I Think I'm Still Infected... Please Help With My HJT Log, Thanks [RESOLVED]



Hey guys - Just had a very weird 2 hours... I just checked my internet banking only to discover that at 4:15pm (GMT) somebody got onto my internet banking and wiped out mine and my other half's savings.

I should mention that I consider myself very computer literate, anti-virus always kept up to date etc.

I am completely baffled as to how they got my details.

I did notice the other day that my anti-virus went off for a few minutes; within that time I caught the dreaded Vundo virus. I have run all the correct programs and apparently I am now "clean".

Please would one of you experts just have a random browse of this log and tell me what you think? Please pay attention to the line where it says:

O4 - HKLM\..\Run: [Fbiwijevoheraj] rundll32.exe "C:\WINDOWS\ozutolixa.dll",e

When the Vundo installed, it made several entries like this - all the others were deleted with the anti-virus etc. apart from this one...

Many thanks for your help guys.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:47:11, on 30/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

D:\opera\opera.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\yahoo\Messenger\YahooMessenger.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

c:\PROGRA~1\mcafee\msc\mcshell.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

D:\FREEDO~1\fdm.exe

C:\Documents and Settings\Gary Riggs\Desktop\DAP\RootkitRevealer.exe

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TUMNDGQ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F3 - REG:win.ini: run=

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: {1ac521d6-2f94-334b-f274-1065674a1106} - {6011a476-5601-472f-b433-49f26d125ca1} - C:\WINDOWS\system32\smuwtr.dll (file missing)

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {83813297-16a7-4f7e-9ee2-895ec9b1736c} - C:\WINDOWS\system32\fuyohudo.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Fbiwijevoheraj] rundll32.exe "C:\WINDOWS\ozutolixa.dll",e

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [nidle] "C:\Documents and Settings\Gary Riggs\Application Data\nidle\nidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab

O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll

O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll

O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: TUMNDGQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TUMNDGQ.exe

O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)

--

End of file - 9391 bytes

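The log above is the kind of thing a responder triages by hand, but the suspicious patterns in it are mechanical enough to script: a rundll32 entry loading a DLL dropped straight into C:\WINDOWS (the Fbiwijevoheraj line), an AppInit_DLLs value (which makes every listed DLL load into every process that loads user32.dll), services with "Unknown owner" running from TEMP, and "(file missing)" leftovers. Below is an added example, written for this page and not HijackThis or Malwarebytes code, that runs those checks over a constructed excerpt of the log. The heuristic names, the Finding class and the severity scale are this example's own; the TUMNDGQ service is flagged only because it runs from Temp, and in this log it is RootkitRevealer's own randomly named service copy, which is why a Temp-path hit still needs a human look.

```python
"""Triage HijackThis (HJT) v2 log lines for common persistence patterns.

Added example: not HijackThis or Malwarebytes code. SAMPLE_LOG is a
constructed excerpt of the log in the post; everything else is this
example's own invention.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the posted HJT log (raw string, so the
# backslashes are literal, exactly as HJT prints them).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {83813297-16a7-4f7e-9ee2-895ec9b1736c} - C:\WINDOWS\system32\fuyohudo.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Fbiwijevoheraj] rundll32.exe "C:\WINDOWS\ozutolixa.dll",e
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [nidle] "C:\Documents and Settings\Gary Riggs\Application Data\nidle\nidle.exe" 61A847B5
O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: TUMNDGQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TUMNDGQ.exe
O23 - Service: WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)
"""

HEADER = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
FILE_MISSING = re.compile(r"\((file missing|no file)\)", re.I)
TEMP_PATH = re.compile(r"\\temp\\", re.I)
# A DLL/EXE sitting directly in the Windows root rather than in system32.
WIN_ROOT_FILE = re.compile(r'[a-z]:\\windows\\[^\\"]+\.(dll|exe)', re.I)
RUNDLL = re.compile(r"rundll32(\.exe)?", re.I)
USER_PROFILE_EXE = re.compile(r"\\application data\\.*\.exe", re.I)


@dataclass
class Finding:
    section: str    # HJT section tag: O2, O4, O20, O23
    name: str       # Run value name, service name, BHO CLSID or "AppInit_DLLs"
    severity: str   # "high" needs investigation, "low" is a stale leftover
    reasons: list   # why the line was flagged
    line: str       # the original log line


def _name_of(section, rest):
    """Pull the identifier a responder would search for out of one HJT line."""
    if section == "O4":
        m = re.search(r"\[(.+?)\]", rest)
    elif section == "O23":
        m = re.search(r"Service:\s*(.+?)\s+-\s", rest)
    elif section == "O2":
        m = re.search(r"\{[0-9a-f-]+\}", rest, re.I)
    else:
        return rest.split(":", 1)[0].strip()
    return m.group(1 if section != "O2" else 0) if m else rest


def triage(log_text):
    """Return a Finding for every HJT line that matches a suspicious pattern."""
    findings = []
    for raw in log_text.splitlines():
        m = HEADER.match(raw.strip())
        if not m:
            continue                     # process list, headers, blank lines
        section, rest = m.group(1), m.group(2)
        reasons = []
        if section == "O20" and rest.lower().startswith("appinit_dlls:"):
            dlls = rest.split(":", 1)[1].split()
            if dlls:
                reasons.append(f"AppInit_DLLs injects {len(dlls)} DLL(s) into every "
                               "process that loads user32.dll")
        if section in ("O2", "O4", "O23"):
            if FILE_MISSING.search(rest):
                reasons.append("references a file that no longer exists (stale entry)")
            if TEMP_PATH.search(rest):
                reasons.append("runs from a Temp directory (confirm what created it)")
            if section == "O23" and "Unknown owner" in rest:
                reasons.append("service binary has no publisher")
            if section == "O4" and RUNDLL.search(rest) and WIN_ROOT_FILE.search(rest):
                reasons.append("rundll32 loads a DLL dropped directly into the Windows directory")
            if section == "O4" and USER_PROFILE_EXE.search(rest):
                reasons.append("executable launched from the user's Application Data")
        if reasons:
            stale_only = all(r.startswith("references a file") for r in reasons)
            findings.append(Finding(section, _name_of(section, rest),
                                    "low" if stale_only else "high", reasons, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section} {f.name}: " + "; ".join(f.reasons))
```

Running it prints one line per hit; the McAfee service, the NVIDIA rundll32 entry and the scriptproxy BHO are silent, which is the point of matching on where a binary lives and how it is launched rather than on the randomised names Vundo uses.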

Ouch, did you contact the bank? There has to be something they can do...

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Thanks ever so much for your helping hand.

Luckily I logged onto my internet banking only 1 hour after the money was taken. The type of transfer that they did only takes 2 hours to complete; although it was taken out of my account, it was actually in a "holding" deposit at my bank waiting to be completed. Just very, very lucky I caught it when I did.

Could you confirm if any of the below or anything you have seen in the log files could enable anybody to gain access to my bank / login details?

I have done as you asked and below are 2 logs - I completed the first scan and it found a few things (now deleted).

I did remember that when I first thought I caught the horrid Vundo virus, "Spybot Search and Destroy" got rid of a few files; however, every time Windows started I got error messages relating to certain dodgy .dll files. So I went into msconfig and disabled them; the files I disabled were:

Zemogife

Cvolirewa

ozutoliixa

zamopage

zogugune

I did notice that the scan did not pick these up - so I enabled them in msconfig and ran a second scan which I also enclose below.

First scan:

Malwarebytes' Anti-Malware 1.35

Database version: 1925

Windows 5.1.2600 Service Pack 3

31/03/2009 17:56:17

mbam-log-2009-03-31 (17-56-17).txt

Scan type: Quick Scan

Objects scanned: 70034

Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6011a476-5601-472f-b433-49f26d125ca1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{6011a476-5601-472f-b433-49f26d125ca1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83813297-16a7-4f7e-9ee2-895ec9b1736c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{83813297-16a7-4f7e-9ee2-895ec9b1736c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbiwijevoheraj (Trojan.Agent) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nidle (Virus.Virut) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Gary Riggs\Application Data\nidle (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\smuwtr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\Gary Riggs\Local Settings\Temp\ncmorwxaes.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Gary Riggs\Local Settings\Temp\xonmacewrs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\ozutolixa.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\initprog32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sqla.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

Second Scan:

Malwarebytes' Anti-Malware 1.35

Database version: 1925

Windows 5.1.2600 Service Pack 3

31/03/2009 18:05:46

mbam-log-2009-03-31 (18-05-46).txt

Scan type: Quick Scan

Objects scanned: 69801

Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tupozawohi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm7f0ebdb8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c3d8e24 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qmuwanawozav (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbiwijevoheraj (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Edited by rigggary99
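Two things in the pair of logs above are worth checking mechanically rather than by eye: the fbiwijevoheraj Run value was marked "Delete on reboot" in the first scan and then detected again in the second, and the Run values for the entries the poster had disabled in msconfig only showed up once they were re-enabled (on Windows XP, msconfig parks a disabled startup entry under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg rather than leaving it in the Run key, so a scanner looking at Run alone will not see it). The following is an added example, not Malwarebytes code: it parses the MBAM 1.x detection lines from constructed excerpts of the two logs and reports what was pending a reboot, what was seen in both scans, and what was new in the second. The parsing regex and the report layout are this example's own.

```python
"""Reconcile two consecutive Malwarebytes' Anti-Malware (MBAM 1.x) logs.

Added example, not Malwarebytes code. FIRST_SCAN and SECOND_SCAN are
constructed excerpts of the two logs in the post; the logic is this
example's own.
"""
import re

# One detection line: "<registry path or file> (<ThreatName>) -> <action>."
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

FIRST_SCAN = r"""
Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6011a476-5601-472f-b433-49f26d125ca1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbiwijevoheraj (Trojan.Agent) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nidle (Virus.Virut) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\ozutolixa.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\initprog32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

SECOND_SCAN = r"""
Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tupozawohi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbiwijevoheraj (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

(No malicious items detected)
"""


def parse_mbam(log_text):
    """Return {item: (threat, action)} for every detection line in an MBAM log.

    Section headers, counters and "(No malicious items detected)" do not match
    the DETECTION pattern and are skipped.
    """
    items = {}
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            items[m.group("item")] = (m.group("threat"), m.group("action"))
    return items


def reconcile(first_log, second_log):
    """Compare two scans taken in sequence (the second after the reboot)."""
    first, second = parse_mbam(first_log), parse_mbam(second_log)
    return {
        # MBAM could not remove these in-session; they only go on reboot.
        "pending_reboot": sorted(i for i, (_, a) in first.items() if "reboot" in a.lower()),
        # Detected again after the reboot: the removal did not take or was re-created.
        "seen_in_both": sorted(i for i in first if i in second),
        # Only visible in the second scan, e.g. entries re-enabled in msconfig.
        "new_in_second": sorted(i for i in second if i not in first),
        "cleared": sorted(i for i in first if i not in second),
    }


def needs_attention(report):
    """Items that were pending a reboot and still came back: verify by hand."""
    pending = set(report["pending_reboot"])
    return [i for i in report["seen_in_both"] if i in pending]


if __name__ == "__main__":
    rep = reconcile(FIRST_SCAN, SECOND_SCAN)
    for key, items in rep.items():
        print(key, *items, sep="\n  ")
    print("needs attention:", *needs_attention(rep), sep="\n  ")
```

On the constructed excerpts the report shows exactly what the poster described: the Run value that was pending a reboot reappears in the second scan, while the DLL it pointed at does not, and the tupozawohi value is new in the second scan.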

Hello again, sorry for delay.

Yes, after the first scan I had to reboot as MBAM told me there was one thing it could not remove.

I did a reboot, then checked msconfig, then realised that I had unticked a few "dodgy" things.

So I activated them again and ran a scan, and it deleted the other entries (the second scan).

I rebooted again, and now the scan picks up nothing; also, the entries have been removed from msconfig and scans no longer pick things up.


You sure can Mr Rock!

Here it is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:43:37, on 02/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Messenger\msmsgs.exe

D:\opera\opera.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F3 - REG:win.ini: run=

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab

O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll

O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll

O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)

--

End of file - 8382 bytes


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


My god that second part took aaages!

SDFix: Version 1.240

Run by Gary Riggs on 02/04/2009 at 23:00

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP15.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP17.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP1B.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP1F.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP24.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP2D.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP32.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP36.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP3D.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP40.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP45.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP4E.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP51.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP55.tmp - Deleted

C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\TMP5C.tmp - Deleted

C:\WINDOWS\system32\descript.lnk - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-02 23:28:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060a6bc9b]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060a6bc9b]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"E:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"="E:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe:*:Enabled:hl2"

"F:\\fear\\FEAR.exe"="F:\\fear\\FEAR.exe:*:Enabled:FEAR"

"F:\\battlefield2\\BF2.exe"="F:\\battlefield2\\BF2.exe:*:Enabled:Battlefield 2"

"F:\\battlefield 2\\BF2.exe"="F:\\battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"

"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"

"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

"D:\\yahoo\\Messenger\\YahooMessenger.exe"="D:\\yahoo\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"

"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"

"F:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"="F:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe:*:Enabled:hl2"

"F:\\farcry2\\Far Cry 2\\bin\\FarCry2.exe"="F:\\farcry2\\Far Cry 2\\bin\\FarCry2.exe:*:Enabled:Far Cry 2"

"F:\\farcry2\\Far Cry 2\\bin\\FC2Launcher.exe"="F:\\farcry2\\Far Cry 2\\bin\\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater"

"F:\\farcry2\\Far Cry 2\\bin\\FC2Editor.exe"="F:\\farcry2\\Far Cry 2\\bin\\FC2Editor.exe:*:Enabled:Editor"

"F:\\Steam\\steamapps\\[email protected]\\garrysmod\\hl2.exe"="F:\\Steam\\steamapps\\[email protected]\\garrysmod\\hl2.exe:*:Enabled:hl2"

"F:\\steam\\Steam.exe"="F:\\steam\\Steam.exe:*:Enabled:Steam"

"F:\\cod4\\iw3mp.exe"="F:\\cod4\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare "

"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

"F:\\cod wow\\CoDWaW.exe"="F:\\cod wow\\CoDWaW.exe:*:Enabled:Call of Duty® - World at War "

"F:\\cod wow\\CoDWaWmp.exe"="F:\\cod wow\\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War "

"F:\\steam\\steamapps\\common\\left 4 dead\\left4dead.exe"="F:\\steam\\steamapps\\common\\left 4 dead\\left4dead.exe:*:Enabled:Left 4 Dead"

"F:\\steam\\steamapps\\common\\left 4 dead\\srcds.exe"="F:\\steam\\steamapps\\common\\left 4 dead\\srcds.exe:*:Enabled:Left 4 Dead Dedicated Server"

"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"

"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"

Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"

Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"

Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"

Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"

Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"

Sat 27 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Fri 6 Mar 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"

Fri 6 Mar 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"

Thu 30 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Tue 21 Oct 2008 390,522 A..H. --- "C:\Documents and Settings\Gary Riggs\Desktop\DAP\CoD4MW-1.6-1.7-PatchSetup.zip"

Fri 13 Feb 2009 522,481,371 A..H. --- "C:\Documents and Settings\Gary Riggs\Desktop\DAP\CoDWaW-1.2-PatchSetup.exe"

Sun 22 Mar 2009 6,043,680 A..H. --- "C:\Documents and Settings\Gary Riggs\Desktop\DAP\SUPERAntiSpyware(1).exe"

Sun 16 Nov 2008 6,112 ...HR --- "C:\Documents and Settings\Gary Riggs\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

MrBill, don't post advice in this forum, thanks.

Rig, can I see a new HijackThis log?

I didn't know that asking someone if they rebooted after a MBAM scan (which should be done) was a bad thing to do.

Edited by MrBill

I have re-installed McAfee - it had a tendency to randomly say "you're not fully protected" for about 30 secs before deciding to say it was; apparently it's a bug due to a conflict. Reinstall should fix it - just in case you see anything below that's different.

I have always been picky about my PC's speed, but to be honest, I have not noticed a difference.

Although it's nice to see all those logs above saying "deleted" to certain pesky little buggers.

Amazes me that I pay £19.99 for anti-virus and yet all these free progs do a better job!

I'm ever so thankful for your time....

As requested:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:14:12, on 03/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll

O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll

O23 - Service: McAfee Application Installer Cleanup (0034251238712769) (0034251238712769mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE

O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)

--

End of file - 8952 bytes


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll

O23 - Service: McAfee Application Installer Cleanup (0034251238712769) (0034251238712769mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE

O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)

O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

When you are finished, post a new HijackThis log here in a reply. Also, please let me know of any problems you may have encountered.

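As an added illustration of the triage the helper does by hand above (this is example code, not something from the thread or from HijackThis itself), the following Python script applies the same three rules to HijackThis entry lines: O2 BHOs whose DLL is gone, anything listed under O20 AppInit_DLLs, and O23 services that live in a Temp directory or point at a missing file. The sample lines are constructed from the log posted above; the rule set and the Finding type are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: entry lines in HijackThis v2.0.2 format, taken from the
# log posted in this thread, plus a few benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)
O23 - Service: McAfee Application Installer Cleanup (0034251238712769) (0034251238712769mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why the entry was flagged
    entry: str    # the original log line


# Every HijackThis entry line looks like "O23 - ..." or "R1 - ...".
_LINE_RE = re.compile(r"^(?P<sec>[OR]\d{1,2}) - (?P<body>.+)$")
# A path component named Temp (any case), e.g. C:\WINDOWS\TEMP\ or ...\LOCALS~1\Temp\
_TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body, full_line) for each HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _LINE_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def triage(log_text):
    """Apply the three hand-triage rules from the thread and return the findings."""
    findings = []
    for sec, body, line in parse_entries(log_text):
        if sec == "O2" and body.endswith("(no file)"):
            # A BHO CLSID is still registered, but its DLL is gone: leftover to clean.
            findings.append(Finding(sec, "BHO registered but its DLL no longer exists", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32.dll;
            # legitimate use is rare, so each listed DLL gets its own finding.
            for dll in body[len("AppInit_DLLs:"):].split():
                how = "bare name, resolved via the DLL search path" if "\\" not in dll else "explicit path"
                findings.append(Finding(sec, f"AppInit_DLLs loads {dll} ({how})", line))
        elif sec == "O23":
            reasons = []
            if _TEMP_RE.search(body):
                reasons.append("service binary lives in a Temp directory")
            if body.endswith("(file missing)"):
                reasons.append("service points at a file that no longer exists")
            if reasons:
                findings.append(Finding(sec, "; ".join(reasons), line))
    return findings


def flagged_lines(log_text):
    """Unique log lines that produced at least one finding, in log order."""
    seen = []
    for f in triage(log_text):
        if f.entry not in seen:
            seen.append(f.entry)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```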

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:40:33, on 03/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe

D:\FREEDO~1\fdm.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: pvfwnn.dll smuwtr.dll c:\windows\system32\zamopage.dll

O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll

O23 - Service: McAfee Application Installer Cleanup (0034251238712769) (0034251238712769mcinstcleanup) - Unknown owner - C:\DOCUME~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE (file missing)

O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32aspnet_state (clr_optimization_v2.0.50727_32aspnet_state) - Unknown owner - C:\WINDOWS\TEMP\9C.tmp.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Windows Media Player Network Sharing Service WMPNetworkSvcMcNASvc (WMPNetworkSvcMcNASvc) - Unknown owner - C:\WINDOWS\TEMP\26.tmp.exe (file missing)

--

End of file - 8944 bytes


  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\zamopage.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


GMER 1.0.15.14966 - http://www.gmer.net

Rootkit scan 2009-04-03 08:19:35

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB2D2C44A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB2D2C4E1]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2D2C3F8]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB2D2C40C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2D2C4F5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2D2C521]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB2D2C58F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB2D2C579]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB2D2C48A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB2D2C5BB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB2D2C4CD]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2D2C3D0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2D2C3E4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB2D2C45E]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2D2C5F7]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB2D2C563]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB2D2C54D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB2D2C50B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2D2C5E3]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB2D2C5CF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2D2C436]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2D2C422]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB2D2C537]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB2D2C4B9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB2D2C5A5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB2D2C4A0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB2D2C474]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B2D2C478 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B2D2C44E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B2D2C48E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B2D2C4A4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B2D2C462 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B2D2C3D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B2D2C3E8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B2D2C426 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B2D2C410 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 1 Byte [E9]

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B2D2C3FC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B2D2C43A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B2D2C4BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B2D2C551 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B2D2C53B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B2D2C5A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B2D2C567 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B2D2C50F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B2D2C4E5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B2D2C4F9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B2D2C525 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B2D2C593 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B2D2C57D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B2D2C4D1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B2D2C5FB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B2D2C5D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B2D2C5E7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B2D2C5BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0000

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E0076

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E0F81

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E0F9E

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E005B

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E004A

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E00A4

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E0087

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E0F15

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E0F26

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010E00D3

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 010E0FC3

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 010E0FE5

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 010E0F5C

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeW 7C82F0C5 3 Bytes JMP 010E0FD4

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeW + 4 7C82F0C9 1 Byte [84]

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 010E001B

.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 010E0F37

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00070FAF

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00070040

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00070FC0

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00070FDB

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0007002F

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00070000

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00070F8D

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [27, 88]

.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00070F9E

.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F9C

.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060027

.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD2

.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0006000C

.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FC1

.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FEF

.text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FE5

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40000

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40047

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40036

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40F5C

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40F79

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40FA8

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40069

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40058

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40EEB

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E40084

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E40EDA

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E40025

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E40FE5

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E40F2D

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E40FB9

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E40FD4

.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E40F06

.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E30036

.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E30087

.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E30025

.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E30FEF

.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E30FC0

.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E30000

.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E30062

.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E30051

.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD0FAF

.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD0FCA

.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD0029

.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD0FEF

.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD003A

.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD0018

.text C:\WINDOWS\system32\lsass.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC0FEF

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10000

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B10F48

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B10047

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10F6D

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10F94

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10FC0

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10EFF

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F26

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10EDD

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B10EEE

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B10087

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B10FAF

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B10011

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B10F37

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B10022

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B10FD1

.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B10062

.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B0001B

.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B0007D

.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B00000

.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B00FD4

.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B0006C

.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B00FEF

.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B0005B

.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B00036

.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0FB2

.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0033

.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF0018

.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0FEF

.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0FCD

.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0FDE

.text C:\WINDOWS\system32\svchost.exe[900] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE0FEF

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20000

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D20F80

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20075

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D20F9B

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D20FB6

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20047

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D20090

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D20F54

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D20F12

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D20F23

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D200BC

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D20058

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D20FE5

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D20F65

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D2002C

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D2001B

.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D200A1

.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D1002F

.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D10FB2

.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D10FD4

.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D10FE5

.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D1006F

.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D10000

.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D1004A

.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D10FC3

.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00049

.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00038

.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FE3

.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D0000C

.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00FC8

.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D0001D

.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0FE5

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 032E0FEF

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 032E0F59

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 032E0F7E

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 032E0058

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 032E0FA5

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 032E0036

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 032E0F2D

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 032E0F3E

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 032E0EE6

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 032E0EF7

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 032E0ED5

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 032E0047

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 032E0FCA

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 032E0069

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 032E001B

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 032E0000

.text C:\WINDOWS\System32\svchost.exe[1084] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 032E0F12

.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 032C0FB9

.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 032C0051

.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 032C0FCA

.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 032C0FE5

.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 032C0F94

.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 032C0000

.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 032C0036

.text C:\WINDOWS\System32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 032C0025

.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02DC002C

.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 02DC0011

.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02DC0FAB

.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02DC0FEF

.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02DC0000

.text C:\WINDOWS\System32\svchost.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02DC0FC6

.text C:\WINDOWS\System32\svchost.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02DB0000

.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 032D0000

.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 032D0011

.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 032D0FDB

.text C:\WINDOWS\System32\svchost.exe[1084] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 032D0FCA

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00940FEF

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00940F68

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0094005D

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00940F83

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00940F94

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00940036

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0094009F

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00940084

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009400CB

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00940F32

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 009400E6

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00940FAF

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00940FDE

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00940F57

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00940025

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00940014

.text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 009400B0

.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00930040

.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00930098

.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00930FE5

.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00930011

.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00930087

.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00930000

.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0093006C

.text C:\WINDOWS\System32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0093005B

.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920F9C

.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FB7

.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092001D

.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FE3

.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FC8

.text C:\WINDOWS\System32\svchost.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0092000C

.text C:\WINDOWS\System32\svchost.exe[1136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E70000

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E7006C

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E7005B

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E70040

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E70F83

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E70F9E

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E700B3

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E70098

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E700D8

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E70F3F

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E70F2E

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E70025

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E70FE5

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E7007D

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E70FB9

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E70FCA

.text C:\WINDOWS\System32\svchost.exe[1288] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E70F50

.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E50FC0

.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E50058

.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E50011

.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E50FE5

.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E50F9B

.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E50000

.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E5003D

.text C:\WINDOWS\System32\svchost.exe[1288] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E50022

.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40F9A

.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40025

.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E4000A

.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40FE3

.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40FB5

.text C:\WINDOWS\System32\svchost.exe[1288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40FD2

.text C:\WINDOWS\System32\svchost.exe[1288] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FE5

.text C:\WINDOWS\System32\svchost.exe[1288] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00E60000

.text C:\WINDOWS\System32\svchost.exe[1288] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00E60011

.text C:\WINDOWS\System32\svchost.exe[1288] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00E6002C

.text C:\WINDOWS\System32\svchost.exe[1288] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00E6003D

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015D000A

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015D0F8A

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015D0FA5

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015D0073

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015D0FB6

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015D0FE5

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015D0F5E

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015D009A

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015D00DC

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015D0F4D

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 015D0F28

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 015D0062

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 015D001B

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 015D0F6F

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 015D0047

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 015D0036

.text C:\WINDOWS\Explorer.EXE[1648] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 015D00CB

.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BF0FB9

.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BF0F94

.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BF0FD4

.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BF0FEF

.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BF005B

.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BF0000

.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BF0040

.text C:\WINDOWS\Explorer.EXE[1648] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BF0025

.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F9F

.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FB0

.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FD2

.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000

.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FC1

.text C:\WINDOWS\Explorer.EXE[1648] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3

.text C:\WINDOWS\Explorer.EXE[1648] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C0000A

.text C:\WINDOWS\Explorer.EXE[1648] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C00025

.text C:\WINDOWS\Explorer.EXE[1648] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C00036

.text C:\WINDOWS\Explorer.EXE[1648] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C00FE5

.text C:\WINDOWS\Explorer.EXE[1648] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0FEF

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00880FEF

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00880F83

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00880078

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00880067

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00880FA8

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00880040

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00880F4B

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00880093

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008800C2

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00880F1F

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00880F0E

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00880FB9

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0088000A

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00880F68

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00880FD4

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00880025

.text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00880F30

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0087002C

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00870051

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0087001B

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00870FE5

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00870F8A

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00870000

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00870F9B

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [A7, 88]

.text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00870FC0

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00860F92

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 00860FAD

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0086001D

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0086000C

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00860FBE

.text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00860FEF

.text C:\WINDOWS\system32\svchost.exe[1740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00850FEF

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1996] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 004C0000

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 004C0089

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 004C0078

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 004C0F94

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 004C0051

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 004C0FC0

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 004C0F43

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 004C0F5E

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 004C0F0D

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 004C0F28

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 004C0EFC

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 004C0FA5

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 004C0011

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 004C0F79

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 004C0FD1

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 004C0022

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 004C00A6

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 004B0FB9

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 004B0F83

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 004B0FCA

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 004B0FDB

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 004B0040

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 004B0000

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 004B002F

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 004B0F9E

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 004A0049

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!system 77C293C7 5 Bytes JMP 004A0FC8

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 004A0FD9

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 004A0000

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 004A0038

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 004A0011

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01970FE5

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01970000

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01970FC0

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenUrlW 780BAEB9 3 Bytes JMP 01970FAF

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] WININET.dll!InternetOpenUrlW + 4 780BAEBD 1 Byte [89]

.text C:\Program Files\Internet Explorer\iexplore.exe[2528] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01F1000A

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F9E

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0FAF

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A007D

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FCA

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0051

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00C6

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00B5

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F48

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00E1

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F37

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A006C

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FEF

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A00A4

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0040

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0025

.text C:\WINDOWS\System32\svchost.exe[3100] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F63

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290025

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290054

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290014

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FDE

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F97

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FA8

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [49, 88]

.text C:\WINDOWS\System32\svchost.exe[3100] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FB9

.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E004C

.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E003B

.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FD2

.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF

.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FC1

.text C:\WINDOWS\System32\svchost.exe[3100] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E000C

.text C:\WINDOWS\System32\svchost.exe[3100] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FE5

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 02000000-03F5A000 (32874496 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060a6bc9b

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060a6bc9b

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Gary Riggs\Local Settings\Temporary Internet Files\Content.IE5\1KUNEOJV\load[1].htm 1 bytes

File C:\System Volume Information\_restore{28A7C03F-B41F-4A1E-B01B-6C7E3093A7BE}\RP441\A0101416.ini 12401 bytes

File C:\System Volume Information\_restore{28A7C03F-B41F-4A1E-B01B-6C7E3093A7BE}\RP441\A0101417.ini 16713 bytes

---- EOF - GMER 1.0.15 ----

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Here you go:

ComboFix 09-04-01.01 - Gary Riggs 2009-04-03 17:54:14.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1601 [GMT 1:00]

Running from: c:\documents and settings\Gary Riggs\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CLR_OPTIMIZATION_V2.0.50727_32ASPNET_STATE

-------\Legacy_NPF

-------\Legacy_WMPNETWORKSVCMCNASVC

-------\Service_clr_optimization_v2.0.50727_32aspnet_state

-------\Service_WMPNetworkSvcMcNASvc

((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))

.

2009-04-02 23:58 . 2009-04-02 23:58 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore

2009-04-02 23:54 . 2009-04-02 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-04-02 23:54 . 2009-04-03 17:57 6,425 --a------ c:\windows\system32\Config.MPF

2009-04-02 23:52 . 2009-04-02 23:52 <DIR> d-------- c:\program files\McAfee.com

2009-04-02 23:52 . 2009-04-02 23:54 <DIR> d-------- c:\program files\McAfee

2009-04-02 23:52 . 2009-04-02 23:52 <DIR> d-------- c:\program files\Common Files\McAfee

2009-04-02 23:52 . 2008-10-23 13:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys

2009-04-02 23:52 . 2009-01-16 20:04 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys

2009-04-02 23:52 . 2009-01-16 20:04 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys

2009-04-02 23:52 . 2009-01-16 20:04 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys

2009-04-02 23:50 . 2009-01-16 20:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys

2009-04-02 23:48 . 2009-04-02 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee

2009-04-02 22:59 . 2009-04-02 22:59 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll

2009-04-02 22:57 . 2009-04-02 22:58 <DIR> d-------- c:\windows\ERUNT

2009-04-02 22:54 . 2009-04-02 23:32 <DIR> d-------- C:\SDFix

2009-03-31 17:48 . 2009-03-31 17:48 <DIR> d-------- c:\documents and settings\Gary Riggs\Application Data\Malwarebytes

2009-03-31 17:48 . 2009-03-31 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-31 17:48 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-31 17:48 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-31 11:49 . 2009-03-31 11:49 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-03-31 11:49 . 2009-03-31 11:49 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-03-31 11:49 . 2009-03-31 11:49 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-03-31 11:49 . 2009-03-31 11:49 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2009-03-30 22:47 . 2009-01-09 20:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

2009-03-30 22:35 . 2009-03-30 22:44 <DIR> d-------- c:\windows\SxsCaPendDel

2009-03-30 19:46 . 2009-03-30 19:46 <DIR> d-------- c:\program files\Trend Micro

2009-03-30 19:10 . 2009-03-30 19:10 <DIR> d-------- C:\VundoFix Backups

2009-03-26 23:09 . 2009-03-31 18:26 <DIR> d-------- c:\program files\Mozilla Firefox1

2009-03-23 12:44 . 2009-03-23 12:46 <DIR> d-------- c:\windows\NV21802184.TMP

2009-03-16 19:10 . 2009-04-03 17:46 <DIR> d-------- c:\documents and settings\Gary Riggs\Tracing

2009-03-16 19:09 . 2009-03-16 19:09 <DIR> d-------- c:\program files\Windows Live SkyDrive

2009-03-16 19:09 . 2009-03-16 19:09 <DIR> d-------- c:\program files\Microsoft

2009-03-16 19:07 . 2009-03-16 19:07 <DIR> d-------- c:\program files\Common Files\Windows Live

2009-03-15 22:11 . 2008-04-14 01:12 91,136 --a------ c:\windows\system32\kswdmcap.ax

2009-03-15 22:11 . 2008-04-14 01:12 91,136 --a--c--- c:\windows\system32\dllcache\kswdmcap.ax

2009-03-15 22:11 . 2008-04-14 01:12 61,952 --a------ c:\windows\system32\kstvtune.ax

2009-03-15 22:11 . 2008-04-14 01:12 61,952 --a--c--- c:\windows\system32\dllcache\kstvtune.ax

2009-03-15 22:11 . 2008-04-14 01:12 53,760 --a------ c:\windows\system32\vfwwdm32.dll

2009-03-15 22:11 . 2008-04-14 01:12 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll

2009-03-15 22:11 . 2008-04-14 01:12 43,008 --a------ c:\windows\system32\ksxbar.ax

2009-03-15 22:11 . 2008-04-14 01:12 43,008 --a--c--- c:\windows\system32\dllcache\ksxbar.ax

2009-03-15 22:09 . 2007-04-23 20:37 141,582 --------- c:\windows\system32\drivers\NVCAP.SYS

2009-03-15 22:09 . 2007-04-23 20:37 29,696 --------- c:\windows\system32\FILTER.AX

2009-03-15 22:09 . 2007-04-23 20:37 16,496 --------- c:\windows\system32\drivers\NVXBAR.SYS

2009-03-15 22:08 . 2009-03-15 22:08 7,252 --a------ c:\windows\system32\d3d9caps.dat

2009-03-15 22:05 . 2009-03-15 22:10 <DIR> d-------- c:\windows\NV7161104.TMP

2009-03-15 21:09 . 2009-03-15 21:10 <DIR> d-------- c:\windows\NV25242640.TMP

2009-03-06 20:40 . 2009-03-06 20:45 189,496 --a------ c:\windows\system32\PnkBstrB.xtr

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-03 16:55 --------- d-----w c:\documents and settings\Gary Riggs\Application Data\Free Download Manager

2009-04-02 21:14 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-04-02 19:39 --------- d-----w c:\documents and settings\Gary Riggs\Application Data\OpenOffice.org2

2009-03-31 10:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-28 19:05 --------- d-----w c:\program files\Java

2009-03-16 18:09 --------- d-----w c:\program files\Windows Live

2009-03-15 21:09 --------- d--h--w c:\program files\InstallShield Installation Information

2009-03-15 20:09 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-03-15 20:09 --------- d-----w c:\program files\AGEIA Technologies

2009-02-18 14:44 6,308,224 ----a-w c:\windows\system32\drivers\nv4_mini.sys

2008-12-25 12:29 22,328 ----a-w c:\documents and settings\Gary Riggs\Application Data\PnkBstrK.sys

.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 11:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2008-06-20 11:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys

2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys

2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys

2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys

2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys

2008-04-13 20:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys

2008-06-20 12:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys

2008-06-20 12:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys

2004-08-04 08:56 111104 4126d27cece4471e00e425411f7306b5 c:\windows\$NtServicePackUninstall$\wuauclt.exe

2008-04-14 01:12 111104 ed7262e52c31cf1625b65039102bc16c c:\windows\ServicePackFiles\i386\wuauclt.exe

2008-10-16 15:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\wuauclt.exe

2008-10-16 15:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

"CTHelper"="CTHELPER.EXE" [2006-08-17 c:\windows\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE]

"nwiz"="nwiz.exe" [2009-02-18 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 12:05 356352 D:\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-06-27 19:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=3 (0x3)

"ANIWZCSdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"f:\\fear\\FEAR.exe"=

"f:\\battlefield 2\\BF2.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"d:\\yahoo\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"f:\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"=

"f:\\farcry2\\Far Cry 2\\bin\\FarCry2.exe"=

"f:\\farcry2\\Far Cry 2\\bin\\FC2Launcher.exe"=

"f:\\farcry2\\Far Cry 2\\bin\\FC2Editor.exe"=

"f:\\Steam\\steamapps\\[email protected]\\garrysmod\\hl2.exe"=

"f:\\steam\\Steam.exe"=

"f:\\cod4\\iw3mp.exe"=

"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"f:\\cod wow\\CoDWaW.exe"=

"f:\\cod wow\\CoDWaWmp.exe"=

"f:\\steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"f:\\steam\\steamapps\\common\\left 4 dead\\srcds.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;D:\SASDIFSV.SYS [2008-12-22 9968]

R1 SASKUTIL;SASKUTIL;D:\SASKUTIL.SYS [2008-12-22 55024]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-04-02 203280]

S2 0034251238712769mcinstcleanup;McAfee Application Installer Cleanup (0034251238712769);c:\docume~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\GARYRI~1\LOCALS~1\Temp\003425~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S3 SASENUM;SASENUM;D:\SASENUM.SYS [2008-12-22 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\AUTORUN.EXE

.

Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\GoogleUpdateTaskUser.job

- c:\documents and settings\Gary Riggs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []

2009-04-02 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

2009-04-02 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NVIDIA nTune - c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Download all with Free Download Manager - file://d:\free download manager\dlall.htm

IE: Download selected with Free Download Manager - file://d:\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://d:\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://d:\free download manager\dllink.htm

DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.0.6/img/NetCamPlayerWeb11g.ocx

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-03 17:57:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1202660629-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:de,5c,d3,12,c2,92,76,ee,3a,fe,93,57,82,b3,5e,dd,29,0c,b9,7a,8e,34,e5,

20,6b,cd,50,58,50,f2,af,f3,9d,88,2b,a2,1a,be,84,91,4e,5c,c8,82,5e,43,b9,84,\

"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1085031214-1202660629-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:3a,b2,57,12,f6,36,17,22,15,0b,34,66,65,8c,8f,a6,82,91,c7,bf,b1,

ce,71,0f,6c,3e,f7,17,93,03,e7,84,98,d6,c5,d8,d1,d6,79,3a,a4,db,c1,2a,c2,a3,\

"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)

D:\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\progra~1\MICROS~3\rapimgr.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2009-04-03 17:59:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-03 16:59:18

Pre-Run: 39,866,888,192 bytes free

Post-Run: 40,028,983,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

254 --- E O F --- 2009-03-11 00:09:57

Hopefully looking a bit better!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:06:47, on 04/04/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

D:\yahoo\Messenger\YahooMessenger.exe

D:\opera\opera.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} (NetCamPlayerWeb11g Control) - http://192.168.0.6/img/NetCamPlayerWeb11g.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188423228997

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.dll

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

End of file - 8275 bytes

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
