Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

User Tag List

XP Internet Security 2012 Firewall Alert

This is a discussion on XP Internet Security 2012 Firewall Alert within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hello. Two days ago I got the virus XP Internet Security 2012 Firewall Alert. It does not let me open


 
 
Thread Tools Search this Thread
Old 06-22-2011, 03:38 PM   #1
Registered Member
 
Join Date: Jun 2011
Posts: 8
OS: xp



Hello.

Two days ago I got the virus XP Internet Security 2012 Firewall Alert. It does not let me open any file/folder/browser. When I try to google how to remove it, it redirects me to different websites. Please help!!!!!Also, it does not let me attach files.

Thank You!!!

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by user at 17:52:28 on 2011-06-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.498 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\system32\taskmgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SetupName] c:\docume~1\user\applic~1\jugsch~1\deleteaxis.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ttool] c:\windows\essledv.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [3365658722] c:\documents and settings\networkservice\local settings\application data\pma.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [cleanddm] %APPDATA%\cleanddm.exe
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: gamecolony.com
Trusted Zone: gamecolony.com\secure
Trusted Zone: gamecolony.com\secure2
Trusted Zone: gamecolony.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} - hxxp://rockyou.com/RockYouImageUploader.cab
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
TCP: Interfaces\{44E45E7D-1C73-403C-A237-A781A327FA49} : DhcpNameServer = 167.206.254.2 167.206.254.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 184.95.59.211 Google
Hosts: 184.95.59.212 search.yahoo.com
Hosts: 184.95.59.212 Bing
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\3chxq8dc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=2849fb85-1fa8-47da-a008-19ebdc778561&apn_ptnrs=FM&apn_sauid=E114FAE2-E7E5-4F35-9487-46FB1CC1734C&apn_dtid=TES002Z1US&q=
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\3chxq8dc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\3chxq8dc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\3chxq8dc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\3chxq8dc.default\extensions\[email protected]\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\[email protected]\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-21 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-21 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-21 108552]
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [2009-1-23 64480]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-21 297752]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-8-27 540776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-26 88176]
R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-8-27 256096]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-8-27 144960]
R2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-8-27 643664]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-7 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-8-27 71496]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-8-27 34184]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-8-27 171400]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-8-27 37480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2010-10-26 947528]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-8-27 32008]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice\local settings\application data\pma.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-06-21 01:16:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-21 01:16:40 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-21 01:13:51 0 ----a-w- c:\windows\Fquwodoruvozera.bin
2011-06-21 01:13:50 -------- d-----w- c:\documents and settings\user\local settings\application data\{F4F09E96-D934-4356-970A-102457012334}
2011-06-21 01:12:11 -------- d-----w- c:\documents and settings\user\application data\0FD8F87742ED621DCF79B08E1F2CF860
2011-06-17 12:51:57 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 14:16:49 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-05-24 14:50:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD1600JS-08NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A1564D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a15c7d0]; MOV EAX, [0x8a15c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A20EAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A1B5780]
\Driver\atapi[0x8A1BC310] -> IRP_MJ_CREATE -> 0x8A1564D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A15631B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:56:38.71 ===============
lilbrat0326 is offline  
Sponsored Links
Advertisement
 
Old 06-24-2011, 01:38 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

If necessary, download the file to USB drive on another computer.
  • Download EXE File Association Fix and Save it to your Desktop.
  • Extract the reg file then double-click xp_exe_fix.reg
  • Answer 'Yes' to merge/add it to the registry.
  • Click 'OK'.
  • X out of the window.
------------------------------------------------------

Quote:
Also, it does not let me attach files.
Simply post the Attach.txt and gmer logs like you did with DDS.txt.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-26-2011, 05:40 PM   #3
Registered Member
 
Join Date: Jun 2011
Posts: 8
OS: xp



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/23/2007 6:39:07 PM
System Uptime: 6/22/2011 5:18:54 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0M3918
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 110.536 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: TI Technologies Inc.
Description: RADEON X300 Series Secondary
Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_03031002&REV_00\4&166AB6CD&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON X300 Series Secondary
PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_03031002&REV_00\4&166AB6CD&0&0108
Service: ati2mtag
.
==== System Restore Points ===================
.
RP1201: 3/23/2011 1:27:00 PM - System Checkpoint
RP1202: 3/24/2011 10:39:37 AM - Software Distribution Service 3.0
RP1203: 3/25/2011 8:22:19 PM - System Checkpoint
RP1204: 3/27/2011 11:09:20 AM - System Checkpoint
RP1205: 3/28/2011 8:22:15 PM - System Checkpoint
RP1206: 3/30/2011 6:13:32 PM - System Checkpoint
RP1207: 4/1/2011 12:49:53 AM - Installed Rosetta Stone V3.
RP1208: 4/2/2011 11:40:37 AM - System Checkpoint
RP1209: 4/3/2011 9:43:37 PM - System Checkpoint
RP1210: 4/5/2011 4:25:50 PM - System Checkpoint
RP1211: 4/6/2011 4:51:56 PM - System Checkpoint
RP1212: 4/7/2011 7:19:50 PM - System Checkpoint
RP1213: 4/8/2011 7:23:57 PM - System Checkpoint
RP1214: 4/9/2011 7:47:46 PM - System Checkpoint
RP1215: 4/10/2011 9:21:13 PM - System Checkpoint
RP1216: 4/12/2011 7:02:11 AM - System Checkpoint
RP1217: 4/13/2011 2:30:54 PM - System Checkpoint
RP1218: 4/14/2011 7:35:15 PM - System Checkpoint
RP1219: 4/15/2011 10:00:30 AM - Software Distribution Service 3.0
RP1220: 4/16/2011 11:10:09 AM - System Checkpoint
RP1221: 4/17/2011 12:59:30 PM - System Checkpoint
RP1222: 4/18/2011 1:52:21 PM - System Checkpoint
RP1223: 4/19/2011 4:43:46 PM - System Checkpoint
RP1224: 4/21/2011 12:44:25 PM - System Checkpoint
RP1225: 4/22/2011 8:44:49 AM - Software Distribution Service 3.0
RP1226: 4/23/2011 12:02:21 PM - System Checkpoint
RP1227: 4/24/2011 12:15:37 PM - System Checkpoint
RP1228: 4/26/2011 3:01:03 PM - System Checkpoint
RP1229: 4/27/2011 3:45:14 PM - System Checkpoint
RP1230: 4/28/2011 11:16:55 AM - Software Distribution Service 3.0
RP1231: 4/29/2011 7:10:22 PM - System Checkpoint
RP1232: 4/30/2011 7:40:36 PM - System Checkpoint
RP1233: 5/1/2011 9:50:46 PM - System Checkpoint
RP1234: 5/2/2011 9:57:32 PM - System Checkpoint
RP1235: 5/3/2011 10:29:20 PM - System Checkpoint
RP1236: 5/4/2011 11:23:21 PM - System Checkpoint
RP1237: 5/6/2011 6:05:21 PM - System Checkpoint
RP1238: 5/7/2011 7:17:12 PM - System Checkpoint
RP1239: 5/8/2011 10:04:11 PM - System Checkpoint
RP1240: 5/9/2011 10:22:25 PM - System Checkpoint
RP1241: 5/11/2011 10:35:57 AM - System Checkpoint
RP1242: 5/12/2011 10:32:11 AM - Software Distribution Service 3.0
RP1243: 5/13/2011 5:55:08 PM - System Checkpoint
RP1244: 5/14/2011 9:05:05 PM - System Checkpoint
RP1245: 5/15/2011 3:00:15 AM - Software Distribution Service 3.0
RP1246: 5/16/2011 10:45:35 AM - System Checkpoint
RP1247: 5/17/2011 4:27:29 PM - System Checkpoint
RP1248: 5/18/2011 6:23:19 PM - System Checkpoint
RP1249: 5/20/2011 12:49:28 AM - System Checkpoint
RP1250: 5/21/2011 12:05:07 PM - System Checkpoint
RP1251: 5/22/2011 9:00:01 PM - System Checkpoint
RP1252: 5/24/2011 11:49:20 AM - System Checkpoint
RP1253: 5/25/2011 12:11:07 PM - System Checkpoint
RP1254: 5/26/2011 2:01:28 PM - System Checkpoint
RP1255: 5/27/2011 7:44:15 PM - System Checkpoint
RP1256: 5/29/2011 9:01:36 PM - System Checkpoint
RP1257: 5/31/2011 3:04:06 PM - System Checkpoint
RP1258: 6/1/2011 3:05:47 PM - System Checkpoint
RP1259: 6/2/2011 3:50:32 PM - System Checkpoint
RP1260: 6/3/2011 7:55:49 PM - System Checkpoint
RP1261: 6/4/2011 8:29:43 PM - System Checkpoint
RP1262: 6/6/2011 6:36:18 PM - System Checkpoint
RP1263: 6/8/2011 10:28:26 AM - System Checkpoint
RP1264: 6/9/2011 11:35:18 AM - System Checkpoint
RP1265: 6/10/2011 9:21:31 PM - System Checkpoint
RP1266: 6/12/2011 8:32:23 PM - System Checkpoint
RP1267: 6/14/2011 10:50:41 AM - System Checkpoint
RP1268: 6/16/2011 10:40:18 AM - System Checkpoint
RP1269: 6/17/2011 8:46:14 AM - Software Distribution Service 3.0
RP1270: 6/19/2011 4:18:06 PM - System Checkpoint
RP1271: 6/20/2011 6:00:11 PM - System Checkpoint
RP1272: 6/20/2011 9:15:28 PM - Restore Operation
RP1273: 6/21/2011 12:33:35 PM - Restore Operation
.
==== Installed Programs ======================
.
µTorrent
ABBYY FineReader 5.0 Sprint
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.1
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AIM 7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG 8.5
Bonjour
Camera Access Library
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Compatibility Pack for the 2007 Office system
Conduit Engine
Dell AIO Printer A920
Download Updater (AOL LLC)
FaxTools
FrostWire 4.21.5
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Illustrated Study Guide for the NCLEX-RN® Exam, 7th edition
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Juniper Networks Secure Application Manager
Juniper Terminal Services Client
LG PC Suite II
LG USB Modem driver
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MovieEdit Task
Mozilla Firefox 4.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero Suite
Norton Security Scan
PhotoStitch
PowerDVD
QuickTime
RAW Image Task 2.2
Roll
Saunders NCLEX-RN4e
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
SUPERAntiSpyware Free Edition
Tutor
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
uTorrentBar Toolbar
VC80CRTRedist - 8.0.50727.762
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
VLC media player 1.1.9
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
6/22/2011 3:59:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/21/2011 12:59:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/21/2011 12:59:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/21/2011 12:55:35 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
6/21/2011 1:25:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm SASDIFSV SASKUTIL
6/21/2011 1:24:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee HackerWatch Service with arguments "" in order to run the server: {36C29AB6-FF73-4F74-A2D1-C5C09B54E5C9}
6/21/2011 1:01:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
6/21/2011 1:01:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
6/21/2011 1:00:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MPFP MRxSmb NEOFLTR_630_13881 NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
6/21/2011 1:00:18 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 1:00:18 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 1:00:18 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 1:00:18 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 1:00:18 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/21/2011 1:00:17 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/19/2011 3:36:36 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/19/2011 3:33:58 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No more results can be returned by WSALookupServiceNext. (0x80072776)
6/17/2011 9:23:49 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
6/17/2011 8:51:58 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
6/17/2011 8:51:58 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgclitx.dll. Reference error message: The operation completed successfully. .
6/17/2011 8:51:58 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
.
==== End Of File ===========================


GMER 1.0.15.15640 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-22 18:36:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD1600JS-08NCB1 rev.10.02E01
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kwtoaaob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9EEB28BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0x9EEB283B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9EEB28E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x9EEB284F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x9EEB287B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9EEB290F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0x9EEB2827]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x9EEB28CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x9EEB2865]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0x9EEB2891]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x9EEB28A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9EEB2925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9EEB28F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515AB2 7 Bytes JMP 9EEB28FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80572BDF 5 Bytes JMP 9EEB282B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 80573DFB 5 Bytes JMP 9EEB28BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80578AB4 5 Bytes JMP 9EEB283F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057A7A9 5 Bytes JMP 9EEB2929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057AC21 7 Bytes JMP 9EEB2913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057F56B 7 Bytes JMP 9EEB28D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80580088 7 Bytes JMP 9EEB2895 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E8B1 5 Bytes JMP 9EEB28AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 805991E8 7 Bytes JMP 9EEB287F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 8059A5C9 7 Bytes JMP 9EEB2853 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805C7A4D 5 Bytes JMP 9EEB28E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8065684C 7 Bytes JMP 9EEB2869 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xB92FF760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8B7DF80]
? C:\DOCUME~1\user\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014A000A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014A0F92
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014A0087
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014A0FB9
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014A0076
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014A0FE5
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014A0F6B
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014A00B3
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014A0F3F
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014A00CE
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014A0F24
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 014A0FD4
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 014A0025
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 014A00A2
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 014A0051
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 014A0040
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014A0F50
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0149002C
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01490F79
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0149001B
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0149000A
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01490F8A
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01490FE5
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01490FA5
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [69, 89]
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01490FB6
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01240FA4
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 01240FB5
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01240FD7
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01240000
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01240FC6
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wopen 77C30055 3 Bytes JMP 01240011
.text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wopen + 4 77C30059 1 Byte [89]
.text C:\WINDOWS\system32\services.exe[776] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01220000
.text C:\WINDOWS\system32\services.exe[776] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0122001B
.text C:\WINDOWS\system32\services.exe[776] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01220FDB
.text C:\WINDOWS\system32\services.exe[776] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 0122002C
.text C:\WINDOWS\system32\services.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01230FE5
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E0073
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E0062
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E0F94
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E0FA5
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E0047
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E00B5
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E008E
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E00F2
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E00E1
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010E0117
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E0FC0
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010E0FDB
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010E0F63
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E002C
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010E0011
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010E00D0
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010D0FB2
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010D0028
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010D0FC3
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010D0FD4
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010D0F6B
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 010D0F86
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [2D, 89]
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010D0F97
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 010C0FC3
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 010C004E
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 010C0FDE
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 010C0FEF
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 010C0029
.text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 010C0018
.text C:\WINDOWS\system32\lsass.exe[788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 010B0000
.text C:\WINDOWS\system32\lsass.exe[788] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 010A0000
.text C:\WINDOWS\system32\lsass.exe[788] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 010A0FDB
.text C:\WINDOWS\system32\lsass.exe[788] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 010A0011
.text C:\WINDOWS\system32\lsass.exe[788] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 010A0FC0
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F57
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00F68
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00F79
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00036
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00FAF
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00078
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00067
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000AE
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F15
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F00EFA
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00F9E
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F3C
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F00FC0
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00089
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0FCA
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF006C
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0051
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EF0FAF
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0F, 89]
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF002C
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0F97
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE002C
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FBC
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0011
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0FE3
.text C:\WINDOWS\system32\svchost.exe[980] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[980] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\svchost.exe[980] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EC0FCD
.text C:\WINDOWS\system32\svchost.exe[980] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00EC0FBC
.text C:\WINDOWS\system32\svchost.exe[980] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0FE5
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011C0000
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011C0089
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011C0F8A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011C0064
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011C0F9B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011C003D
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011C00BC
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011C00AB
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011C0F48
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011C00E1
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011C0F37
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011C0FAC
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011C0011
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011C009A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011C0FDB
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011C002C
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011C0F59
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011B0011
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011B0036
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011B0000
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011B0FD4
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011B0F79
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011B0FEF
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 011B0F8A
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [3B, 89]
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011B0FAF
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011A0F9A
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 011A0025
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011A0FB5
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011A0FE3
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011A000A
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011A0FD2
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01190000
.text C:\WINDOWS\System32\svchost.exe[1160] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\System32\svchost.exe[1160] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\System32\svchost.exe[1160] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E2000C
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E2000A
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02E2004C
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02E20F57
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E20F72
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02E20F83
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02E20FB9
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02E20F1F
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02E20F3C
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02E20EDF
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02E20082
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02E20EC4
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02E20F9E
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02E2001B
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02E20067
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02E20FD4
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02E20FE5
.text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02E20EFA
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02E1002C
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02E10F83
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02E10011
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02E10FE5
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02E10F9E
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02E10000
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02E10FAF
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [01, 8B]
.text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02E10FC0
.text C:\WINDOWS\System32\svchost.exe[1160] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01A3000A
.text C:\WINDOWS\System32\svchost.exe[1160] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 01A4000A
.text C:\WINDOWS\System32\svchost.exe[1160] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 01A5000A
.text C:\WINDOWS\System32\svchost.exe[1160] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01A2000A
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02E00042
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 02E00FB7
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02E0000C
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02E00FEF
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02E00031
.text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02E00FD2
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02DE000A
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02DE0FE5
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02DE001B
.text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 02DE0FCA
.text C:\WINDOWS\System32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02DF000A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D1006F
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F7A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10054
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10039
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10F97
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100AC
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D1009B
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F3F
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D100D8
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D100F3
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D1001E
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D1008A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FB2
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D100C7
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00FAF
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D0003D
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00F8A
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D00022
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0FAD
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0038
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0FD2
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0027
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF000C
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CD0FD4
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CD0FC3
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00CD0014
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E60071
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E60060
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E60F86
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60039
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E60FB2
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E60F50
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E6008C
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E60F1A
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E600B3
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E60EF5
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E60FA1
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E60F61
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E60014
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E60F35
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E50FCA
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E50054
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E50011
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E50F8D
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E50FA8
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [05, 89]
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E50FB9
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40053
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40042
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40FE3
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40FD2
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40011
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E20FDE
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00E20025
.text C:\WINDOWS\system32\svchost.exe[1340] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40051
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40F5C
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40F79
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40F37
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E4007D
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E400C6
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E400AB
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E400E1
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E40F9E
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E4006C
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E40FC0
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E4009A
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E3002C
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E30F8A
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E30FDB
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E30011
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E30F9B
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E30FAC
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [03, 89]
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E3003D
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E20F84
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E20F9F
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E20FC1
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E20FB0
.text C:\WINDOWS\system32\svchost.exe[1872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E20FDE
.text C:\WINDOWS\system32\svchost.exe[1872] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\svchost.exe[1872] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E00FDE
.text C:\WINDOWS\system32\svchost.exe[1872] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E0001E
.text C:\WINDOWS\system32\svchost.exe[1872] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00E0002F
.text C:\WINDOWS\system32\svchost.exe[1872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\Explorer.EXE[2044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[2044] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[2044] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011D0FEF
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011D005B
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011D0F66
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011D0F77
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011D0F94
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011D0025
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011D00A2
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011D0091
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011D0F24
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011D00BD
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011D00CE
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011D0036
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011D000A
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011D0080
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011D0FB9
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011D0FD4
.text C:\WINDOWS\Explorer.EXE[2044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011D0F3F
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011C0FB9
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011C0F8D
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011C0FCA
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011C000A
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011C004A
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011C0FEF
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011C0039
.text C:\WINDOWS\Explorer.EXE[2044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011C0FA8
.text C:\WINDOWS\Explorer.EXE[2044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011B0FA3
.text C:\WINDOWS\Explorer.EXE[2044] msvcrt.dll!system 77C293C7 5 Bytes JMP 011B002E
.text C:\WINDOWS\Explorer.EXE[2044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011B0FD2
.text C:\WINDOWS\Explorer.EXE[2044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011B0FEF
.text C:\WINDOWS\Explorer.EXE[2044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011B001D
.text C:\WINDOWS\Explorer.EXE[2044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011B000C
.text C:\WINDOWS\Explorer.EXE[2044] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01190000
.text C:\WINDOWS\Explorer.EXE[2044] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0119001B
.text C:\WINDOWS\Explorer.EXE[2044] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0119002C
.text C:\WINDOWS\Explorer.EXE[2044] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 0119003D
.text C:\WINDOWS\Explorer.EXE[2044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30F70
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30065
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E30F8D
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30F9E
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30036
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E30F3F
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30091
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E30F13
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E300AC
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E30EF8
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E30FB9
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E30080
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E30025
.text C:\WINDOWS\system32\svchost.exe[2264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E30F2E
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E2001B
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20062
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20047
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E20FAF
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [02, 89]
.text C:\WINDOWS\system32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E2002C
.text C:\WINDOWS\system32\svchost.exe[2264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E10FC1
.text C:\WINDOWS\system32\svchost.exe[2264] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E1004C
.text C:\WINDOWS\system32\svchost.exe[2264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E10016
.text C:\WINDOWS\system32\svchost.exe[2264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\svchost.exe[2264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E10031
.text C:\WINDOWS\system32\svchost.exe[2264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E10FD2
.text C:\WINDOWS\system32\svchost.exe[2264] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E00000
.text C:\WINDOWS\system32\svchost.exe[2264] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E00025
.text C:\WINDOWS\system32\svchost.exe[2264] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\svchost.exe[2264] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00E00036
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01F80FEF
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01F80069
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01F80058
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01F80047
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01F80036
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01F8000A
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01F80084
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01F80F48
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01F80F06
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01F80F17
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01F80EF5
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01F80025
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01F80FD4
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01F80F59
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01F80F9E
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01F80FB9
.text C:\Program Files\Messenger\msmsgs.exe[2720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01F80095
.text C:\Program Files\Messenger\msmsgs.exe[2720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01F60FA4
.text C:\Program Files\Messenger\msmsgs.exe[2720] msvcrt.dll!system 77C293C7 5 Bytes JMP 01F60FB5
.text C:\Program Files\Messenger\msmsgs.exe[2720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01F60FC6
.text C:\Program Files\Messenger\msmsgs.exe[2720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01F60FEF
.text C:\Program Files\Messenger\msmsgs.exe[2720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01F60025
.text C:\Program Files\Messenger\msmsgs.exe[2720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01F60000
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01F7002C
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01F70F94
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01F70011
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01F70000
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01F70051
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01F70FEF
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01F70FA5
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [17, 8A]
.text C:\Program Files\Messenger\msmsgs.exe[2720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01F70FC0
.text C:\Program Files\Messenger\msmsgs.exe[2720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01F50FEF
.text C:\Program Files\Messenger\msmsgs.exe[2720] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2720] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF0FD4
.text C:\Program Files\Messenger\msmsgs.exe[2720] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FC3
.text C:\Program Files\Messenger\msmsgs.exe[2720] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00FF0014
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2840] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2840] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2840] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2840] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01E0000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01E1000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01DF000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_630_13881.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_630_13881.SYS (NetBIOS Redirector/Juniper Networks)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A15631B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A15631B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A15631B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A15631B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-17 8A15631B

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_630_13881.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_630_13881.SYS (NetBIOS Redirector/Juniper Networks)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt 976 bytes
File C:\Documents and Settings\NetworkService\Cookies\[email protected][3].txt 115 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5OVK4HYI\imp[1].txt 0 bytes

---- EOF - GMER 1.0.15 ----
lilbrat0326 is offline  
Sponsored Links
Advertisement
 
Old 06-26-2011, 05:55 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello lilbrat0326.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

You will have to uninstall AVG in order to run ComboFix, as AVG targets ComboFix's embedded files and prevents ComboFix from running.

Uninstall AVG via Add or Remove Programs in your Control Panel, then reboot.

If ComboFix still detects AVG after uninstalling AVG and rebooting, try removing AVG remnants with AppRemover:

Please download AppRemover and Save it to your Desktop.
  • Double-click AppRemover.exe and follow the prompt to run it then click 'Next'.
  • Vista/Win7 users, right-click and choose 'Run as administrator'.
  • Under 'Select Removal Type' select 'Cleanup a Failed Uninstall' then click 'Next'.
  • Once the scan is complete, follow the on-screen instructions to remove remnants of AVG.
  • Reboot your computer if not prompted already.
------------------------------------------------------

If ComboFix still detects AVG, stop and let me know.

------------------------------------------------------

If necessary, download ComboFix and the Microsoft file to a USB drive on another computer and transfer the files to your desktop.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download Details - Microsoft Download Center - Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Do not be concerned that this file is for SP2 if you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-27-2011, 06:04 PM   #5
Registered Member
 
Join Date: Jun 2011
Posts: 8
OS: xp



In the middle of the scanning, ComboFix told me that McAfee was still running and it may interfere with the scan but I was not able to turn it off. Also, it told me that the following file was not able to be scanned/opened C:\32788R22FWJFW/NirCmd.cfxxe.

ComboFix 11-06-27.01 - user 06/27/2011 20:22:58.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.841 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\sysReserve.ini
c:\documents and settings\user\Application Data\0FD8F87742ED621DCF79B08E1F2CF860
c:\documents and settings\user\Application Data\0FD8F87742ED621DCF79B08E1F2CF860\enemies-names.txt
c:\documents and settings\user\Application Data\0FD8F87742ED621DCF79B08E1F2CF860\lsrslt.ini
c:\documents and settings\user\Application Data\PriceGong
c:\documents and settings\user\Application Data\PriceGong\Data\1.xml
c:\documents and settings\user\Application Data\PriceGong\Data\a.xml
c:\documents and settings\user\Application Data\PriceGong\Data\b.xml
c:\documents and settings\user\Application Data\PriceGong\Data\c.xml
c:\documents and settings\user\Application Data\PriceGong\Data\d.xml
c:\documents and settings\user\Application Data\PriceGong\Data\e.xml
c:\documents and settings\user\Application Data\PriceGong\Data\f.xml
c:\documents and settings\user\Application Data\PriceGong\Data\g.xml
c:\documents and settings\user\Application Data\PriceGong\Data\h.xml
c:\documents and settings\user\Application Data\PriceGong\Data\i.xml
c:\documents and settings\user\Application Data\PriceGong\Data\J.xml
c:\documents and settings\user\Application Data\PriceGong\Data\k.xml
c:\documents and settings\user\Application Data\PriceGong\Data\l.xml
c:\documents and settings\user\Application Data\PriceGong\Data\m.xml
c:\documents and settings\user\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\user\Application Data\PriceGong\Data\n.xml
c:\documents and settings\user\Application Data\PriceGong\Data\o.xml
c:\documents and settings\user\Application Data\PriceGong\Data\p.xml
c:\documents and settings\user\Application Data\PriceGong\Data\q.xml
c:\documents and settings\user\Application Data\PriceGong\Data\r.xml
c:\documents and settings\user\Application Data\PriceGong\Data\s.xml
c:\documents and settings\user\Application Data\PriceGong\Data\t.xml
c:\documents and settings\user\Application Data\PriceGong\Data\u.xml
c:\documents and settings\user\Application Data\PriceGong\Data\v.xml
c:\documents and settings\user\Application Data\PriceGong\Data\w.xml
c:\documents and settings\user\Application Data\PriceGong\Data\x.xml
c:\documents and settings\user\Application Data\PriceGong\Data\y.xml
c:\documents and settings\user\Application Data\PriceGong\Data\z.xml
c:\documents and settings\user\WINDOWS
C:\drvrtmp
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-28 )))))))))))))))))))))))))))))))
.
.
2011-06-28 00:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-06-28 00:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-06-28 00:10 . 2011-06-28 00:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-28 00:10 . 2011-06-28 00:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-28 00:09 . 2011-06-28 00:09 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-06-28 00:03 . 2011-06-28 00:09 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-06-21 17:36 . 2011-06-22 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-06-21 02:16 . 2011-06-21 02:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-06-21 01:28 . 2011-06-21 01:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-06-21 01:16 . 2011-06-21 01:16 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-21 01:13 . 2011-06-21 01:13 0 ----a-w- c:\windows\Fquwodoruvozera.bin
2011-06-21 01:13 . 2011-06-21 16:21 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{F4F09E96-D934-4356-970A-102457012334}
2011-06-17 12:51 . 2011-06-17 13:24 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 14:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-14 14:19 . 2011-05-24 14:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2007-08-23 22:35 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-12 13:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-12 13:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-12 13:57 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-12 14:01 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-05-07 16:04 . 2011-05-07 16:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 17:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-31 68856]
"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-31 68856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2010-11-7 189952]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-11-23 13:43 2001648 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [1/23/2009 3:51 AM 64480]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 9:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/26/2008 2:47 AM 88176]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/7/2007 1:58 AM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 1:54 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 1:54 PM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 7408]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:34]
.
2011-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 17:54]
.
2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-08-27 16:22]
.
2011-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-08-27 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: gamecolony.com
Trusted Zone: gamecolony.com\secure
Trusted Zone: gamecolony.com\secure2
Trusted Zone: gamecolony.com\www
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\3chxq8dc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6dc5f&v=7.005.030.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-SetupName - c:\docume~1\user\APPLIC~1\JUGSCH~1\deleteaxis.exe
HKLM-Run-cleanddm - c:\documents and settings\user\Application Data\cleanddm.exe
AddRemove-Illustrated Study Guide for the NCLEX-RN® Exam, 7th edition - c:\windows\Illustrated Study Guide for the NCLEX-RN® Exam
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-27 20:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD1600JS-08NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A15231B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-27 20:53:42
ComboFix-quarantined-files.txt 2011-06-28 00:53
.
Pre-Run: 123,166,810,112 bytes free
Post-Run: 123,493,904,384 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - DA6037771E745A553E1CA2F26A8031B5
lilbrat0326 is offline  
Old 06-27-2011, 06:35 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, lilbrat0326. How is the machine behaving?

------------------------------------------------------

Download TDSSKiller.exe and Save it to your Desktop.

Double-click TDSSKiller.exe then click 'Start scan'.

If no infection is found, click 'Close' twice and let me know.

If an infection is found, click 'Continue' to Cure the infection.

**Note: If you do not see the 'Cure' option, you MUST select 'Skip'.

**Note: If asked to re-write standard MS boot code, please choose 'Yes'.

Once the system scan is completed, click 'Reboot now'.

It will produce a log here > C:\TDSSKiller.2.5.5.0_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-28-2011, 07:21 AM   #7
Registered Member
 
Join Date: Jun 2011
Posts: 8
OS: xp



The XP Internet Security 2012 Firewall Alert window stopped popping up but as of yesterday the computer was still running significantly slower. Although, it does seem to be better this morning. Also, sometimes there is a new tab that opens up by itself with random websites. TDSSKiller.exe found an infection and this was the log it produced:

2011/06/28 10:08:48.0203 3808 TDSS rootkit removing tool 2.5.7.0 Jun 28 2011 13:21:55
2011/06/28 10:08:50.0203 3808 ================================================================================
2011/06/28 10:08:50.0203 3808 SystemInfo:
2011/06/28 10:08:50.0203 3808
2011/06/28 10:08:50.0203 3808 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/28 10:08:50.0203 3808 Product type: Workstation
2011/06/28 10:08:50.0203 3808 ComputerName: USER-20877A7DDE
2011/06/28 10:08:50.0203 3808 UserName: user
2011/06/28 10:08:50.0203 3808 Windows directory: C:\WINDOWS
2011/06/28 10:08:50.0203 3808 System windows directory: C:\WINDOWS
2011/06/28 10:08:50.0203 3808 Processor architecture: Intel x86
2011/06/28 10:08:50.0203 3808 Number of processors: 2
2011/06/28 10:08:50.0203 3808 Page size: 0x1000
2011/06/28 10:08:50.0203 3808 Boot type: Normal boot
2011/06/28 10:08:50.0203 3808 ================================================================================
2011/06/28 10:08:51.0421 3808 Initialize success
2011/06/28 10:09:07.0718 3152 ================================================================================
2011/06/28 10:09:07.0718 3152 Scan started
2011/06/28 10:09:07.0718 3152 Mode: Manual;
2011/06/28 10:09:07.0718 3152 ================================================================================
2011/06/28 10:09:08.0828 3152 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/28 10:09:08.0875 3152 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/06/28 10:09:08.0953 3152 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/28 10:09:09.0031 3152 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/06/28 10:09:09.0265 3152 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/28 10:09:09.0328 3152 atapi (f3a63c8899876708ee322278f8d210c4) C:\WINDOWS\system32\Drivers\tsk_atapi.sys
2011/06/28 10:09:09.0468 3152 ati2mtag (a7dd7088e2c987dbcb3f4d6d56f723bd) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/06/28 10:09:09.0546 3152 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/28 10:09:09.0593 3152 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/28 10:09:09.0656 3152 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/28 10:09:09.0828 3152 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/28 10:09:09.0875 3152 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/28 10:09:09.0937 3152 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/28 10:09:09.0984 3152 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/28 10:09:10.0140 3152 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/28 10:09:10.0171 3152 DM9102 (51ef6ca3d57055fed6ab99021d562443) C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS
2011/06/28 10:09:10.0234 3152 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/28 10:09:10.0296 3152 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/06/28 10:09:10.0312 3152 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/28 10:09:10.0359 3152 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/28 10:09:10.0406 3152 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/28 10:09:10.0468 3152 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/06/28 10:09:10.0531 3152 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/28 10:09:10.0562 3152 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/06/28 10:09:10.0625 3152 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/28 10:09:10.0656 3152 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/06/28 10:09:10.0734 3152 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/06/28 10:09:10.0750 3152 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/28 10:09:10.0812 3152 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/28 10:09:10.0859 3152 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/06/28 10:09:10.0953 3152 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/28 10:09:11.0015 3152 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/06/28 10:09:11.0093 3152 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/28 10:09:11.0187 3152 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/06/28 10:09:11.0218 3152 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/28 10:09:11.0328 3152 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/06/28 10:09:11.0453 3152 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/06/28 10:09:11.0531 3152 IntelC53 (de2686c0e012e6ae24acd6e79eb7ff5d) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/06/28 10:09:11.0609 3152 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/06/28 10:09:11.0656 3152 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/28 10:09:11.0687 3152 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/06/28 10:09:11.0718 3152 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/06/28 10:09:11.0765 3152 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/28 10:09:11.0812 3152 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/28 10:09:11.0875 3152 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/06/28 10:09:11.0906 3152 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/28 10:09:11.0937 3152 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/28 10:09:11.0968 3152 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/28 10:09:12.0000 3152 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/06/28 10:09:12.0031 3152 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/28 10:09:12.0109 3152 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/28 10:09:12.0250 3152 mfeavfk (452321943976f1ec781e738ecc4c20c6) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/06/28 10:09:12.0343 3152 mfebopk (3e9886c65cc655044babb6869b69e8a3) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/06/28 10:09:12.0421 3152 mfehidk (bb5a435cece63033f7c92158433bda01) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/06/28 10:09:12.0484 3152 mferkdk (4472cc5a38fb106751cb81883ae714d3) C:\WINDOWS\system32\drivers\mferkdk.sys
2011/06/28 10:09:12.0546 3152 mfesmfk (465e114b2d2dd7c79951f4a8e9fd9cd2) C:\WINDOWS\system32\drivers\mfesmfk.sys
2011/06/28 10:09:12.0640 3152 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/28 10:09:12.0671 3152 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/28 10:09:12.0718 3152 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/06/28 10:09:12.0765 3152 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/06/28 10:09:12.0796 3152 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/28 10:09:12.0843 3152 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/06/28 10:09:12.0875 3152 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/28 10:09:12.0921 3152 MPFP (b53a1134237a49a10352d5dd54bb2a54) C:\WINDOWS\system32\Drivers\Mpfp.sys
2011/06/28 10:09:12.0984 3152 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/28 10:09:13.0062 3152 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/28 10:09:13.0140 3152 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/28 10:09:13.0187 3152 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/28 10:09:13.0218 3152 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/28 10:09:13.0250 3152 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/28 10:09:13.0281 3152 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/28 10:09:13.0343 3152 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/28 10:09:13.0406 3152 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/28 10:09:13.0437 3152 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/28 10:09:13.0468 3152 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/28 10:09:13.0484 3152 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/28 10:09:13.0515 3152 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/28 10:09:13.0562 3152 NEOFLTR_630_13881 (a22aa82f9ffc11cf716857ca855a0b9f) C:\WINDOWS\system32\Drivers\NEOFLTR_630_13881.SYS
2011/06/28 10:09:13.0640 3152 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/28 10:09:13.0718 3152 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/28 10:09:13.0796 3152 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/28 10:09:13.0859 3152 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/28 10:09:13.0906 3152 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/28 10:09:13.0953 3152 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/28 10:09:13.0968 3152 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/28 10:09:14.0015 3152 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/28 10:09:14.0062 3152 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/28 10:09:14.0093 3152 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/28 10:09:14.0125 3152 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/28 10:09:14.0187 3152 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/06/28 10:09:14.0218 3152 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/06/28 10:09:14.0390 3152 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/28 10:09:14.0421 3152 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/28 10:09:14.0437 3152 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/28 10:09:14.0578 3152 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/28 10:09:14.0640 3152 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/28 10:09:14.0656 3152 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/28 10:09:14.0671 3152 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/28 10:09:14.0734 3152 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/28 10:09:14.0781 3152 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/28 10:09:14.0812 3152 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/28 10:09:14.0875 3152 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/28 10:09:14.0953 3152 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/06/28 10:09:15.0000 3152 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2011/06/28 10:09:15.0031 3152 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2011/06/28 10:09:15.0109 3152 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/28 10:09:15.0234 3152 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/06/28 10:09:15.0328 3152 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/28 10:09:15.0390 3152 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/28 10:09:15.0421 3152 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/28 10:09:15.0500 3152 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/06/28 10:09:15.0640 3152 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/28 10:09:15.0703 3152 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/28 10:09:15.0765 3152 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/28 10:09:15.0828 3152 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/28 10:09:15.0875 3152 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/28 10:09:16.0000 3152 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/28 10:09:16.0093 3152 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/28 10:09:16.0125 3152 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/28 10:09:16.0156 3152 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/28 10:09:16.0187 3152 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/28 10:09:16.0250 3152 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/28 10:09:16.0328 3152 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/28 10:09:16.0390 3152 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/06/28 10:09:16.0484 3152 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/28 10:09:16.0531 3152 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/06/28 10:09:16.0640 3152 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/28 10:09:16.0656 3152 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/28 10:09:16.0703 3152 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/06/28 10:09:16.0812 3152 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/06/28 10:09:16.0828 3152 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/06/28 10:09:16.0859 3152 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/28 10:09:16.0875 3152 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/28 10:09:16.0937 3152 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/28 10:09:17.0000 3152 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/28 10:09:17.0062 3152 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/28 10:09:17.0093 3152 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/28 10:09:17.0171 3152 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/06/28 10:09:17.0265 3152 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/06/28 10:09:17.0359 3152 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/28 10:09:17.0359 3152 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/28 10:09:17.0375 3152 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
2011/06/28 10:09:17.0390 3152 Boot (0x1200) (63269a094741f5c9a766bbeb836c9d9e) \Device\Harddisk0\DR0\Partition0
2011/06/28 10:09:17.0406 3152 Boot (0x1200) (3e35a4c57fdea4e9d97db80e86c075ca) \Device\Harddisk1\DR2\Partition0
2011/06/28 10:09:17.0421 3152 ================================================================================
2011/06/28 10:09:17.0421 3152 Scan finished
2011/06/28 10:09:17.0421 3152 ================================================================================
2011/06/28 10:09:17.0421 1320 Detected object count: 1
2011/06/28 10:09:17.0421 1320 Actual detected object count: 1
2011/06/28 10:09:54.0625 1320 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/28 10:09:54.0625 1320 \Device\Harddisk0\DR0 - ok
2011/06/28 10:09:54.0625 1320 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/06/28 10:10:09.0156 3972 Deinitialize success
lilbrat0326 is offline  
Old 06-28-2011, 01:19 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, lilbrat0326. How is the machine behaving since running TDSSKiller? Any remaining problems?

------------------------------------------------------

I noticed you have Ask Toolbar installed.

Please read this and decide if you want to keep it >> Current Practices of IAC/Ask Toolbars

You can uninstall it via Add or Remove Programs in your Control Panel.

If you decide to uninstall it, please delete the following Folder if it still exists:

C:\Program Files\Ask.com

------------------------------------------------------

I see you have P2P software ( uTorrent, FrostWire, and uTorrentBar Toolbar ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here and here.

I would strongly recommend that you uninstall them. You can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 21 can be updated from the Java Control Panel. Go Start > Control Panel(Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-29-2011, 06:18 PM   #9
Registered Member
 
Join Date: Jun 2011
Posts: 8
OS: xp



The computer seems to be working well. I removed the ask.com toolbar with Add/Remove Programs but it did not disappear from Mozilla Firefox for some reason. Here are the logs:

[email protected] as downloader log:
all ok
[email protected] as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
[email protected] as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=c90aa6c96059f0438d6fb4afec40c073
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-29 11:32:05
# local_time=2011-06-29 07:32:05 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776537 100 85 95494274 140329574 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=423
# found=0
# cleaned=0
# scan_time=24
[email protected] as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=c90aa6c96059f0438d6fb4afec40c073
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-30 0156
# local_time=2011-06-29 0956 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776533 100 85 95494337 140329637 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=83006
# found=9
# cleaned=0
# scan_time=5651
C:\Documents and Settings\user\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\user\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{753C383F-B29E-4B0E-8191-BE76EE486088} Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{93C9C96E-47C5-4B50-A551-EBEC1C9DBAFF} Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AF444ACE-43BC-45BE-AEC4-8C022AF71909} Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C4C080C1-F310-45A1-90CD-E656A72A0B29} Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\user\My Documents\Downloads\frostwire-4.21.5.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\0FD8F87742ED621DCF79B08E1F2CF860\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Temp\dhlgeq\setup.exe a variant of Win32/Injector.HFD trojan (unable to clean) 00000000000000000000000000000000 I


Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 6980

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2011 5:21:03 PM
mbam-log-2011-06-29 (17-21-03).txt

Scan type: Quick scan
Objects scanned: 192134
Time elapsed: 15 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\pma.exe" -a "") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\pma.exe" -a "") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\pma.exe" -a "") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\anna\my documents\downloads\myfuncards.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\documents and settings\user\my documents\downloads\VLCSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\ecfhgr\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
lilbrat0326 is offline  
Old 06-29-2011, 06:33 PM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, lilbrat0326. Qoobox is ComboFix's quarantine folder. It will get deleted when we uninstall ComboFix.

------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
File::
c:\windows\Fquwodoruvozera.bin
C:\Documents and Settings\user\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe
C:\Documents and Settings\user\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe
C:\Documents and Settings\user\My Documents\Downloads\frostwire-4.21.5.windows.exe

DelDomains::

Firefox::
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\3chxq8dc.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6dc5f&v=7.005.030.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

Folder::
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{753C383F-B29E-4B0E-8191-BE76EE486088}
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{93C9C96E-47C5-4B50-A551-EBEC1C9DBAFF}
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AF444ACE-43BC-45BE-AEC4-8C022AF71909}
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C4C080C1-F310-45A1-90CD-E656A72A0B29}
C:\WINDOWS\Temp\dhlgeq
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-30-2011, 07:02 AM   #11
Registered Member
 
Join Date: Jun 2011
Posts: 8
OS: xp



I got a pop up message while running combofix saying that my web server is temporarily inaccessible. It created a submission folder *C:\CF-submit.htm so I can manually upload it later. My internet was working the entire time though.

ComboFix 11-06-29.06 - user 06/30/2011 9:27.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.647 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
FILE ::
"c:\documents and settings\user\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe"
"c:\documents and settings\user\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe"
"c:\documents and settings\user\My Documents\Downloads\frostwire-4.21.5.windows.exe"
"c:\windows\Fquwodoruvozera.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe
c:\documents and settings\user\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe
c:\documents and settings\user\Application Data\PriceGong
c:\documents and settings\user\Application Data\PriceGong\Data\1.xml
c:\documents and settings\user\Application Data\PriceGong\Data\a.xml
c:\documents and settings\user\Application Data\PriceGong\Data\b.xml
c:\documents and settings\user\Application Data\PriceGong\Data\c.xml
c:\documents and settings\user\Application Data\PriceGong\Data\d.xml
c:\documents and settings\user\Application Data\PriceGong\Data\e.xml
c:\documents and settings\user\Application Data\PriceGong\Data\f.xml
c:\documents and settings\user\Application Data\PriceGong\Data\g.xml
c:\documents and settings\user\Application Data\PriceGong\Data\h.xml
c:\documents and settings\user\Application Data\PriceGong\Data\i.xml
c:\documents and settings\user\Application Data\PriceGong\Data\j.xml
c:\documents and settings\user\Application Data\PriceGong\Data\k.xml
c:\documents and settings\user\Application Data\PriceGong\Data\l.xml
c:\documents and settings\user\Application Data\PriceGong\Data\m.xml
c:\documents and settings\user\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\user\Application Data\PriceGong\Data\n.xml
c:\documents and settings\user\Application Data\PriceGong\Data\o.xml
c:\documents and settings\user\Application Data\PriceGong\Data\p.xml
c:\documents and settings\user\Application Data\PriceGong\Data\q.xml
c:\documents and settings\user\Application Data\PriceGong\Data\r.xml
c:\documents and settings\user\Application Data\PriceGong\Data\s.xml
c:\documents and settings\user\Application Data\PriceGong\Data\t.xml
c:\documents and settings\user\Application Data\PriceGong\Data\u.xml
c:\documents and settings\user\Application Data\PriceGong\Data\v.xml
c:\documents and settings\user\Application Data\PriceGong\Data\w.xml
c:\documents and settings\user\Application Data\PriceGong\Data\x.xml
c:\documents and settings\user\Application Data\PriceGong\Data\y.xml
c:\documents and settings\user\Application Data\PriceGong\Data\z.xml
c:\documents and settings\user\My Documents\Downloads\frostwire-4.21.5.windows.exe
c:\windows\Fquwodoruvozera.bin
c:\windows\Temp\dhlgeq
c:\windows\Temp\dhlgeq\setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))
.
.
2011-06-29 20:59 . 2011-06-29 20:59 -------- d-----w- c:\program files\ESET
2011-06-29 20:53 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-29 20:52 . 2011-06-29 20:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-29 20:52 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-28 14:09 . 2011-06-28 14:09 34816 ----a-w- c:\windows\system32\btwdiw32.dll
2011-06-28 14:09 . 2011-06-28 14:09 215552 ----a-w- c:\windows\system32\bthsvw32.dll
2011-06-28 00:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-06-28 00:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-06-28 00:10 . 2011-06-28 00:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-28 00:10 . 2011-06-28 00:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-28 00:09 . 2011-06-28 00:09 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-06-28 00:03 . 2011-06-28 00:09 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-06-21 17:36 . 2011-06-22 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-06-21 02:16 . 2011-06-21 02:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-06-21 01:28 . 2011-06-21 01:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-06-21 01:16 . 2011-06-21 01:16 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-21 01:13 . 2011-06-21 16:21 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{F4F09E96-D934-4356-970A-102457012334}
2011-06-17 12:51 . 2011-06-17 13:24 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 14:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-14 14:19 . 2011-05-24 14:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-04 08:52 . 2010-09-23 15:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2009-12-18 18:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2007-08-23 22:35 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-12 14:04 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-12 14:09 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-12 13:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-12 13:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-12 13:57 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-12 14:01 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-05-07 16:04 . 2011-05-07 16:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_00.40.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-30 13:38 . 2011-06-30 13:38 40960 c:\windows\Temp\rtdrvmon.exe
+ 2011-06-30 13:38 . 2011-06-30 13:38 16384 c:\windows\Temp\Perflib_Perfdata_c4.dat
- 2004-08-12 14:03 . 2011-06-23 16:45 53608 c:\windows\system32\perfc009.dat
+ 2004-08-12 14:03 . 2011-06-28 03:45 53608 c:\windows\system32\perfc009.dat
- 2007-08-23 22:41 . 2011-06-28 00:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-08-23 22:41 . 2011-06-30 13:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-06-28 03:46 . 2011-06-30 13:23 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-12 14:03 . 2011-06-28 03:45 383254 c:\windows\system32\perfh009.dat
- 2004-08-12 14:03 . 2011-06-23 16:45 383254 c:\windows\system32\perfh009.dat
+ 2011-06-29 20:57 . 2011-05-04 08:52 157472 c:\windows\system32\javaws.exe
+ 2011-06-29 20:57 . 2011-05-04 08:52 145184 c:\windows\system32\javaw.exe
- 2010-09-23 15:00 . 2010-07-17 09:00 145184 c:\windows\system32\javaw.exe
+ 2011-06-29 20:57 . 2011-05-04 08:52 145184 c:\windows\system32\java.exe
- 2010-09-23 15:00 . 2010-07-17 09:00 145184 c:\windows\system32\java.exe
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
+ 2011-06-29 20:57 . 2011-06-29 20:57 203776 c:\windows\Installer\5aedd.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-31 68856]
"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-31 68856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2010-11-7 189952]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdiw32]
2011-06-28 14:09 34816 ----a-w- c:\windows\system32\btwdiw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\btwdlns]
2011-06-28 14:09 34816 ----a-w- c:\windows\system32\btwdiw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-11-23 13:43 2001648 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [1/23/2009 3:51 AM 64480]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 9:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 74480]
R2 btwdlns;Bluetooth Services;c:\windows\System32\svchost.exe -k bthsvc [8/12/2004 10:06 AM 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/26/2008 2:47 AM 88176]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/7/2007 1:58 AM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 1:54 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 1:54 PM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 7408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
bthsvc REG_MULTI_SZ btwdlns
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:34]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 17:54]
.
2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-08-27 16:22]
.
2011-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-08-27 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 167.206.254.2 167.206.254.1
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\3chxq8dc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-06-30 09:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\btwdiw32.dll
.
- - - - - - - > 'explorer.exe'(996)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\McAfee\VIRUSS~1\mcods.exe
c:\progra~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2011-06-30 09:46:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-30 13:45
ComboFix2.txt 2011-06-28 00:53
.
Pre-Run: 123,397,537,792 bytes free
Post-Run: 123,472,433,152 bytes free
.
- - End Of File - - 2717555E0592268F32FB36116A2C709C
lilbrat0326 is offline  
Old 06-30-2011, 10:39 AM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, lilbrat0326. Navigate to and double-click C:\CF-submit.htm and follow the instructions for submitting the file. Let me know if successful.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{753C383F-B29E-4B0E-8191-BE76EE486088}"
"C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{93C9C96E-47C5-4B50-A551-EBEC1C9DBAFF}"
"C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AF444ACE-43BC-45BE-AEC4-8C022AF71909}"
"C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C4C080C1-F310-45A1-90CD-E656A72A0B29}"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 07-02-2011, 02:01 PM   #13
Registered Member
 
Join Date: Jun 2011
Posts: 8
OS: xp



When trying to submit the file to C:\CF-submit.htm, it said there is an error with the submission. "Your file is either 0 bytes or has exceeded the maximum file size of 5MB that we allow to be uploaded". fix.bat said it was successful.
lilbrat0326 is offline  
Old 07-02-2011, 02:13 PM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, lilbrat0326. Don't worry about the C:\CF-submit.htm, you can delete it.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable McAfee before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Windows End of Support Information - Windows Help & How-to

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 07-03-2011, 06:11 PM   #15
Registered Member
 
Join Date: Jun 2011
Posts: 8
OS: xp



Done. Thank you so much for all your help!
lilbrat0326 is offline  
Old 07-03-2011, 06:49 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



You're very welcome, lilbrat0326! Glad to have helped.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
.exe problems, and possible Malware issues
Aloha, Need help... not sure what to do, hopefully I posted this correctly this time! Mahalo, Red Eye . DDS (Ver_2011-06-03.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24 Run by Jennifer at 14:07:36 on 2011-06-09
RED EYE TRUKIN Resolved HJT Threads 10 06-28-2011 06:27 AM
new issues with an old XP machine. Is it a virus McAfee can't find and clean?
For the past 2 months something is not right with our home computer, and I don’t know what. I run McAfee, but the scan does not seem to run, takes days to finish and sometimes only says 1200 files scanned with no virus detected. When I run task manager says CPU usage is 100%. IE hangs up or...
tony_g Virus/Trojan/Spyware Help 20 05-26-2011 08:01 AM
Aggravating Google Redirect Virus on Wife's Computer
my wife's laptop suddenly is getting the redirect on google searches. i know this is one of your common problems to fix. i had the same problem on my computer about a year ago and your help was the only way i got rid of it on my computer. this computer runs updated version of webroot securities....
scott1nc Inactive Malware Help Topics 36 04-20-2011 04:27 AM
Help with XP Anti Spyware 2011 removal
Good evening A neighbours PC has fallen foul of XP Anti Spyware 2011. I've tried dealing with it through Malwarebytes in Safe Mode but this appears to have been disabled. Could someone have a look at the DDS and GMER logs for me and advise on the best way forward. Thanks Dave . DDS...
riffraff99 Resolved HJT Threads 16 04-19-2011 02:45 AM
Fake Windows Security Program has infected my computer! Please help me remove it!
i was simply browsing the web, and when I hit a link this Windows Security scanner program popped up with several different pop ups and tried telling me my computer was infected with all these particular files. I didn't subscribe to it or anything I just clicked out of it. Now, my computer...
flip25 Inactive Malware Help Topics 4 04-12-2011 11:23 AM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 10:39 AM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts