Suspected Infection ?

jason@jason859. · 12-05-2008, 06:25 AM

hi guys wonder if there is any help available due to my pc becomin infected with i think is mailware not too sure what to do ive got my logs done , not too sure what info u guys require but any help would be ace thanks for time in this matter jason

jason@jason859. · 12-05-2008, 10:36 AM

sorry guys i ve been a bit vague about my prob but i really don't know where to begin on it please find attached DDS and GMER logs for u to look at thanks once again for your time.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-05 13:14:39
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF74CE818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF74CE7D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF74C2A20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF74C32A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF74CE910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF74CE794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF74C32C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF74CE866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF74CE0B0]
SSDT sptd.sys ZwSetValueKey [0xF7505D56]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA721F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA6649CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA664978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA66498C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA664A76]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA664AA2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA664A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA664B39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA664950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA664964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA6649DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA664AE4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA664A8C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA664B61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA664B4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA6649B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA6649A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA664A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA664B23]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA664A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA6649F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP AA6649F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP AA6649CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP AA6649A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP AA664A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP AA664A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP AA664954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP AA6649E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP AA664990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP AA664A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80591F8B 7 Bytes JMP AA664AA6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80593334 7 Bytes JMP AA664A7A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP AA66497C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1939 5 Bytes JMP AA664968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 805E218F 5 Bytes JMP AA664B3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635947 5 Bytes JMP AA6649BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 80654DB2 7 Bytes JMP AA664B27 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 806556D8 7 Bytes JMP AA664AE8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 80655B56 7 Bytes JMP AA664A90 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 80656049 5 Bytes JMP AA664B51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 806564B2 5 Bytes JMP AA664B65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\windows\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B78158AC 5 Bytes JMP 8A9B91B8

---- User code sections - GMER 1.0.14 ----

.text C:\windows\system32\services.exe[772] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01100000
.text C:\windows\system32\services.exe[772] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01100F83
.text C:\windows\system32\services.exe[772] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0110006E
.text C:\windows\system32\services.exe[772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01100051
.text C:\windows\system32\services.exe[772] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01100F94
.text C:\windows\system32\services.exe[772] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01100036
.text C:\windows\system32\services.exe[772] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011000BA
.text C:\windows\system32\services.exe[772] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0110009D
.text C:\windows\system32\services.exe[772] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01100F46
.text C:\windows\system32\services.exe[772] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011000DF
.text C:\windows\system32\services.exe[772] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011000FA
.text C:\windows\system32\services.exe[772] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01100FAF
.text C:\windows\system32\services.exe[772] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01100FEF
.text C:\windows\system32\services.exe[772] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01100F72
.text C:\windows\system32\services.exe[772] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01100025
.text C:\windows\system32\services.exe[772] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01100FD4
.text C:\windows\system32\services.exe[772] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01100F61
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 010F002C
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 010F0F94
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 010F0FE5
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 010F0011
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 010F0051
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 010F0000
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 010F0FAF
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 2F, 89 ]
.text C:\windows\system32\services.exe[772] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 010F0FC0
.text C:\windows\system32\services.exe[772] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\windows\system32\lsass.exe[792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011B0FEF
.text C:\windows\system32\lsass.exe[792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011B0FA8
.text C:\windows\system32\lsass.exe[792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011B009D
.text C:\windows\system32\lsass.exe[792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011B0FB9
.text C:\windows\system32\lsass.exe[792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011B0076
.text C:\windows\system32\lsass.exe[792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011B0FD4
.text C:\windows\system32\lsass.exe[792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011B0F5F
.text C:\windows\system32\lsass.exe[792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011B0F70
.text C:\windows\system32\lsass.exe[792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011B0F29
.text C:\windows\system32\lsass.exe[792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011B0F3A
.text C:\windows\system32\lsass.exe[792] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011B00DD
.text C:\windows\system32\lsass.exe[792] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 011B005B
.text C:\windows\system32\lsass.exe[792] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011B000A
.text C:\windows\system32\lsass.exe[792] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 011B0F8D
.text C:\windows\system32\lsass.exe[792] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 011B0040
.text C:\windows\system32\lsass.exe[792] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 011B0025
.text C:\windows\system32\lsass.exe[792] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 011B00C2
.text C:\windows\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01190FB9
.text C:\windows\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0119006C
.text C:\windows\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01190FCA
.text C:\windows\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0119000A
.text C:\windows\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01190051
.text C:\windows\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01190FE5
.text C:\windows\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01190040
.text C:\windows\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0119002F
.text C:\windows\system32\lsass.exe[792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text C:\windows\system32\lsass.exe[792] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 011A0000
.text C:\windows\system32\lsass.exe[792] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 011A0FE5
.text C:\windows\system32\lsass.exe[792] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 011A0011
.text C:\windows\system32\lsass.exe[792] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 011A0FB6
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B4000A
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B400C9
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B400AE
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40093
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40076
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B4004A
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40F92
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40FAF
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F52
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B40F6D
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B40F41
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B4005B
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B40FEF
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B400DA
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B40FD4
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B40025
.text C:\windows\system32\svchost.exe[1004] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B400EB
.text C:\windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B30FB9
.text C:\windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B30F9E
.text C:\windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B30FCA
.text C:\windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B3000A
.text C:\windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B3005B
.text C:\windows\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B30FEF
.text C:\windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B30040
.text C:\windows\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B30025
.text C:\windows\system32\svchost.exe[1004] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B1000A
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70FEF
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C7004C
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70F57
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70F72
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70F83
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70025
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C7007D
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70F2B
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70EE4
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70EFF
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C70098
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C70F9E
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C70FDE
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C70F3C
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C70FC3
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C70014
.text C:\windows\system32\svchost.exe[1064] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C70F10
.text C:\windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C6001B
.text C:\windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C60062
.text C:\windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C60FCA
.text C:\windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C60000
.text C:\windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C60051
.text C:\windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C60FE5
.text C:\windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C60036
.text C:\windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C60FAF
.text C:\windows\system32\svchost.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C40FEF
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027D0FEF
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027D0F5E
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027D0F6F
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027D0047
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027D0F8A
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027D0FA5
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027D0F2B
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027D0F3C
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027D0F09
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027D0F1A
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 027D00C7
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 027D002C
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 027D0000
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 027D0F4D
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 027D0011
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 027D0FCA
.text C:\windows\System32\svchost.exe[1112] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 027D0098
.text C:\windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01F20FC3
.text C:\windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01F20F8D
.text C:\windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01F2000A
.text C:\windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01F20FD4
.text C:\windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01F2004A
.text C:\windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01F20FEF
.text C:\windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01F20039
.text C:\windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01F20FB2
.text C:\windows\System32\svchost.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01F00FEF
.text C:\windows\System32\svchost.exe[1112] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01F3000A
.text C:\windows\System32\svchost.exe[1112] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01F3001B
.text C:\windows\System32\svchost.exe[1112] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01F30036
.text C:\windows\System32\svchost.exe[1112] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01F30051
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660000
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660058
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F63
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F7E
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660FA5
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660047
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006600A1
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660084
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006600D4
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600C3
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00660F20
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00660FC0
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0066001B
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00660073
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00660036
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00660FE5
.text C:\windows\system32\svchost.exe[1148] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 006600B2
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00650FC3
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0065004A
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00650FDE
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00650014
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00650039
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00650FEF
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00650F97
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 85, 88 ]
.text C:\windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00650FB2
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C000A
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C0089
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C006E
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0F94
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0FA5
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0FD1
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C0F6D
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C00B5
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C00FC
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C00E1
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007C0F3E
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007C0FB6
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007C001B
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007C00A4
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 007C003D
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 007C002C
.text C:\windows\system32\svchost.exe[1220] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007C00D0
.text C:\windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007B002C
.text C:\windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007B0F9E
.text C:\windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007B001B
.text C:\windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007B000A
.text C:\windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007B0FAF
.text C:\windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007B0FEF
.text C:\windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 007B0051
.text C:\windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007B0FCA
.text C:\windows\system32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C000A
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80000
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80F63
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80F74
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C8004E
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C8003D
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C8002C
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C80F37
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C8007F
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C800AE
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C80F15
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C800C9
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C80F9B
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C80FE5
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C80F48
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C80FCA
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C8001B
.text C:\windows\system32\svchost.exe[1304] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C80F26
.text C:\windows\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A10F9E
.text C:\windows\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A10F68
.text C:\windows\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A10FB9
.text C:\windows\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A10FD4
.text C:\windows\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A10F79
.text C:\windows\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A10FE5
.text C:\windows\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00A10025
.text C:\windows\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A1000A
.text C:\windows\system32\svchost.exe[1304] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F000A
.text C:\windows\system32\svchost.exe[1304] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A20FEF
.text C:\windows\system32\svchost.exe[1304] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A20014
.text C:\windows\system32\svchost.exe[1304] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A20FDE
.text C:\windows\system32\svchost.exe[1304] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A20FCD
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660000
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F7B
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660070
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F96
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660055
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660044
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0066009C
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660F60
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F39
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600DC
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 006600F7
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00660FB3
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00660011
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0066008B
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00660033
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00660022
.text C:\windows\system32\svchost.exe[1564] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 006600B7
.text C:\windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00650014
.text C:\windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00650F8D
.text C:\windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00650FB9
.text C:\windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00650FD4
.text C:\windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00650F9E
.text C:\windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00650FEF
.text C:\windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00650040
.text C:\windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00650025
.text C:\windows\system32\svchost.exe[1564] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1784] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60FEF
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B60F7A
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60F8B
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60FB2
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60065
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B6002F
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B60F49
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B6009B
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B60F1D
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B60F2E
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B600C7
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B60054
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B60014
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B6008A
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B60FC3
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B60FDE
.text C:\windows\system32\svchost.exe[2052] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B600B6
.text C:\windows\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B50FB9
.text C:\windows\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B50F8D
.text C:\windows\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B5000A
.text C:\windows\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B50FD4
.text C:\windows\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B50040
.text C:\windows\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B50FEF
.text C:\windows\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B5002F
.text C:\windows\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B50F9E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] kernel32.dll!MultiByteToWideChar 7C809C88 5 Bytes JMP 00C773AD C:\windows\system32\urqQGYSk.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] WS2_32.dll!send 71AB4C27 5 Bytes JMP 1000CEA6 C:\windows\system32\yduiws.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 10015472 C:\windows\system32\yduiws.dll

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \windows\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F7514580] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F751452C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752EAB8] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AC161D8
Device \FileSystem\Ntfs \Ntfs 8ABAAB60

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 8A208980
Device \FileSystem\Fastfat \FatCdrom 8A9FCA88
Device \FileSystem\Udfs \UdfsCdRom 8A226980
Device \FileSystem\Udfs \UdfsCdRom 8A312CA8
Device \FileSystem\Udfs \UdfsDisk 8A226980
Device \FileSystem\Udfs \UdfsDisk 8A312CA8
Device \Driver\usbstor \Device\0000009b 8903A980
Device \Driver\usbstor \Device\0000009b sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{AC3FBEC7-7AED-49AC-8515-38632EA73961} 8A1BF980
Device \Driver\usbuhci \Device\USBPDO-0 8AA08980
Device \Driver\usbuhci \Device\USBPDO-1 8AA08980
Device \Driver\usbuhci \Device\USBPDO-2 8AA08980
Device \Driver\usbuhci \Device\USBPDO-3 8AA08980
Device \Driver\usbehci \Device\USBPDO-4 8AA80980

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8AC181D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AC181D8
Device \Driver\Cdrom \Device\CdRom0 8A72AF00
Device \Driver\Cdrom \Device\CdRom0 8A6B9D10
Device \Driver\Cdrom \Device\CdRom0 8A987010
Device \FileSystem\Rdbss \Device\FsWrap 8A1D3178
Device \Driver\Cdrom \Device\CdRom1 8A72AF00
Device \Driver\Cdrom \Device\CdRom1 8A6B9D10
Device \Driver\Cdrom \Device\CdRom1 8A987010
Device \Driver\atapi \Device\Ide\IdePort0 8A74E898
Device \Driver\atapi \Device\Ide\IdePort0 8A6632B8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8A74E898
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8A6632B8
Device \Driver\atapi \Device\Ide\IdePort1 8A74E898
Device \Driver\atapi \Device\Ide\IdePort1 8A6632B8
Device \Driver\atapi \Device\Ide\IdePort2 8A74E898
Device \Driver\atapi \Device\Ide\IdePort2 8A6632B8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8A74E898
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8A6632B8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 8A74E898
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 8A6632B8
Device \Driver\Cdrom \Device\CdRom2 8A72AF00
Device \Driver\Cdrom \Device\CdRom2 8A6B9D10
Device \Driver\Cdrom \Device\CdRom2 8A987010
Device \Driver\Cdrom \Device\CdRom3 8A72AF00
Device \Driver\Cdrom \Device\CdRom3 8A6B9D10
Device \Driver\Cdrom \Device\CdRom3 8A987010
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A1BF980
Device \Driver\usbstor \Device\00000090 8903A980
Device \Driver\usbstor \Device\00000090 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000091 8903A980
Device \Driver\usbstor \Device\00000091 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetbiosSmb 8A1BF980
Device \FileSystem\Srv \Device\LanmanServer 8A2DB3A8

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbstor \Device\00000096 8903A980
Device \Driver\usbstor \Device\00000096 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbstor \Device\00000097 8903A980
Device \Driver\usbstor \Device\00000097 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000098 8903A980
Device \Driver\usbstor \Device\00000098 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbstor \Device\00000099 8903A980
Device \Driver\usbstor \Device\00000099 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbuhci \Device\USBFDO-0 8AA08980
Device \Driver\usbuhci \Device\USBFDO-1 8AA08980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A19F4E0
Device \Driver\usbuhci \Device\USBFDO-2 8AA08980
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A19F4E0
Device \Driver\usbuhci \Device\USBFDO-3 8AA08980
Device \FileSystem\Npfs \Device\NamedPipe 8A2C7378
Device \Driver\usbehci \Device\USBFDO-4 8AA80980
Device \Driver\Ftdisk \Device\FtControl 8AC181D8
Device \FileSystem\Msfs \Device\Mailslot 8A2E6668
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 8A6E54F8
Device \Driver\axsaki \Device\Scsi\axsaki1Port4Path0Target0Lun0 8A3D52D0
Device \Driver\axsaki \Device\Scsi\axsaki1Port4Path0Target0Lun0 8A6606E8
Device \Driver\axsaki \Device\Scsi\axsaki1 8A3D52D0
Device \Driver\axsaki \Device\Scsi\axsaki1 8A6606E8
Device \Driver\d347prt \Device\Scsi\d347prt1 8A6E54F8
Device \Driver\usbstor \Device\0000009a 8903A980
Device \Driver\usbstor \Device\0000009a sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Fastfat \Fat 8A208980
Device \FileSystem\Fastfat \Fat 8A9FCA88

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A2ED5E8
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A2ED5E8
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A2ED5E8
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A2ED5E8
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A2ED5E8
Device \FileSystem\Cdfs \Cdfs 8A1A0980
Device \FileSystem\Cdfs \Cdfs 8A21AC98

---- Modules - GMER 1.0.14 ----

Module _________ BA7E8000-BA800000 (98304 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0xEA 0xAA 0xA1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0xBF 0xB9 0xD9 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0x4D 0xD8 0x9D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0xEA 0xAA 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0xBF 0xB9 0xD9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0x4D 0xD8 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ee750143f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ee750143f@001b59379b8f 0xF5 0x4B 0x48 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0xF8 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z1 0x38 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z2 0x38 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z3 0x38 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z4 0x38 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z5 0x38 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z6 0x38 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z7 0x38 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z8 0x38 0x89 0x94 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1881078541
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1401951717
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8B 0x43 0x6E 0x74 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD7 0x8C 0x82 0xAD ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0xEA 0xAA 0xA1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0xBF 0xB9 0xD9 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0x4D 0xD8 0x9D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0xEA 0xAA 0xA1 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0xBF 0xB9 0xD9 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0x4D 0xD8 0x9D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0xEA 0xAA 0xA1 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0xBF 0xB9 0xD9 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD7 0x4D 0xD8 0x9D ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBE 0x0E 0xCB 0x8E ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE1 0x31 0xCF 0xA6 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x22 0x34 0x18 0x68 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0xEA 0xAA 0xA1 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0xBF 0xB9 0xD9 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0E 0x70 0x6C 0xCB ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8B 0x43 0x6E 0x74 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD7 0x8C 0x82 0xAD ...
Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\000ee750143f
Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\000ee750143f@001b59379b8f 0xF5 0x4B 0x48 0xA4 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8B 0x43 0x6E 0x74 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD7 0x8C 0x82 0xAD ...

---- EOF - GMER 1.0.14 ----

tetonbob · 12-06-2008, 11:49 AM

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Also....once ComboFix is done...

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

jason@jason859. · 12-06-2008, 03:25 PM

thanks bob for your help here is logs as requested . see what u think ?

ComboFix 08-12-06.03 - jay 2008-12-06 21:44:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1432 [GMT 0:00]
Running from: c:\documents and settings\jay\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jay\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\jay\jay.exe
c:\recycler\ADAPT_Installer.exe
c:\windows\fmark2.dat
c:\windows\struct~.ini
c:\windows\system32\_000111_.tmp.dll
c:\windows\system32\~.exe
c:\windows\system32\agdnoaib.dll
c:\windows\system32\biaondga.ini
c:\windows\system32\cennjg.dll
c:\windows\system32\dbptopgf.ini
c:\windows\system32\eberikxp.dll
c:\windows\system32\elvccxaj.ini
c:\windows\system32\fwyiheyt.dll
c:\windows\system32\jaduzumi.dll
c:\windows\system32\kirasahi.dll
c:\windows\system32\kpeqvdom.ini
c:\windows\system32\kSYGQqru.ini
c:\windows\system32\kSYGQqru.ini2
c:\windows\system32\lvksqnlg.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\nemarato.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\pwsudqxt.ini
c:\windows\system32\txqduswp.dll
c:\windows\system32\urqQGYSk.dll
c:\windows\system32\yduiws.dll
c:\windows\system32\zqydux.dll
c:\windows\Tasks\szqrbyje.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 17:01 . 2008-12-05 17:01 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\eBay
2008-12-05 12:54 . 2008-12-05 12:54 250 --a------ c:\windows\gmer.ini
2008-12-04 22:40 . 2008-12-04 22:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-04 22:39 . 2008-12-04 22:40 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-04 22:39 . 2008-12-04 22:39 <DIR> d-------- c:\documents and settings\jay\Application Data\SUPERAntiSpyware.com
2008-12-03 14:45 . 2008-12-03 14:45 <DIR> d-------- C:\ProgramData
2008-12-03 14:45 . 2008-12-03 14:45 9,118 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-12-03 13:34 . 2008-12-03 13:34 3,120 --a------ c:\windows\system32\CB4CPW8G.ocx
2008-12-03 13:33 . 2008-12-03 13:33 <DIR> d-------- c:\program files\Planetwide Games
2008-12-03 10:34 . 2008-12-03 10:34 <DIR> d-------- c:\windows\7A9B63233F5E4A2E939E8A1F4F6A0CA8.TMP
2008-11-27 23:06 . 2008-11-27 23:06 3,120 --a------ c:\windows\system32\7UMKDEOF.ocx
2008-11-27 23:05 . 2008-11-27 23:05 3,120 --a------ c:\windows\system32\AAD8B5D8.ocx
2008-11-27 23:04 . 2008-11-27 23:04 <DIR> d-------- c:\program files\Marvel
2008-11-26 20:25 . 2008-11-26 20:25 <DIR> d-------- c:\program files\HiYo
2008-11-26 20:25 . 2008-11-26 20:25 <DIR> d-------- c:\documents and settings\jay\Application Data\HiYo
2008-11-26 20:25 . 2008-11-26 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\HiYo
2008-11-23 16:42 . 2008-11-23 18:47 4,379 ---h----- c:\windows\be49f4d98.dat
2008-11-22 12:31 . 2008-11-22 12:32 <DIR> d-------- c:\program files\SopCast
2008-11-20 20:44 . 2008-11-20 20:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-17 20:04 . 2008-11-17 20:04 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-13 07:42 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 07:41 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 15:32 . 2008-11-11 18:28 <DIR> d-------- c:\windows\system32\Nagasoft
2008-11-08 16:52 . 2008-11-15 16:10 15 --a------ c:\windows\Powerplayer.ini
2008-11-07 14:25 . 2008-11-07 14:25 <DIR> d-------- c:\documents and settings\jay\Application Data\Sonic
2008-11-06 14:57 . 2008-11-06 14:57 34,492 --ah----- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 22:01 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-12-06 14:12 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-06 10:17 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-12-06 10:10 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-05 17:02 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-12-05 13:17 --------- d-----w c:\documents and settings\jay\Application Data\MailWasherPro
2008-12-04 22:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 22:19 --------- d-----w c:\program files\Google
2008-12-03 14:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-03 14:45 --------- d-----w c:\program files\Electronic Arts
2008-12-03 13:23 --------- d-s---w c:\program files\Xfire
2008-12-02 21:47 --------- d-----w c:\documents and settings\jay\Application Data\Xfire
2008-11-28 11:17 --------- d-----w c:\documents and settings\jay\Application Data\CopyToDvd
2008-11-22 15:57 --------- d-----w c:\program files\uusee
2008-11-16 13:23 --------- d-----w c:\program files\McAfee
2008-11-15 19:36 --------- d-----w c:\program files\Activision
2008-11-15 17:10 --------- d-----w c:\program files\Common Files\uusee
2008-11-14 18:20 --------- d-----w c:\program files\MP3 Player Utilities 4.03
2008-11-14 14:04 22,328 ----a-w c:\documents and settings\jay\Application Data\PnkBstrK.sys
2008-11-13 14:55 --------- d-----w c:\program files\UseNeXT
2008-11-11 17:04 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-09 14:26 --------- d-----w c:\documents and settings\jay\Application Data\dvdcss
2008-11-07 23:25 --------- d-----w c:\program files\dvdSanta
2008-11-07 22:58 --------- d-----w c:\documents and settings\jay\Application Data\Roxio
2008-11-02 22:02 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-02 21:44 --------- d-----w c:\program files\TVAnts
2008-11-02 21:05 --------- d-----w c:\program files\ATI Technologies
2008-11-01 12:45 48,396 ----a-w c:\windows\UninstVeetleTVPlayer.exe
2008-11-01 11:38 --------- d-----w c:\documents and settings\LocalService\Application Data\Roxio
2008-11-01 11:21 --------- d-----w c:\documents and settings\All Users\Application Data\Uninstall
2008-11-01 11:19 --------- d-----w c:\program files\Roxio
2008-11-01 11:18 --------- d-----w c:\program files\Roxio Creator 2009
2008-11-01 11:18 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-11-01 11:17 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-11-01 11:16 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2008-11-01 11:15 --------- d-----w c:\program files\Windows Sidebar
2008-11-01 11:15 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-11-01 11:10 --------- d-----w c:\program files\SmartSound Software
2008-11-01 11:10 --------- d-----w c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2008-11-01 11:07 --------- d-----w c:\program files\Reference Assemblies
2008-11-01 11:07 --------- d-----w c:\program files\MSBuild
2008-10-27 23:35 --------- d-----w c:\documents and settings\jay\Application Data\UseNeXT
2008-10-27 20:38 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-27 18:45 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 21:43 --------- d-----w c:\program files\Creative
2008-10-21 21:40 --------- d-----w c:\documents and settings\jay\Application Data\Creative
2008-10-21 18:12 --------- d-----w c:\program files\AGEIA Technologies
2008-10-21 18:08 --------- d-----w c:\program files\D-Tools
2008-10-19 09:56 --------- d-----w c:\program files\Windows Live
2008-10-19 09:51 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-19 09:41 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-18 13:19 --------- d-----w c:\program files\Orange
2008-10-18 10:48 --------- d-----w c:\documents and settings\jay\Application Data\ppStream
2008-10-18 10:43 --------- d-----w c:\program files\Common Files\Synacast
2008-10-18 10:43 --------- d-----w c:\documents and settings\jay\Application Data\PPMate
2008-10-15 08:46 --------- d-----w c:\program files\iTunes
2008-10-15 08:46 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-15 08:45 --------- d-----w c:\program files\iPod
2008-10-15 08:44 --------- d-----w c:\program files\QuickTime
2008-10-15 08:44 --------- d-----w c:\program files\Common Files\Apple
2008-10-15 08:41 --------- d-----w c:\program files\Apple Software Update
2008-10-13 10:18 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-09-29 20:28 24,192 ----a-w c:\documents and settings\jay\usbsermptxp.sys
2008-09-29 20:28 22,768 ----a-w c:\documents and settings\jay\usbsermpt.sys
2008-09-29 20:05 92,064 ----a-w c:\documents and settings\jay\mqdmmdm.sys
2008-09-29 20:05 9,232 ----a-w c:\documents and settings\jay\mqdmmdfl.sys
2008-09-29 20:05 79,328 ----a-w c:\documents and settings\jay\mqdmserd.sys
2008-09-29 20:05 66,656 ----a-w c:\documents and settings\jay\mqdmbus.sys
2008-09-29 20:05 6,208 ----a-w c:\documents and settings\jay\mqdmcmnt.sys
2008-09-29 20:05 5,936 ----a-w c:\documents and settings\jay\mqdmwhnt.sys
2008-09-29 20:05 4,048 ----a-w c:\documents and settings\jay\mqdmcr.sys
2007-01-06 22:59 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-12-21 22:21 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-20 c:\windows\MIDIDEF.EXE]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^jay^Start Menu^Programs^Startup^Fujitsu Dial-Up PPP Connection.lnk]
path=c:\documents and settings\jay\Start Menu\Programs\Startup\Fujitsu Dial-Up PPP Connection.lnk
backup=c:\windows\pss\Fujitsu Dial-Up PPP Connection.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 22:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
--a------ 2008-03-22 12:36 652528 c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-11-27 11:58 1032376 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-11-15 19:34 1271032 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UUSEE]
--a------ 2008-11-13 15:50 787784 c:\program files\Common Files\uusee\UUSeeMediaCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-14 00:12 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\uusee\\UUSeeMediaCenter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Ubisoft\\Gearbox Software\\Brothers in Arms - Hell's Highway\\Binaries\\biahh.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Documents and Settings\\jay\\Desktop\\Dead Space.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-10-13 35328]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-30 203280]
R3 axsaki;axsaki;c:\windows\system32\DRIVERS\axsaki.sys [2003-03-30 102624]
R3 axskbus;axskbus;c:\windows\system32\DRIVERS\axskbus.sys [2003-03-28 8640]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe" [2008-08-14 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe" [2008-08-14 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe" [2008-08-14 170480]
S3 mamotou;mamotou;c:\windows\system32\DRIVERS\mamotou.sys [2008-07-18 49377]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys []
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" [2008-08-14 313840]
S3 RoxMediaDB11;RoxMediaDB11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe" [2008-08-14 1124848]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\DRIVERS\s115bus.sys [2007-04-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2006-12-04 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2006-12-04 12672]
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\McAfee\MQC\QcConsol.exe [2008-07-09 17:10]

2008-12-05 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-11-24 c:\windows\Tasks\scan.job
- c:\program files\McAfee\MQC\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0706ae74-7548-4617-acf7-409d5e745f81} - c:\windows\system32\kirasahi.dll
BHO-{530A65B9-AD2F-48AD-BC18-D349660E1731} - c:\windows\system32\urqQGYSk.dll
BHO-{d44cedd3-0681-493a-a09a-69d8c2e286ee} - c:\windows\system32\zqydux.dll
HKCU-Run-RemoteCenter - c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE
HKLM-Run-HPHUPD08 - c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-CTxfiHlp - CTXFIHLP.EXE
Notify-rqRLcAQj - rqRLcAQj.dll
MSConfigStartUp-miniQQLive - c:\program files\Tencent\QQLive\MiniQQLive.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-PCSuiteTrayApplication - c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
MSConfigStartUp-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-SpeedTouch USB Diagnostics - c:\program files\Thomson\SpeedTouchUSB\Dragdiag.exe

.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.arsenal.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZRxdm696YYGB
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.03\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.03\MediaManager\grab.html
IE: Ê¹ÓÃUUSee¼ÓËÙ²¥·Å - c:\program files\uusee\geturltoplay.htm
IE: Ê¹ÓÃUUSeeÏÂÔØ - c:\program files\uusee\geturltodown.htm
FireFox -: Profile - c:\documents and settings\jay\Application Data\Mozilla\Firefox\Profiles\f6egmqgd.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.tdk-gaming.co.uk/
FF -: plugin - c:\documents and settings\jay\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_900\npoctoshape.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Picasa3\npPicasa2.dll
FF -: plugin - c:\program files\Google\Picasa3\npPicasa3.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF -: plugin - c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF -: plugin - c:\program files\Veetle\plugins\npVeetle.dll
FF -: plugin - c:\program files\Veetle\VLC\npvlc.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 21:59:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2704)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Kontiki\KService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-12-06 22:09:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 22:09:29
ComboFix2.txt 2007-05-10 10

26

Pre-Run: 41,682,640,896 bytes free
Post-Run: 41,777,299,456 bytes free

365 --- E O F --- 2008-11-13 14:55:54

tetonbob · 12-06-2008, 05:56 PM

Looks better.

P2P - I see you have P2P software ( eMule, µTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

http://www.techsupportforum.com/secu...e-sharing.html

I would strongly recommend that you uninstall these. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on Settings. Uncheck Mail databases.
Next, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?

tetonbob · 12-12-2008, 05:58 PM

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

jason@jason859. · 12-14-2008, 05:22 PM

http://www.techsupportforum.com/secu...infection.html

To Tentonbob Sorry About Not Gettin Back With My Report From Kaspesky I Have So Busy At Work And The Scan Takes So Long That I Just Have Not Had The Time To Run Scan And Post It. Really Sorry Thanks For Your Help With My Pc Prob Bob You Have Yourself A Merry Xmas And To All The Guys At The Forum Thanks For Everything We Would Be Lost Without You Guys Help . Merry Christmas One And All . Jason

tetonbob · 12-14-2008, 07:16 PM

Run the scan, post the logs so we can complete your cleansing and I can issue final instructions.

jason@jason859. · 12-15-2008, 10:47 AM

ok bob here is my kaspersky log at long last thanks again mate,

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 14, 2008 20:58:20
Records in database: 1461208
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
N:\
Scan statistics
Files scanned 124625
Threat name 4
Infected objects 6
Suspicious objects 0
Duration of the scan 07:38:49

File name Threat name Threats count
C:\Documents and Settings\jay\Desktop\PROG CUTS\zaasSetup_70_462_000_en.exe Infected: Trojan.Win32.Agent.avcx 1
C:\Documents and Settings\jay\Local Settings\Application Data\Identities\{DB1C8295-3C63-44D0-8354-039F955731D2}\Microsoft\Outlook Express\ANYOTHERITEMS.dbx Infected: Trojan-Spy.HTML.Bayfraud.ma 1
C:\Documents and Settings\jay\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Inbox\ANYOTHERITEMS\202C5713-00000032.eml Infected: Trojan-Spy.HTML.Bayfraud.ma 1
C:\Program Files\Orange\OBar\orange3setup.exe Infected: not-a-virus:AdWare.Win32.BHO.ahy 1
C:\Program Files\Orange\setup\Orange_icons.EXE Infected: not-a-virus:AdWare.Win32.BHO.ahy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.VB.hfs 1
The selected area was scanned.

tetonbob · 12-15-2008, 11:14 AM

Cheers, Jason

Can you tell me what this installer file is for? Is it for ZoneAlarm Antispy/Security Suite?

C:\Documents and Settings\jay\Desktop\PROG CUTS\zaasSetup_70_462_000_en.exe

Did you download it from Checkpoint/ZoneAlarm's site? It seems it would be a false positive detection if so. I just downloaded the file from ZA, and scanned it at VirusTotal. Results seem to confirm it's a false positive find by Kaspersky.

http://www.virustotal.com/analisis/9...6729180f4155f7

You can ignore it, but if you don't need it any longer, might as well delete it.

The Orange items found, we can ignore.

Also, Kaspersky has shown infection in your email clients, Outlook Express and Windows Live Mail, in the ANYOTHERITEMS folder.

Unfortunately, Kaspersky does not identify specific mails. Please review and delete any unrecognized mails. Be careful not to open any attachments or click on any links while doing so.

Other than that....if there are no remaining issues...

The other items by Kasperksky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

jason@jason859. · 12-15-2008, 11:53 AM

bob done all that u said pc is running sweet as a nut as i said earlier thanks for your time and patience in this matter have a good xmas mate cheers jason

tetonbob · 12-15-2008, 12:17 PM

Cheers, Jason. Happy holidays to you as well.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.

12-05-2008, 06:25 AM	#1 (permalink)
jason@jason859. Registered User Join Date: Sep 2005 Posts: 41 OS: win xp	suspected infection ? hi guys wonder if there is any help available due to my pc becomin infected with i think is mailware not too sure what to do ive got my logs done , not too sure what info u guys require but any help would be ace thanks for time in this matter jason

12-06-2008, 11:49 AM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: suspected infection ? Please visit this webpage for download links, and instructions for running combofix: http://www.bleepingcomputer.com/comb...o-use-combofix * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please include the C:\ComboFix.txt in your next reply for further review. Also....once ComboFix is done... Please go to Start > Run and copy/paste the following, then press Enter: C:\QooBox\Add-Remove Programs.txt A text file should open. Please post the contents of that file in your next reply. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-06-2008, 05:56 PM	#5 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: suspected infection ? Looks better. P2P - I see you have P2P software ( eMule, µTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information. Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. Please see this topic for more information: http://www.techsupportforum.com/secu...e-sharing.html I would strongly recommend that you uninstall these. You can do so via Control Panel >> Add or Remove Programs. --------------------------------------------------------------------------------------------- Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop. Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications." Click the "Download" button to the right. Select the Windows platform from the dropdown menu. Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. --------------------------------------------------------------------------------------------- Please perform this online scan to help look for remnants Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner Note To optimize scanning time and produce a more sensible report for review: Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan. Click Accept, when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on Settings. Uncheck Mail databases. Next, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View scan report at the bottom. Click the Save Report As... button. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. --------------------------------------------------------------------------------------------- How is the machine behaving? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-12-2008, 05:58 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: suspected infection ? Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: http://www.techsupportforum.com/secu...oval-help.html __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-14-2008, 05:22 PM	#7 (permalink)
jason@jason859. Registered User Join Date: Sep 2005 Posts: 41 OS: win xp	Suspected Infection ? http://www.techsupportforum.com/secu...infection.html To Tentonbob Sorry About Not Gettin Back With My Report From Kaspesky I Have So Busy At Work And The Scan Takes So Long That I Just Have Not Had The Time To Run Scan And Post It. Really Sorry Thanks For Your Help With My Pc Prob Bob You Have Yourself A Merry Xmas And To All The Guys At The Forum Thanks For Everything We Would Be Lost Without You Guys Help . Merry Christmas One And All . Jason

12-14-2008, 07:16 PM	#8 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: Suspected Infection ? Run the scan, post the logs so we can complete your cleansing and I can issue final instructions. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-15-2008, 10:47 AM	#9 (permalink)
jason@jason859. Registered User Join Date: Sep 2005 Posts: 41 OS: win xp	Re: Suspected Infection ? ok bob here is my kaspersky log at long last thanks again mate, KASPERSKY ONLINE SCANNER 7 REPORT Monday, December 15, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Sunday, December 14, 2008 20:58:20 Records in database: 1461208 Scan settings Scan using the following database extended Scan archives yes Scan mail databases yes Scan area My Computer A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\ L:\ N:\ Scan statistics Files scanned 124625 Threat name 4 Infected objects 6 Suspicious objects 0 Duration of the scan 07:38:49 File name Threat name Threats count C:\Documents and Settings\jay\Desktop\PROG CUTS\zaasSetup_70_462_000_en.exe Infected: Trojan.Win32.Agent.avcx 1 C:\Documents and Settings\jay\Local Settings\Application Data\Identities\{DB1C8295-3C63-44D0-8354-039F955731D2}\Microsoft\Outlook Express\ANYOTHERITEMS.dbx Infected: Trojan-Spy.HTML.Bayfraud.ma 1 C:\Documents and Settings\jay\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Inbox\ANYOTHERITEMS\202C5713-00000032.eml Infected: Trojan-Spy.HTML.Bayfraud.ma 1 C:\Program Files\Orange\OBar\orange3setup.exe Infected: not-a-virus:AdWare.Win32.BHO.ahy 1 C:\Program Files\Orange\setup\Orange_icons.EXE Infected: not-a-virus:AdWare.Win32.BHO.ahy 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.VB.hfs 1 The selected area was scanned.

12-15-2008, 11:14 AM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: Suspected Infection ? Cheers, Jason Can you tell me what this installer file is for? Is it for ZoneAlarm Antispy/Security Suite? C:\Documents and Settings\jay\Desktop\PROG CUTS\zaasSetup_70_462_000_en.exe Did you download it from Checkpoint/ZoneAlarm's site? It seems it would be a false positive detection if so. I just downloaded the file from ZA, and scanned it at VirusTotal. Results seem to confirm it's a false positive find by Kaspersky. http://www.virustotal.com/analisis/9...6729180f4155f7 You can ignore it, but if you don't need it any longer, might as well delete it. The Orange items found, we can ignore. Also, Kaspersky has shown infection in your email clients, Outlook Express and Windows Live Mail, in the ANYOTHERITEMS folder. Unfortunately, Kaspersky does not identify specific mails. Please review and delete any unrecognized mails. Be careful not to open any attachments or click on any links while doing so. Other than that....if there are no remaining issues... The other items by Kasperksky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles How did I get infected in the first place? PC Safety and Security--What Do I Need? If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

12-15-2008, 11:53 AM	#11 (permalink)
jason@jason859. Registered User Join Date: Sep 2005 Posts: 41 OS: win xp	Re: Suspected Infection ? bob done all that u said pc is running sweet as a nut as i said earlier thanks for your time and patience in this matter have a good xmas mate cheers jason

12-15-2008, 12:17 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,444 OS: 2000 Pro; XP Pro; XP Home	Re: Suspected Infection ? Cheers, Jason. Happy holidays to you as well. Surf Safely, and Think Prevention! Since this issue is resolved, this topic will be archived. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009