java\jre1.6.0_01\bin\bak\jusched.exe c:\program files\McAfee.com\Agent\bak c:\program files\McAfee.com\Agent\bak\mcagent.exe c:\program files\QuickTime\bak c:\program files\QuickTime\bak\QTTask.exe c:\program files\temp01 c:\program files\Windows Defender\bak c:\program files\Windows Defender\bak\MSASCui.exe c:\program files\Windows Media Player\bak c:\program files\Windows Media Player\bak\WMPNSCFG.exe c:\program files\Yahoo!\YCentral\bak c:\program files\Yahoo!\YCentral\bak\YahooCentral.exe c:\windows\bak c:\windows\bak\UpdReg.EXE c:\windows\ehome\bak c:\windows\ehome\bak\ehtray.exe c:\windows\system32\bak c:\windows\system32\bak\hkcmd.exe c:\windows\system32\bak\igfxpers.exe c:\windows\system32\bak\igfxtray.exe c:\windows\system32\dla\bak c:\windows\system32\dla\bak\tfswctrl.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_BIRPBQPQ -------\Legacy_GTERMDDO -------\Service_BIRPBQPQ -------\Service_gtermddo ((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 ))))))))))))))))))))))))))))))) . 2008-12-05 04:35 . 2008-12-05 04:35 2,798,143 --a------ C:\Avenger.zip 2008-12-04 18:05 . 2008-12-04 18:11 <DIR> d-------- c:\program files\trend micro 2008-12-04 18:04 . 2008-12-04 18:11 <DIR> d-------- C:\rsit 2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Adam\Application Data\Lexmark Productivity Studio 2008-12-04 14:27 . 2008-12-04 14:54 <DIR> d-------- c:\documents and settings\All Users\lx_cats 2008-12-04 14:26 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys 2008-12-04 14:26 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys 2008-12-04 14:21 . 2007-10-10 07:40 348,160 --a------ c:\windows\system32\lxdvcoin.dll 2008-12-04 14:21 . 2008-07-16 00:49 40,960 --a------ c:\windows\system32\lxdvvs.dll 2008-12-04 14:20 . 2007-09-06 14:40 692,224 --a------ c:\windows\system32\lxdvdrs.dll 2008-12-04 14:20 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll 2008-12-04 14:20 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\dllcache\wiafbdrv.dll 2008-12-04 14:20 . 2007-07-16 11:53 69,632 --a------ c:\windows\system32\lxdvcnv4.dll 2008-12-04 14:20 . 2007-08-10 13:49 65,536 --a------ c:\windows\system32\lxdvcaps.dll 2008-12-04 14:20 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys 2008-12-04 14:20 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys 2008-12-04 14:18 . 2008-12-04 14:19 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint 2008-12-04 14:11 . 2008-12-04 14:20 <DIR> d-------- c:\program files\Lexmark X5400 Series 2008-12-04 14:11 . 2008-07-16 21:15 77,915 --a------ c:\windows\system32\LXDVcfg.dll 2008-12-04 14:11 . 2008-12-04 14:21 76,139 --a------ c:\windows\system32\LexFiles.ulf 2008-12-04 14:11 . 2008-07-24 07:26 2,072 --a------ c:\windows\system32\lxdv.loc 2008-12-03 23:02 . 2008-12-03 23:45 <DIR> d-------- c:\program files\Windows Live Safety Center 2008-12-01 16:40 . 2008-12-05 02:28 250 --a------ c:\windows\gmer.ini 2008-11-30 00:38 . 2008-12-01 01:24 <DIR> d-------- c:\program files\Mystery Case Files - Return to Ravenhearst 2008-11-29 19:02 . 2008-12-03 23:58 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-29 19:02 . 2008-12-03 23:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-22 17:51 . 2008-11-22 17:52 <DIR> d-------- c:\program files\Build-a-lot 3 - Passport to Europe 2008-11-12 00:46 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-12 00:45 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll 2008-11-11 20:08 . 2008-11-11 20:08 <DIR> d-------- c:\program files\Governor of Poker 2008-11-11 18:47 . 2008-11-11 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayPond 2008-11-09 21:46 . 2008-11-09 21:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Redrum . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-05 11:29 --------- d-----w c:\program files\Windows Defender 2008-12-05 11:29 --------- d-----w c:\program files\QuickTime 2008-12-05 11:29 --------- d-----w c:\program files\iTunes 2008-12-05 11:29 --------- d-----w c:\program files\DellSupport 2008-12-03 08:12 --------- d-----w c:\program files\PokerStars.NET 2008-12-03 08:11 --------- d-----w c:\program files\PokerStars 2008-12-01 07:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-11-30 06:41 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache 2008-11-25 00:40 --------- d-----w c:\documents and settings\Marisa\Application Data\Wildfire 2008-11-22 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\HipSoft 2008-11-14 16:37 --------- d--h--w c:\documents and settings\Marisa\Application Data\Move Networks 2008-11-11 22:28 --------- d-----w c:\program files\World of Warcraft 2008-11-10 03:43 --------- d-----w c:\program files\bfgclient 2008-10-24 17:30 --------- d-----w c:\documents and settings\Adam\Application Data\Wildfire 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-14 16:17 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard 2007-10-21 16:17 104 --sh--r c:\windows\system32\5293A892C3.sys 2007-09-17 13:25 88 --sh--r c:\windows\system32\C392A89352.sys 2007-10-21 16:17 4,184 --sha-w c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704] "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048] "lxdvmon.exe"="c:\program files\Lexmark X5400 Series\lxdvmon.exe" [2008-08-05 455336] "lxdvamon"="c:\program files\Lexmark X5400 Series\lxdvamon.exe" [2008-08-05 25256] "MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-06 315392] Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-09-03 176128] Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423] NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 1503232] Program Neighborhood Agent.lnk - c:\program files\Citrix\ICA Client\pnagent.exe [2005-11-29 233744] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.ffds"= ffdshow.ax [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\WINDOWS\\system32\\LEXPPS.EXE"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\SightSpeed\\SightSpeed.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"= "c:\\Program Files\\QuickTime\\QTTask.exe"= "c:\\WINDOWS\\system32\\lxdvcoms.exe"= "c:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe"= "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvtime.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3776:UDP"= 3776:UDP:Media Center Extender Service "3390:TCP"= 3390:TCP:Remote Media Center Experience R2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service [] R2 RMSvc;Media Center Extender Resource Monitor;c:\windows\ehome\RMSvc.exe [2005-10-20 28160] R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-15 24652] S2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2008-12-04 98984] S3 QWAVE;QWAVE service;c:\windows\system32\svchost.exe -k QWAVE [2005-08-16 14336] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE REG_MULTI_SZ QWAVE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25432b37-0d8c-11dc-b813-00132093bcde}] \Shell\AutoRun\command - E:\Autorun.exe /run \Shell\Shell00\Command - E:\Autorun.exe /run \Shell\Shell01\Command - E:\Autorun.exe /action \Shell\Shell02\Command - E:\Autorun.exe /uninstall [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe . Contents of the 'Scheduled Tasks' folder 2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2008-11-29 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DG1QBX81-Administrator).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe [] 2008-11-15 c:\windows\Tasks\McDefragTask.job - c:\windows\system32\defrag.exe [2008-04-13 18:12] 2008-12-01 c:\windows\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10] . - - - - ORPHANS REMOVED - - - - HKLM-Run-NWEReboot - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mStart Page = hxxp://www.dell4me.com/myway IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html IE: &Search - ?p=ZJxdm186NJUS IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm c:\windows\Downloaded Program Files\ActiveGS.ocx - O16 -: ActiveGS.cab hxxp://www.virtualapple.org/activegs.cab c:\windows\Downloaded Program Files\OSDA56.OSD . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-05 05:33:19 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ********************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\windows\system32\rundll32.exe c:\docume~1\Adam\LOCALS~1\Temp\clclean.0001 c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe c:\windows\system32\acs.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\windows\system32\CTSVCCDA.EXE c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\windows\system32\lxdvcoms.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\program files\Common Files\McAfee\MNA\McNASvc.exe c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe c:\program files\McAfee\MPF\MpfSrv.exe c:\windows\ehome\McrdSvc.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe c:\program files\iPod\bin\iPodService.exe c:\windows\system32\dllhost.exe c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe . ************************************************************************ . Completion time: 2008-12-05 5:39:47 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-05 11:38:27 ComboFix2.txt 2008-12-05 10:23:58 Pre-Run: 114,580,856,832 bytes free Post-Run: 114,551,754,752 bytes free 282 --- E O F --- 2008-12-01 21:16:38 -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Friday, December 5, 2008 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Friday, December 05, 2008 09:03:58 Records in database: 1438362 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: no Scan area - My Computer: A:\ C:\ D:\ Scan statistics: Files scanned: 323813 Threat name: 4 Infected objects: 4 Suspicious objects: 0 Duration of the scan: 02:27:15 File name / Threat name / Threats count C:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-3a5f108d.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1 C:\Documents and Settings\Marisa\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-3b772b05.zip Infected: Exploit.Java.Gimsh.b 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\WanPacket.dll.vir Infected: Backdoor.Win32.ForBot.am 1 The selected area was scanned.

12-05-2008, 12:52 PM	#37 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,151 OS: 2000 Pro; XP Pro; XP Home	Re: Popup help Looks good. Open NOTEPAD.exe and copy/paste the text in the codebox below into it: Code: @echo off if exist "%temp%\log.txt" del "%temp%\log.txt" for %%g in ( "C:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-27406485-3a5f108d.zip" "C:\Documents and Settings\Marisa\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-3b772b05.zip" ) do ( del /a/f %%g >nul 2>&1 if exist %%g echo.%%g>>"%temp%\log.txt" ) if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt" ) else echo.Deleted Successfully !! pause del %0 Save this as fix.bat Choose to "Save type as - All Files" It should look like this: Double click on fix.bat & allow it to run Post back to tell me what it says __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-05-2008, 12:57 PM	#38 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help A black box appeared and said that the items were successfully deleted and asked I press enter to continue.

12-05-2008, 01:04 PM	#39 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,151 OS: 2000 Pro; XP Pro; XP Home	Re: Popup help Please do so, if you've not already. Any of the upload zip files still remaining can be deleted, as can gmer and Avenger. The other items found by Kaspersky are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below Other than that.... Your logs appear clean.You should be good to go. We still have a few items to address. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer Here are some additional utilities that will further enhance your safety. http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles How did I get infected in the first place? PC Safety and Security--What Do I Need? If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-05-2008, 01:31 PM	#40 (permalink)
AWildrick Registered User Join Date: Dec 2008 Posts: 20 OS: WinXP	Re: Popup help Y=Thank you SOOOOOO much for all of your help!