rigggary99
Posts posted by rigggary99
Here you go:
ComboFix 09-04-01.01 - Gary Riggs 2009-04-03 17:54:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1601 [GMT 1:00]
Running from: c:\documents and settings\Gary Riggs\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLR_OPTIMIZATION_V2.0.50727_32ASPNET_STATE
-------\Legacy_NPF
-------\Legacy_WMPNETWORKSVCMCNASVC
-------\Service_clr_optimization_v2.0.50727_32aspnet_state
-------\Service_WMPNetworkSvcMcNASvc
((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.
2009-04-02 23:58 . 2009-04-02 23:58 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-04-02 23:54 . 2009-04-02 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-02 23:54 . 2009-04-03 17:57 6,425 --a------ c:\windows\system32\Config.MPF
2009-04-02 23:52 . 2009-04-02 23:52 <DIR> d-------- c:\program files\McAfee.com
2009-04-02 23:52 . 2009-04-02 23:54 <DIR> d-------- c:\program files\McAfee
2009-04-02 23:52 . 2009-04-02 23:52 <DIR> d-------- c:\program files\Common Files\McAfee
2009-04-02 23:52 . 2008-10-23 13:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-04-02 23:52 . 2009-01-16 20:04 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-04-02 23:52 . 2009-01-16 20:04 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-04-02 23:52 . 2009-01-16 20:04 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-04-02 23:50 . 2009-01-16 20:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-04-02 23:48 . 2009-04-02 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-04-02 22:59 . 2009-04-02 22:59 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-04-02 22:57 . 2009-04-02 22:58 <DIR> d-------- c:\windows\ERUNT
2009-04-02 22:54 . 2009-04-02 23:32 <DIR> d-------- C:\SDFix
2009-03-31 17:48 . 2009-03-31 17:48 <DIR> d-------- c:\documents and settings\Gary Riggs\Application Data\Malwarebytes
2009-03-31 17:48 . 2009-03-31 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-31 17:48 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-31 17:48 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-31 11:49 . 2009-03-31 11:49 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-31 11:49 . 2009-03-31 11:49 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-31 11:49 . 2009-03-31 11:49 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-31 11:49 . 2009-03-31 11:49 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-30 22:47 . 2009-01-09 20:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-30 22:35 . 2009-03-30 22:44 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-30 19:46 . 2009-03-30 19:46 <DIR> d-------- c:\program files\Trend Micro
2009-03-30 19:10 . 2009-03-30 19:10 <DIR> d-------- C:\VundoFix Backups
2009-03-26 23:09 . 2009-03-31 18:26 <DIR> d-------- c:\program files\Mozilla Firefox1
2009-03-23 12:44 . 2009-03-23 12:46 <DIR> d-------- c:\windows\NV21802184.TMP
2009-03-16 19:10 . 2009-04-03 17:46 <DIR> d-------- c:\documents and settings\Gary Riggs\Tracing
2009-03-16 19:09 . 2009-03-16 19:09 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-16 19:09 . 2009-03-16 19:09 <DIR> d-------- c:\program files\Microsoft
2009-03-16 19:07 . 2009-03-16 19:07 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-15 22:11 . 2008-04-14 01:12 91,136 --a------ c:\windows\system32\kswdmcap.ax
2009-03-15 22:11 . 2008-04-14 01:12 91,136 --a--c--- c:\windows\system32\dllcache\kswdmcap.ax
2009-03-15 22:11 . 2008-04-14 01:12 61,952 --a------ c:\windows\system32\kstvtune.ax
2009-03-15 22:11 . 2008-04-14 01:12 61,952 --a--c--- c:\windows\system32\dllcache\kstvtune.ax
2009-03-15 22:11 . 2008-04-14 01:12 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2009-03-15 22:11 . 2008-04-14 01:12 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2009-03-15 22:11 . 2008-04-14 01:12 43,008 --a------ c:\windows\system32\ksxbar.ax
2009-03-15 22:11 . 2008-04-14 01:12 43,008 --a--c--- c:\windows\system32\dllcache\ksxbar.ax
2009-03-15 22:09 . 2007-04-23 20:37 141,582 --------- c:\windows\system32\drivers\NVCAP.SYS
2009-03-15 22:09 . 2007-04-23 20:37 29,696 --------- c:\windows\system32\FILTER.AX
2009-03-15 22:09 . 2007-04-23 20:37 16,496 --------- c:\windows\system32\drivers\NVXBAR.SYS
2009-03-15 22:08 . 2009-03-15 22:08 7,252 --a------ c:\windows\system32\d3d9caps.dat
2009-03-15 22:05 . 2009-03-15 22:10 <DIR> d-------- c:\windows\NV7161104.TMP
2009-03-15 21:09 . 2009-03-15 21:10 <DIR> d-------- c:\windows\NV25242640.TMP
2009-03-06 20:40 . 2009-03-06 20:45 189,496 --a------ c:\windows\system32\PnkBstrB.xtr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 16:55 --------- d-----w c:\documents and settings\Gary Riggs\Application Data\Free Download Manager
2009-04-02 21:14 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-02 19:39 --------- d-----w c:\documents and settings\Gary Riggs\Application Data\OpenOffice.org2
2009-03-31 10:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-28 19:05 --------- d-----w c:\program files\Java
2009-03-16 18:09 --------- d-----w c:\program files\Windows Live
2009-03-15 21:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 20:09 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-15 20:09 --------- d-----w c:\program files\AGEIA Technologies
2009-02-18 14:44 6,308,224 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-12-25 12:29 22,328 ----a-w c:\documents and settings\Gary Riggs\Application Data\PnkBstrK.sys
.
------- Sigcheck -------
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 11:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 11:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 20:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 12:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 12:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
2004-08-04 08:56 111104 4126d27cece4471e00e425411f7306b5 c:\windows\$NtServicePackUninstall$\wuauclt.exe
2008-04-14 01:12 111104 ed7262e52c31cf1625b65039102bc16c c:\windows\ServicePackFiles\i386\wuauclt.exe
2008-10-16 15:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\wuauclt.exe
2008-10-16 15:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"CTHelper"="CTHELPER.EXE" [2006-08-17 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE]
"nwiz"="nwiz.exe" [2009-02-18 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 D:\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 19:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\fear\\FEAR.exe"=
"f:\\battlefield 2\\BF2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\yahoo\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"f:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"=
"f:\\farcry2\\Far Cry 2\\bin\\FarCry2.exe"=
"f:\\farcry2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"f:\\farcry2\\Far Cry 2\\bin\\FC2Editor.exe"=
"f:\\Steam\\steamapps\\[email protected]\\garrysmod\\hl2.exe"=
"f:\\steam\\Steam.exe"=
"f:\\cod4\\iw3mp.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"f:\\cod wow\\CoDWaW.exe"=
"f:\\cod wow\\CoDWaWmp.exe"=
"f:\\steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"f:\\steam\\steamapps\\common\\left 4 dead\\srcds.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 SASDIFSV;SASDIFSV;D:\SASDIFSV.SYS [2008-12-22 9968]
R1 SASKUTIL;SASKUTIL;D:\SASKUTIL.SYS [2008-12-22 55024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-04-02 203280]
S2 0034251238712769mcinstcleanup;McAfee Application Installer Cleanup (0034251238712769);c:\docume~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 SASENUM;SASENUM;D:\SASENUM.SYS [2008-12-22 7408]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AUTORUN.EXE
.
Contents of the 'Scheduled Tasks' folder
2009-04-03 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Gary Riggs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []
2009-04-02 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
2009-04-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-NVIDIA nTune - c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://d:\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://d:\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://d:\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://d:\free download manager\dllink.htm
DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.0.6/img/NetCamPlayerWeb11g.ocx
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 17:57:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1085031214-1202660629-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:de,5c,d3,12,c2,92,76,ee,3a,fe,93,57,82,b3,5e,dd,29,0c,b9,7a,8e,34,e5,
20,6b,cd,50,58,50,f2,af,f3,9d,88,2b,a2,1a,be,84,91,4e,5c,c8,82,5e,43,b9,84,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
[HKEY_USERS\S-1-5-21-1085031214-1202660629-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:3a,b2,57,12,f6,36,17,22,15,0b,34,66,65,8c,8f,a6,82,91,c7,bf,b1,
ce,71,0f,6c,3e,f7,17,93,03,e7,84,98,d6,c5,d8,d1,d6,79,3a,a4,db,c1,2a,c2,a3,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(684)
D:\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-04-03 17:59:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-03 16:59:18
Pre-Run: 39,866,888,192 bytes free
Post-Run: 40,028,983,296 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer
254 --- E O F --- 2009-03-11 00:09:57
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-03 08:19:35
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB2D2C44A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB2D2C4E1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2D2C3F8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB2D2C40C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2D2C4F5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2D2C521]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB2D2C58F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB2D2C579]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB2D2C48A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB2D2C5BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB2D2C4CD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2D2C3D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2D2C3E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB2D2C45E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2D2C5F7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB2D2C563]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB2D2C54D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB2D2C50B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2D2C5E3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB2D2C5CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2D2C436]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2D2C422]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB2D2C537]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB2D2C4B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB2D2C5A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB2D2C4A0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB2D2C474]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B2D2C478 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B2D2C44E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B2D2C48E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B2D2C4A4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B2D2C462 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B2D2C3D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B2D2C3E8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B2D2C426 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B2D2C410 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 1 Byte [E9]
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B2D2C3FC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B2D2C43A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B2D2C4BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B2D2C551 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B2D2C53B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B2D2C5A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B2D2C567 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B2D2C50F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B2D2C4E5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B2D2C4F9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B2D2C525 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B2D2C593 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B2D2C57D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B2D2C4D1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B2D2C5FB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B2D2C5D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B2D2C5E7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B2D2C5BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E0076
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E0F81
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E0F9E
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E005B
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E004A
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E00A4
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E0087
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E0F15
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E0F26
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010E00D3
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 010E0FC3
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 010E0FE5
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 010E0F5C
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeW 7C82F0C5 3 Bytes JMP 010E0FD4
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeW + 4 7C82F0C9 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 010E001B
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 010E0F37
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F9C
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060027
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40047
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40F5C
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40F79
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40FA8
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40069
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40058
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40EEB
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E40084
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E40EDA
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E40025
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E40F2D
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E40FB9
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E40F06
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E30036
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E30087
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E30025
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E30FC0
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E30062
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E30051
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD0FAF
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD0FCA
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD0029
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD003A
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD0018
.text C:\WINDOWS\system32\lsass.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC0FEF
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B10F48
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B10047
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10F6D
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10F94
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10FC0
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10EFF
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F26
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10EDD
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B10EEE
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B10087
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B10FAF
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B10011
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B10F37
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B10022
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B10FD1
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B10062
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B0001B
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B0007D
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B00FD4
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B0006C
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B0005B
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0FB2
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0033
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF0018
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0FCD
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0FDE
.text C:\WINDOWS\system32\svchost.exe[900] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D20F80
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20075
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D20F9B
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D20FB6
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20047
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D20090
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D20F54
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D20F12
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D20F23
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D200BC
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D20058
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D20FE5
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D20F65
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D2002C
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D2001B
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D200A1
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D1002F
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D10FB2
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D10FE5
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D1006F
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D1004A
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00049
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00038
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FE3
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D0000C
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00FC8
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D0001D
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 032E0FEF
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 032E0F59
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 032E0F7E
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 032E0058
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 032E0FA5
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 032E0036
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 032E0F2D
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 032E0F3E
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 032E0EE6
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 032E0EF7
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 032E0ED5
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 032E0047
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 032E0FCA
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 032E0069
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 032E001B
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 032E0000
.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 032E0F12
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 032C0FB9
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 032C0051
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 032C0FCA
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 032C0FE5
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 032C0F94
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 032C0000
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 032C0036
.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 032C0025
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02DC002C
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 02DC0011
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02DC0FAB
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02DC0FEF
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02DC0000
.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02DC0FC6
.text C:\WINDOWS\System32\svchost.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02DB0000
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 032D0000
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 032D0011
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 032D0FDB
.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 032D0FCA
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00940FEF
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00940F68
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0094005D
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00940F83
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00940F94
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00940036
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0094009F
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00940084
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009400CB
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00940F32
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 009400E6
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00940FAF
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00940FDE
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00940F57
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00940025
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00940014
.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 009400B0
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00930040
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00930098
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00930FE5
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00930011
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00930087
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0093006C
.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0093005B
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F9C
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FB7
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092001D
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FE3
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FC8
.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092000C
.text C:\WINDOWS\System32\svchost.exe[1136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E70000
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E7006C
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E7005B
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E70040
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E70F83
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E70F9E
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E700B3
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E70098
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E700D8
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E70F3F
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E70F2E
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E70025
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E7007D
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E70F50
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E50FC0
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E50058
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E50011
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E50F9B
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E50000
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E5003D
.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E50022
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40F9A
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40025
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E4000A
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40FE3
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40FB5
.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40FD2
.text C:\WINDOWS\System32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\System32\svchost.exe[1288] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00E60000
.text C:\WINDOWS\System32\svchost.exe[1288] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00E60011
.text C:\WINDOWS\System32\svchost.exe[1288] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00E6002C
.text C:\WINDOWS\System32\svchost.exe[1288] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00E6003D
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015D000A
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015D0F8A
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015D0FA5
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015D0073
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015D0FB6
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015D0FE5
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015D0F5E
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015D009A
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015D00DC
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015D0F4D
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 015D0F28
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 015D0062
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 015D001B
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 015D0F6F
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 015D0047
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 015D0036
.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 015D00CB
.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BF0F94
.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BF005B
.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BF0040
.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BF0025
.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F9F
.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FB0
.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FC1
.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\Explorer.EXE[1648] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1648] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C00025
.text C:\WINDOWS\Explorer.EXE[1648] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C00036
.text C:\WINDOWS\Explorer.EXE[1648] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\Explorer.EXE[1648] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00880FEF
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00880F83
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00880078
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00880067
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00880FA8
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00880040
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00880F4B
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00880093
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008800C2
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00880F1F
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00880F0E
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00880FB9
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00880F68
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00880FD4
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00880025
.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00880F30
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0087002C
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00870051
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0087001B
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00870FE5
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00870F8A
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00870000
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00870F9B
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [A7, 88]
.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00870FC0
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00860F92
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 00860FAD
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0086001D
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0086000C
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00860FBE
.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00860FEF
.text C:\WINDOWS\system32\svchost.exe[1740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00850FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1996] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 004C0000
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 004C0089
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 004C0078
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 004C0F94
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 004C0051
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 004C0FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 004C0F43
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 004C0F5E
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 004C0F0D
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 004C0F28
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 004C0EFC
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 004C0FA5
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 004C0011
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 004C0F79
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 004C0FD1
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 004C0022
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 004C00A6
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 004B0FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 004B0F83
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 004B0FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 004B0FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 004B0040
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 004B0000
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 004B002F
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 004B0F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 004A0049
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!system 77C293C7 5 Bytes JMP 004A0FC8
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 004A0FD9
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 004A0000
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 004A0038
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 004A0011
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01970FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01970000
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01970FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenUrlW 780BAEB9 3 Bytes JMP 01970FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenUrlW + 4 780BAEBD 1 Byte [89]
.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01F1000A
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A007D
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0051
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00C6
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00B5
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F48
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00E1
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F37
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A006C
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A00A4
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0040
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0025
.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F63
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290054
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290014
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FDE
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F97
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FB9
.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E004C
.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E003B
.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FD2
.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FC1
.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[3100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FE5
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Modules - GMER 1.0.15 ----
Module (noname) (*** hidden *** ) 02000000-03F5A000 (32874496 bytes)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060a6bc9b
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060a6bc9b
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\Gary Riggs\Local Settings\Temporary Internet Files\Content.IE5\1KUNEOJV\load[1].htm 1 bytes
File C:\System Volume Information\_restore{28A7C03F-B41F-4A1E-B01B-6C7E3093A7BE}\RP441\A0101416.ini 12401 bytes
File C:\System Volume Information\_restore{28A7C03F-B41F-4A1E-B01B-6C7E3093A7BE}\RP441\A0101417.ini 16713 bytes
---- EOF - GMER 1.0.15 ----
-
Weird, although the HJT log says:
O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll
Zamopage does not actually exist...
When I try to upload, it says "Error, can't upload" as the file does not exist....
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:40:33, on 03/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
D:\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0034251238712769) (0034251238712769mcinstcleanup) - Unknown owner - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)
--
End of file - 8944 bytes
-
I have re-installed McAfee - it had a tendency to randomly say "you're not fully protected" for about 30 secs before deciding to say it was; apparently it's a bug due to a conflict. Reinstall should fix it - just in case you see anything below that's different.
I have always been picky about my PC's speed, but to be honest, I have not noticed a difference.
Although it's nice to see all those logs above saying "deleted" to certain pesky little buggers.
Amazes me that I pay £19.99 for anti-virus and yet all these free progs do a better job!
I'm ever so thankful for your time....
As requested:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:14:12, on 03/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0034251238712769) (0034251238712769mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)
--
End of file - 8952 bytes
-
My god that second part took aaages!
SDFix: Version 1.240
Run by Gary Riggs on 02/04/2009 at 23:00
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP1B.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP1F.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP24.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP2D.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP32.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP36.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP3D.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP40.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP45.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP4E.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP51.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP55.tmp - Deleted
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP5C.tmp - Deleted
C:\WINDOWS\system32\descript.lnk - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 23:28:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060a6bc9b]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060a6bc9b]
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"="E:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"F:\\fear\\FEAR.exe"="F:\\fear\\FEAR.exe:*:Enabled:FEAR"
"F:\\battlefield2\\BF2.exe"="F:\\battlefield2\\BF2.exe:*:Enabled:Battlefield 2"
"F:\\battlefield 2\\BF2.exe"="F:\\battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\\yahoo\\Messenger\\YahooMessenger.exe"="D:\\yahoo\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"F:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"="F:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"F:\\farcry2\\Far Cry 2\\bin\\FarCry2.exe"="F:\\farcry2\\Far Cry 2\\bin\\FarCry2.exe:*:Enabled:Far Cry 2"
"F:\\farcry2\\Far Cry 2\\bin\\FC2Launcher.exe"="F:\\farcry2\\Far Cry 2\\bin\\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater"
"F:\\farcry2\\Far Cry 2\\bin\\FC2Editor.exe"="F:\\farcry2\\Far Cry 2\\bin\\FC2Editor.exe:*:Enabled:Editor"
"F:\\Steam\\steamapps\\[email protected]\\garrysmod\\hl2.exe"="F:\\Steam\\steamapps\\[email protected]\\garrysmod\\hl2.exe:*:Enabled:hl2"
"F:\\steam\\Steam.exe"="F:\\steam\\Steam.exe:*:Enabled:Steam"
"F:\\cod4\\iw3mp.exe"="F:\\cod4\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare "
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"F:\\cod wow\\CoDWaW.exe"="F:\\cod wow\\CoDWaW.exe:*:Enabled:Call of Duty® - World at War "
"F:\\cod wow\\CoDWaWmp.exe"="F:\\cod wow\\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War "
"F:\\steam\\steamapps\\common\\left 4 dead\\left4dead.exe"="F:\\steam\\steamapps\\common\\left 4 dead\\left4dead.exe:*:Enabled:Left 4 Dead"
"F:\\steam\\steamapps\\common\\left 4 dead\\srcds.exe"="F:\\steam\\steamapps\\common\\left 4 dead\\srcds.exe:*:Enabled:Left 4 Dead Dedicated Server"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Sat 27 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 6 Mar 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 6 Mar 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Thu 30 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 21 Oct 2008 390,522 A..H. --- "C:\Documents and Settings\Gary Riggs\Desktop\DAP\CoD4MW-1.6-1.7-PatchSetup.zip"
Fri 13 Feb 2009 522,481,371 A..H. --- "C:\Documents and Settings\Gary Riggs\Desktop\DAP\CoDWaW-1.2-PatchSetup.exe"
Sun 22 Mar 2009 6,043,680 A..H. --- "C:\Documents and Settings\Gary Riggs\Desktop\DAP\SUPERAntiSpyware(1).exe"
Sun 16 Nov 2008 6,112 ...HR --- "C:\Documents and Settings\Gary Riggs\Application Data\SecuROM\UserData\securom_v7_01.bak"
Finished!
-
You sure can Mr Rock!
Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:43:37, on 02/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\opera\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)
--
End of file - 8382 bytes
-
Hello again, sorry for the delay.
Yes, after the first scan I had to reboot as Mbam told me there was one thing it could not remove.
I did a reboot, then checked msconfig - then realised that I had unticked a few "dodgy" things.
So I activated them again, and ran a scan - and it deleted the other entries (the second scan).
I rebooted again, and now the scan picks up nothing; also, the entries have been removed from msconfig and scans no longer pick things up.
-
Thanks ever so much for your helping hand.
Luckily I logged onto my internet banking only 1 hour after the money was taken. The type of transfer that they did only takes 2 hours to complete; although it was taken out of my account, it was actually in a "holding" deposit at my bank waiting to be completed. Just very, very lucky I caught it when I did.
Could you confirm if any of the below, or anything you have seen in the log files, could enable anybody to gain access to my bank / login details?
I have done as you asked and below are 2 logs - I completed the first scan and it found a few things (now deleted).
I did remember that when I first thought I caught the horrid Vundo virus, "Spybot Search and Destroy" got rid of a few files; however, every time Windows started I got error messages relating to certain dodgy .dll files - so I went into msconfig and disabled them. The files I disabled were:
Zemogife
Cvolirewa
ozutoliixa
zamopage
zogugune
I did notice that the scan did not pick these up - so I enabled them in msconfig and ran a second scan, which I also enclose below.
First scan:
Malwarebytes' Anti-Malware 1.35
Database version: 1925
Windows 5.1.2600 Service Pack 3
31/03/2009 17:56:17
mbam-log-2009-03-31 (17-56-17).txt
Scan type: Quick Scan
Objects scanned: 70034
Time elapsed: 4 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6011a476-5601-472f-b433-49f26d125ca1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6011a476-5601-472f-b433-49f26d125ca1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83813297-16a7-4f7e-9ee2-895ec9b1736c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83813297-16a7-4f7e-9ee2-895ec9b1736c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbiwijevoheraj (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nidle (Virus.Virut) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Gary Riggs\Application Data\nidle (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\smuwtr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary Riggs\Local Settings\Temp\ncmorwxaes.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary Riggs\Local Settings\Temp\xonmacewrs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\ozutolixa.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\initprog32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sqla.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
Second Scan:
Malwarebytes' Anti-Malware 1.35
Database version: 1925
Windows 5.1.2600 Service Pack 3
31/03/2009 18:05:46
mbam-log-2009-03-31 (18-05-46).txt
Scan type: Quick Scan
Objects scanned: 69801
Time elapsed: 4 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tupozawohi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm7f0ebdb8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c3d8e24 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qmuwanawozav (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbiwijevoheraj (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Hey guys - just had a very weird 2 hours... just checked my internet banking only to discover that at 4:15pm (GMT) somebody got onto my internet banking and wiped out mine and my other half's savings.
I should mention that I consider myself very computer literate, anti-virus always kept up to date etc...
I am completely baffled as to how they got my details.
I did notice the other day that my anti-virus went off for a few mins; within that time I caught the dreaded Vundo virus - I have run all the correct programs and apparently I am now "clean".
Please would one of you experts just have a random browse of this log and tell me what you think; please pay attention to the line where it says:
O4 - HKLM\..\Run: [Fbiwijevoheraj] rundll32.exe "C:\WINDOWS\ozutolixa.dll",e
When the Vundo installed, it made several entries like this - all others were deleted with the anti-virus etc. apart from this one...
Many thanks for your help guys.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:47:11, on 30/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
D:\opera\opera.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\yahoo\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
D:\FREEDO~1\fdm.exe
C:\Documents and Settings\Gary Riggs\Desktop\DAP\RootkitRevealer.exe
C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TUMNDGQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: {1ac521d6-2f94-334b-f274-1065674a1106} - {6011a476-5601-472f-b433-49f26d125ca1} - C:\WINDOWS\system32\smuwtr.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {83813297-16a7-4f7e-9ee2-895ec9b1736c} - C:\WINDOWS\system32\fuyohudo.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Fbiwijevoheraj] rundll32.exe "C:\WINDOWS\ozutolixa.dll",e
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [nidle] "C:\Documents and Settings\Gary Riggs\Application Data\nidle\nidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TUMNDGQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TUMNDGQ.exe
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)
--
End of file - 9391 bytes
I Think Im Still Infected.. Please Help With My Hjt Log, Thanks [RESOLVED] (in Malware Removal)
Hopefully looking a bit better!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:06:47, on 04/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
D:\yahoo\Messenger\YahooMessenger.exe
D:\opera\opera.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 8275 bytes