
Plz help WIN32.TDSS.rtk



memojoey
2009-05-05, 17:31
I have scanned and scanned and the problems keep reappearing. They affect my internet by redirecting me on Google searches. I have tried Spybot and Malwarebytes and McAfee, and they all cannot help. The things that keep appearing on Spybot scans are DNSFlush.cws, Microsoft.Windows.Explorer, Microsoft.WindowsSecurityCenter.RegistryTools and Win32.TDSS.rtk.
Please help me get rid of them.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:56 AM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\NETGEAR\WN121T\wn121t.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [SpybotDeletingA237] command /c del "C:\WINDOWS\system32\ovfsthcniqjngjbgeemhdtqnphdvsukjdtoqnp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC989] cmd /c del "C:\WINDOWS\system32\ovfsthcniqjngjbgeemhdtqnphdvsukjdtoqnp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3097] command /c del "C:\WINDOWS\system32\ovfsthcrhrbacmpqnwhocujenowyckpomutblu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1435] cmd /c del "C:\WINDOWS\system32\ovfsthcrhrbacmpqnwhocujenowyckpomutblu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3419] command /c del "C:\WINDOWS\system32\ovfsthcniqjngjbgeemhdtqnphdvsukjdtoqnp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1989] cmd /c del "C:\WINDOWS\system32\ovfsthcniqjngjbgeemhdtqnphdvsukjdtoqnp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2642] command /c del "C:\WINDOWS\system32\ovfsthcrhrbacmpqnwhocujenowyckpomutblu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9423] cmd /c del "C:\WINDOWS\system32\ovfsthcrhrbacmpqnwhocujenowyckpomutblu.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227038454296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c98d39594f9f94) (gupdate1c98d39594f9f94) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 12593 bytes

ken545
2009-05-05, 19:59
Hi

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


You have a Rootkit Infection.

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double-click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log.



Reboot your system and run GMER

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.


Post the Malwarebytes log, the GMER log and a new HJT log, please.

memojoey
2009-05-06, 03:20
Here are the three things you asked for. The GMER log was too big, so I had to attach it in two replies.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:30 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\NETGEAR\WN121T\wn121t.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Joel\Desktop\Clean Up\gmer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227038454296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c98d39594f9f94) (gupdate1c98d39594f9f94) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 11233 bytes




Malwarebytes' Anti-Malware 1.36
Database version: 2079
Windows 5.1.2600 Service Pack 3

5/5/2009 3:50:35 PM
mbam-log-2009-05-05 (15-50-35).txt

Scan type: Quick Scan
Objects scanned: 90799
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\afnoinkdsfe.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\afnoinkdsfe.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joel\Local Settings\Temp\3931127796.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.
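
The two HijackThis logs in this thread (the first with the O2/O22 entries still present, the second taken after Malwarebytes ran) are the kind of thing a helper reads by eye. What follows is an added example written for this page; it is not part of HijackThis, Spybot, Malwarebytes or the posters' own steps. It does the same triage in Python: it parses the R/O entries, flags the patterns visible in the first log (a BHO and a SharedTaskScheduler entry that point at the same randomly named DLL and share one CLSID, an entry whose file is already gone, Spybot's pending RunOnce del commands), and diffs the two logs case-insensitively so the qttask.exe/QTTask.exe spelling difference between them is not reported as a change. The sample lines are excerpts copied from the logs posted above; the rule names and the "five non-vowels in a row" threshold are this example's own assumptions, not anything HJT computes.

```python
"""Triage a HijackThis (HJT) log and diff it against a later one.

Added example for this thread; not HijackThis, Spybot or Malwarebytes code.
Sample logs are excerpts copied from the two HJT logs posted in the thread.
The scoring rules below are heuristics (assumptions of this example) and
will flag some unusual but legitimate software; treat hits as leads.
"""
import re

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|bat)(?:_old)?', re.I)
VOWELS = set("aeiou")


def parse(log_text):
    """Return (type, body) for every R*/O* line; process list and headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["type"], m["body"]))
    return entries


def longest_consonant_run(token):
    """Longest run of letters/digits that are not vowels, case-insensitive."""
    best = run = 0
    for ch in token.casefold():
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name):
    """True for names like 'afnoinkdsfe.dll' or 'jso8joigm409gopgmrlgd'.
    Threshold (>= 5 non-vowels in a row, stem >= 8 chars) is an assumption."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 8 and longest_consonant_run(stem) >= 5


def triage(entries):
    """Return (reason, type, body) findings for one log."""
    clsid_types = {}  # CLSID -> set of entry types it appears under
    for etype, body in entries:
        for c in CLSID_RE.findall(body):
            clsid_types.setdefault(c.upper(), set()).add(etype)

    findings = []
    for etype, body in entries:
        low = body.casefold()
        if "(no file)" in low or "(file missing)" in low:
            findings.append(("target file missing", etype, body))
        if etype == "O4" and "runonce" in low and re.search(r"\bdel\b", low):
            findings.append(("RunOnce delete pending", etype, body))
        if etype in ("O2", "O22"):
            # body is '<label>: <name> - {CLSID} - <path>'; test the name and each file basename
            name = body.split(": ", 1)[-1].split(" - ", 1)[0]
            candidates = [name] + PATH_RE.findall(body)
            if any(looks_random(c.rsplit("\\", 1)[-1]) for c in candidates):
                findings.append(("random-looking name", etype, body))
            if any(len(clsid_types[c.upper()]) > 1 for c in CLSID_RE.findall(body)):
                findings.append(("CLSID shared across entry types", etype, body))
    return findings


def diff(before, after):
    """Entries present in only one log, compared case-insensitively because
    Windows paths are (qttask.exe and QTTask.exe are the same file)."""
    key = lambda e: (e[0], e[1].casefold())
    b = {key(e): e for e in before}
    a = {key(e): e for e in after}
    return [b[k] for k in b if k not in a], [a[k] for k in a if k not in b]


def summarise(before_text, after_text):
    before, after = parse(before_text), parse(after_text)
    removed, added = diff(before, after)
    return {"findings_before": triage(before), "findings_after": triage(after),
            "removed": removed, "added": added}


# Excerpts from the first HJT log in the thread (before the MBAM run).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA237] command /c del "C:\WINDOWS\system32\ovfsthcniqjngjbgeemhdtqnphdvsukjdtoqnp.dll_old"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Excerpts from the second HJT log (after the MBAM run).
LOG_AFTER = r"""
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

if __name__ == "__main__":
    s = summarise(LOG_BEFORE, LOG_AFTER)
    for reason, etype, body in s["findings_before"]:
        print(f"[{reason}] {etype} - {body}")
    print(f"\n{len(s['removed'])} entries gone after cleanup, {len(s['added'])} new")
```

Run as a script it prints the flagged entries from the first log and the diff against the second. Every rule is a heuristic, so a hit is a lead to verify (vendor, signature, whether the file exists on disk), not a verdict, and the x10nets "file missing" hit is the usual stale-service noise rather than an infection. The diff shows the O2 entry and both O22 entries gone after the MBAM run, which matches the second log posted; a missing HJT line only shows that the user-mode autostart is gone and says nothing about kernel-level components, which is what the GMER scan the helper asked for is meant to reveal.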

memojoey
2009-05-06, 03:21
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-05 18:14:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x63 ? 8A15AF00
INT 0x73 ? 8A15AF00
INT 0x73 ? 8A15AF00
INT 0x82 ? 8A369BF8
INT 0x83 ? 8A369BF8
INT 0x83 ? 8A369BF8
INT 0x83 ? 8A15AF00
INT 0x83 ? 8A369BF8
INT 0xB4 ? 8A15AF00

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA975E4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA975E581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA975E498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA975E4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA975E595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA975E5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA975E634]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA975E619]
Code 8A14B708 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA975E52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA975E65E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA975E56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA975E470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA975E484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA975E4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA975E69A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA975E603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA975E5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA975E5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA975E686]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA975E672]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA975E4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA975E4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA975E5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA975E559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA975E648]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA975E540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA975E514]
Code 8A14B676 IofCallDriver
Code 8A14B62E IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 8A14B67B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 8A14B633
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP A975E518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP A975E571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP A975E5F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP A975E4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP A975E4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP A975E585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP A975E69E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP A975E638 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP A975E474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP A975E502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP A975E5DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP A975E544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP A975E52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 8A14B70C
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP A975E4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP A975E55D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP A975E488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP A975E662 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP A975E61D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP A975E5C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP A975E599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP A975E49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP A975E4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D9DA 7 Bytes JMP A975E64C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E300 7 Bytes JMP A975E607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP A975E5AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 5 Bytes JMP A975E676 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F0DC 5 Bytes JMP A975E68A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? sphe.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9D748AC 5 Bytes JMP 8A15A4E0

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0118000A
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01180F77
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01180F88
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01180062
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01180FA5
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01180FC0
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011800A2
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01180091
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011800C4
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011800B3
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01180F10
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01180047
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0118001B
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01180F66
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01180FD1
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0118002C
.text C:\WINDOWS\system32\services.exe[680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01180F35
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01170FEF
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01170FBC
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01170036
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0117001B
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01170FCD
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01170000
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01170FDE
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [37, 89]
.text C:\WINDOWS\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01170065
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0116008B
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!system 77C293C7 5 Bytes JMP 01160070
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0116003A
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01160000
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0116004B
.text C:\WINDOWS\system32\services.exe[680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0116001D
.text C:\WINDOWS\system32\services.exe[680] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F68
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F83
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F4005D
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40F94
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F4002C
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F28
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F43
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400AD
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F4009C
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F40EF9
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40FA5
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F4006E
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\lsass.exe[692] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F4008B
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F30F9E
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30014
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F3005B
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F3004A
.text C:\WINDOWS\system32\lsass.exe[692] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30FB9
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F2003D
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F2002C
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20FE3
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F20FC6
.text C:\WINDOWS\system32\lsass.exe[692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\lsass.exe[692] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F1000A
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F10F7C
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F10FA1
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F1006F
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F10FB2
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F10FD4
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F100C4
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F1009D
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F10101
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F100F0
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F10112
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F10FC3
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F1001B
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F1008C
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F10040
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F100D5
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0FBC
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0065
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0FCD
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FDE
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0054
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EF0039
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0028
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0031
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0020
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FC1
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0FA6
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0FD2
.text C:\WINDOWS\system32\svchost.exe[864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[864] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[864] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\svchost.exe[864] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\svchost.exe[864] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00F00FC0
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F6F
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40064
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40F8A
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40047
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F4002C
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F400B7
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F4009C
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40F39
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40F4A
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F400F7
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F40FA5
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F40011
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F4007F
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F40FC0
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F40FD1
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F400C8
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20040
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20F83
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F20F94
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [12, 89]
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20FA5
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F1005D
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10FD2
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FE3
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F1000C
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10038
.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F1001D
.text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00F30011
.text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00F30022
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 021E0000
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 021E00B1
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 021E00A0
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 021E0079
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 021E005E
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 021E0039
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 021E00F8
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 021E00DD
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021E011D
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 021E0F84
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 021E012E
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 021E0FBC
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 021E0FEF
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 021E00CC
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 021E0FCD
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 021E0FDE
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 021E0F95
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02000047
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02000FB6
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02000036
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0200001B
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02000073
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02000000
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02000FD1
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [20, 8A]
.text C:\WINDOWS\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02000058
.text C:\WINDOWS\System32\svchost.exe[1032] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01FF0051
.text C:\WINDOWS\System32\svchost.exe[1032] msvcrt.dll!system 77C293C7 5 Bytes JMP 01FF0FBC
.text C:\WINDOWS\System32\svchost.exe[1032] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01FF0022
.text C:\WINDOWS\System32\svchost.exe[1032] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01FF0000
.text C:\WINDOWS\System32\svchost.exe[1032] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01FF0FD7
.text C:\WINDOWS\System32\svchost.exe[1032] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01FF0011
.text C:\WINDOWS\System32\svchost.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01FE0FEF
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02010FE5
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02010FD4
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02010FB9
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 0201000A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F66
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A1005B
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A1004A
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10F8D
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A1001E
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A1008E
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A1007D
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10F06
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100A9
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A100C4
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10039
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A1006C
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FA8
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FC3
.text C:\WINDOWS\System32\svchost.exe[1164] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10F2B
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0014
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F004D
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F0FC3
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F0FDE
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0F86
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009F0F97
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BF, 88]
.text C:\WINDOWS\System32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0FA8
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E003B
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0FA6
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FD2
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E0000
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E0FC1
.text C:\WINDOWS\System32\svchost.exe[1164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E0FE3
.text C:\WINDOWS\System32\svchost.exe[1164] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660000
.text C:\WINDOWS\System32\svchost.exe[1164] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\System32\svchost.exe[1164] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\System32\svchost.exe[1164] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\System32\svchost.exe[1164] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00A00014
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60082
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C6005D
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60F83
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60F94
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60036
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C600BF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C600AE
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60F37
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C600DA
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60F1C
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60FAF
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C6000A
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60093
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60FCA
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C6001B
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C60F5C
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C4002F
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C40062
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C40FDE
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40014
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C40051
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C40040
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30F8B
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30F9C
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FC8
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FAD
.text C:\WINDOWS\System32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C3000C
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660FEF
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C50014
.text C:\WINDOWS\System32\svchost.exe[1220] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00C50FC3
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009F0089
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009F0F9E
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009F0078
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009F005B
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009F002F
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009F0F6D
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009F00B5
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009F00F2
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009F00E1
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009F0103
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009F004A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009F009A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009F0FC3
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009F0FD4
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009F00C6
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00900FE5
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00900098
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00900036
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0090001B
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0090007D
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0090006C
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0090005B
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008F0036
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!system 77C293C7 5 Bytes JMP 008F0FA1
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008F0FC6
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008F0011
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008F0000
.text C:\WINDOWS\System32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00910000
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00910FE5
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0091001B
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00910FD4

memojoey
2009-05-06, 03:22
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01690000
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01690F55
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01690F70
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01690F81
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0169004A
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01690FC3
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01690071
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01690F29
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01690EFD
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01690096
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01690ED8
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01690FA8
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0169001B
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01690F44
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01690FD4
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01690FE5
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01690F0E
.text C:\WINDOWS\Explorer.EXE[2104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01670025
.text C:\WINDOWS\Explorer.EXE[2104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01670062
.text C:\WINDOWS\Explorer.EXE[2104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01670FCA
.text C:\WINDOWS\Explorer.EXE[2104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0167000A
.text C:\WINDOWS\Explorer.EXE[2104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01670051
.text C:\WINDOWS\Explorer.EXE[2104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01670FEF
.text C:\WINDOWS\Explorer.EXE[2104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01670036
.text C:\WINDOWS\Explorer.EXE[2104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01670FAF
.text C:\WINDOWS\Explorer.EXE[2104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01660FA1
.text C:\WINDOWS\Explorer.EXE[2104] msvcrt.dll!system 77C293C7 5 Bytes JMP 0166002C
.text C:\WINDOWS\Explorer.EXE[2104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01660011
.text C:\WINDOWS\Explorer.EXE[2104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01660000
.text C:\WINDOWS\Explorer.EXE[2104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01660FBC
.text C:\WINDOWS\Explorer.EXE[2104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01660FD7
.text C:\WINDOWS\Explorer.EXE[2104] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01680FEF
.text C:\WINDOWS\Explorer.EXE[2104] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01680000
.text C:\WINDOWS\Explorer.EXE[2104] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01680011
.text C:\WINDOWS\Explorer.EXE[2104] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 01680FC0
.text C:\WINDOWS\Explorer.EXE[2104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02910FE5
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0087
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B006C
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B005B
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B004A
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B001E
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F5A
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00A2
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F2E
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F3F
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00E2
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B002F
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F77
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FBC
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FCD
.text C:\WINDOWS\System32\svchost.exe[2820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00BD
.text C:\WINDOWS\System32\svchost.exe[2820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\System32\svchost.exe[2820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0076
.text C:\WINDOWS\System32\svchost.exe[2820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\System32\svchost.exe[2820] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A001B
.text C:\WINDOWS\System32\svchost.exe[2820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\System32\svchost.exe[2820] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\System32\svchost.exe[2820] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0051
.text C:\WINDOWS\System32\svchost.exe[2820] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0040
.text C:\WINDOWS\System32\svchost.exe[2820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0F9C
.text C:\WINDOWS\System32\svchost.exe[2820] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F0FAD
.text C:\WINDOWS\System32\svchost.exe[2820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F0FD2
.text C:\WINDOWS\System32\svchost.exe[2820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0000
.text C:\WINDOWS\System32\svchost.exe[2820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F0027
.text C:\WINDOWS\System32\svchost.exe[2820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F0FE3
.text C:\WINDOWS\System32\svchost.exe[2820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00670FEF
.text C:\WINDOWS\System32\svchost.exe[2820] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[2820] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[2820] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\System32\svchost.exe[2820] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 006C0FC3
.text C:\WINDOWS\system32\SearchIndexer.exe[3004] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F3D
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0028
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F4E
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F6B
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FA1
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F11
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F22
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F00
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B008F
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0EEF
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F90
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B004D
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FBC
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FCD
.text C:\WINDOWS\system32\wuauclt.exe[4052] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0074
.text C:\WINDOWS\system32\wuauclt.exe[4052] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FAB
.text C:\WINDOWS\system32\wuauclt.exe[4052] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\wuauclt.exe[4052] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD7
.text C:\WINDOWS\system32\wuauclt.exe[4052] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[4052] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FBC
.text C:\WINDOWS\system32\wuauclt.exe[4052] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\wuauclt.exe[4052] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4052] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[4052] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B002C
.text C:\WINDOWS\system32\wuauclt.exe[4052] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[4052] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[4052] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[4052] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0051
.text C:\WINDOWS\system32\wuauclt.exe[4052] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[4052] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0FEF

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A36B2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7508C4C] sphe.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7508CA0] sphe.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] sphe.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D813C] sphe.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D80BE] sphe.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D87FC] sphe.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D86D2] sphe.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A15A5E0

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A3681F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 894951F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{57F88C5C-270D-4E7E-B4E0-7369158A6505} 898FC1F8

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A111500
Device \Driver\usbuhci \Device\USBPDO-1 8A111500
Device \Driver\usbuhci \Device\USBPDO-2 8A111500
Device \Driver\usbuhci \Device\USBPDO-3 8A111500
Device \Driver\usbehci \Device\USBPDO-4 8A1F91F8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A3D81F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\Ftdisk \Device\HarddiskVolume2 8A3D81F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\Cdrom \Device\CdRom0 8A0DC500
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A3D81F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

Device \Driver\Cdrom \Device\CdRom1 8A0DC500
Device \Driver\Cdrom \Device\CdRom2 8A0DC500
Device \Driver\USBSTOR \Device\00000069 898E31F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 898FC1F8
Device \Driver\NetBT \Device\NetbiosSmb 898FC1F8

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8A111500
Device \Driver\USBSTOR \Device\0000006c 898E31F8
Device \Driver\USBSTOR \Device\0000006d 898E31F8
Device \Driver\usbuhci \Device\USBFDO-1 8A111500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898F41F8
Device \Driver\usbuhci \Device\USBFDO-2 8A111500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 898F41F8
Device \Driver\usbuhci \Device\USBFDO-3 8A111500
Device \Driver\usbehci \Device\USBFDO-4 8A1F91F8
Device \Driver\Ftdisk \Device\FtControl 8A3D81F8
Device \FileSystem\Fastfat \Fat 894951F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 898E7500

---- EOF - GMER 1.0.15 ----
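
An added example, not part of memojoey's log and not code from GMER: the Python script below parses the `.text` inline-hook lines and the kernel `IAT` lines in the format GMER prints above, groups them per process or driver, and separates hooks that GMER attributed to a module on disk (the trailing path and publisher, as with MSSRCH.DLL in SearchIndexer.exe and SHW32.DLL in Hotsync.exe) from hooks whose JMP target it could not attribute to any loaded module (the lines that simply end at the target address, as in svchost.exe[1480], Explorer.EXE[2104] and wuauclt.exe[4052]). The sample input embedded in the script is a constructed excerpt in that format, made from lines taken from the log above; the class, function and field names (`Hook`, `parse_line`, `triage` and so on) are this example's own, not GMER's.

```python
"""Triage of GMER hook lines: which processes/drivers are hooked, and whether
each hook target could be attributed to a module on disk.

Added example for this thread; not part of the posted log or of GMER itself.
Function, class and field names are assumptions made for this example."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# '.text <image>[<pid>] <dll>!<export>[ + off] <addr> <n> Bytes JMP <target> [<owner path (desc)>]'
USER_HOOK = re.compile(
    r"^\.text (?P<subject>.+?)\[(?P<pid>\d+)\] "
    r"(?P<api>\S+!\S+(?: \+ \d+)?) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<size>\d+) Bytes (?:JMP|CALL) (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<owner>\S.*))?$"
)
# 'IAT <driver>[<module>!<import>] [<target>] <owner>'  or  'IAT <driver>[<module>!<import>] <target>'
KERNEL_IAT = re.compile(
    r"^IAT (?P<subject>\S+)\[(?P<api>[^\]]+)\] "
    r"(?:\[(?P<target>[0-9A-Fa-f]+)\] (?P<owner>\S.*)|(?P<target_only>[0-9A-Fa-f]+))$"
)


@dataclass(frozen=True)
class Hook:
    space: str            # "user" for a .text inline hook, "kernel" for a driver IAT entry
    subject: str          # hooked process image or driver
    pid: Optional[int]    # None for kernel entries
    api: str              # "module!export" that was hooked
    target: int           # address the hook transfers control to
    owner: Optional[str]  # module GMER attributed the target to; None when unattributed

    @property
    def page(self) -> int:
        """4 KiB page holding the hook target; unattributed hooks cluster in a few pages."""
        return self.target >> 12


def parse_line(line: str) -> Optional[Hook]:
    m = USER_HOOK.match(line)
    if m:
        return Hook("user", m["subject"], int(m["pid"]), m["api"],
                    int(m["target"], 16), m["owner"])
    m = KERNEL_IAT.match(line)
    if m:
        return Hook("kernel", m["subject"], None, m["api"],
                    int(m["target"] or m["target_only"], 16), m["owner"])
    return None  # section headers, Device/AttachedDevice lines, blanks, other hook styles


def parse_log(text: str) -> list[Hook]:
    return [h for h in map(parse_line, text.splitlines()) if h is not None]


def unattributed(hooks: list[Hook]) -> list[Hook]:
    """Hooks whose target GMER could not map to any module: the ones to investigate first."""
    return [h for h in hooks if h.owner is None]


def by_subject(hooks: list[Hook]) -> dict[str, dict]:
    """Per process/driver: hooked APIs, unattributed-hook count and the pages they jump into."""
    out = defaultdict(lambda: {"hooked": [], "anonymous": 0, "pages": set()})
    for h in hooks:
        key = f"{h.subject}[{h.pid}]" if h.pid is not None else h.subject
        out[key]["hooked"].append(h.api)
        if h.owner is None:
            out[key]["anonymous"] += 1
            out[key]["pages"].add(h.page)
    return dict(out)


def triage(text: str) -> dict:
    hooks = parse_log(text)
    return {"total": len(hooks), "unattributed": len(unattributed(hooks)),
            "subjects": by_subject(hooks)}


# Constructed sample in GMER's format: lines taken from the log in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00900FE5
.text C:\WINDOWS\System32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\Explorer.EXE[2104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01690EFD
.text C:\WINDOWS\system32\SearchIndexer.exe[3004] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Palm\Hotsync.exe[3496] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] sphe.sys
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A36B2D8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A3681F8
"""

if __name__ == "__main__":
    for subject, info in triage(SAMPLE_LOG)["subjects"].items():
        pages = ", ".join(f"{p:05X}xxx" for p in sorted(info["pages"]))
        print(f"{subject}: {len(info['hooked'])} hooks, {info['anonymous']} unattributed"
              + (f" -> pages {pages}" if pages else ""))
```

Run it against the whole log with `triage(open("gmer.log").read())`. In the log above, the 36 hooks in svchost.exe[1480] all resolve into just five 4 KiB pages (009F0xxx, 00900xxx, 008F0xxx, 008E0xxx, 00910xxx), one per hooked DLL, and none of those pages belongs to a module GMER could name; the hooked set (CreateFile*, CreateProcess*, LoadLibrary*, GetProcAddress, the Reg*Key* family, socket and InternetOpen*) is what a component that hides files and registry keys and steers network traffic would need. The attribution column alone is not a verdict: the MSSRCH.DLL and SHW32.DLL hooks are named, so the script reports them without flagging them, and the atapi.sys import hooks are attributed to sphe.sys, a driver file that should itself be identified before anything is removed.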

ken545
2009-05-06, 04:07
Hello,

C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.
This is troubling, you can possibly be infected with Virut; we need to dig deeper to see.


Do this first...Important

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect

Please do not proceed until the TeaTimer is disabled




Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

memojoey
2009-05-06, 09:27
ComboFix 09-05-05.03 - Joel 05/06/2009 0:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1048 [GMT -7:00]
Running from: c:\documents and settings\Joel\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joel\Application Data\inst.exe
c:\windows\system32\drivers\ovfsthnelfyxrhsyqmyxivrcbtpxrdufikdnfn.sys
c:\windows\system32\ovfsthcniqjngjbgeemhdtqnphdvsukjdtoqnp.dll
c:\windows\system32\ovfsthcrhrbacmpqnwhocujenowyckpomutblu.dll
c:\windows\system32\ovfsthibovyhcqduaqtyagrdltonbawlkmrlha.dll
c:\windows\system32\ovfsthklfwyhvqiqsiodltwdlqpqiawbkxobqo.dat
c:\windows\system32\ovfsthntovolpmvikcwybdstbytrjqwxjwnxro.dat
I:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthfwesubebrsqdfklbcqukhuuivumsojfc
-------\Legacy_WINDRIVER
-------\Service_WinDriver


((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-05 06:01 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-05 06:01 . 2009-05-05 06:01 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-05 06:01 . 2009-05-05 06:01 -------- d-----w c:\program files\Avira
2009-04-26 04:31 . 2009-04-26 04:31 -------- d-----w c:\documents and settings\All Users\Application Data\U3
2009-04-26 02:38 . 2009-04-26 02:38 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-24 01:46 . 2009-04-24 01:46 -------- d-----w c:\documents and settings\Joel\Application Data\Logitech
2009-04-24 01:41 . 2007-11-15 17:06 301656 ----a-w c:\windows\system32\BtCoreIf.dll
2009-04-24 01:41 . 2007-11-15 17:07 170512 ----a-w c:\windows\system32\kemutb.dll
2009-04-24 01:41 . 2007-11-15 17:07 76304 ----a-w c:\windows\system32\KemXML.dll
2009-04-24 01:41 . 2007-11-15 17:07 117264 ----a-w c:\windows\system32\KemWnd.dll
2009-04-24 01:41 . 2007-11-15 17:07 141840 ----a-w c:\windows\system32\KemUtil.dll
2009-04-24 01:41 . 2009-04-24 01:46 -------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-04-24 01:41 . 2009-04-24 01:46 -------- d-----w c:\program files\Common Files\Logishrd
2009-04-24 01:40 . 2009-04-24 01:40 -------- d-----w c:\program files\Logitech
2009-04-24 01:40 . 2009-04-24 01:40 -------- d-----w c:\documents and settings\Joel\Application Data\InstallShield
2009-04-24 01:40 . 2009-04-24 01:40 -------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2009-04-18 16:01 . 2009-04-18 16:04 -------- d-----w c:\documents and settings\Joel\Application Data\VTExtra
2009-04-18 15:58 . 2009-04-18 16:03 -------- d-----w c:\documents and settings\Joel\Local Settings\Application Data\VTShared
2009-04-18 15:58 . 2009-04-18 17:02 -------- d-----w c:\documents and settings\Joel\Local Settings\Application Data\GoldenCasino
2009-04-18 00:53 . 2009-04-18 17:01 -------- d-----w c:\documents and settings\Joel\Application Data\USBlackjack
2009-04-15 14:59 . 2009-04-15 14:59 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-15 01:50 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 01:50 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 01:50 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 01:50 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 01:50 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 01:50 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 01:50 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 01:50 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 01:50 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 01:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 01:45 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 17:25 . 2009-04-10 17:25 -------- d-----w c:\program files\iPod
2009-04-10 17:25 . 2009-04-10 17:26 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 17:25 . 2009-04-10 17:26 -------- d-----w c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 21:58 . 2008-11-22 10:07 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 15:03 . 2008-11-22 18:06 -------- d-----w c:\program files\CCleaner
2009-04-24 01:42 . 2009-04-24 01:42 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-04-24 01:41 . 2008-11-18 18:54 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 00:48 . 2008-11-20 00:52 -------- d-----w c:\program files\PokerStars.NET
2009-04-20 17:06 . 2008-11-18 19:09 -------- d-----w c:\program files\McAfee
2009-04-16 16:29 . 2009-03-18 17:38 5 ----a-w c:\windows\sbacknt.bin
2009-04-16 16:25 . 2009-03-18 17:37 152904 ----a-w c:\windows\system32\vghd.scr
2009-04-16 15:28 . 2008-11-22 10:15 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 05:05 . 2008-11-20 00:00 -------- d-----w c:\program files\DVDFab Platinum 3
2009-04-10 17:25 . 2008-11-19 02:58 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 22:32 . 2008-11-22 10:07 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-11-22 10:08 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 16:34 . 2008-12-11 02:58 -------- d-----w c:\program files\Java
2009-04-02 07:28 . 2008-11-19 03:19 247632 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 17:37 . 2008-11-24 07:46 -------- d-----w c:\program files\Google
2009-03-25 18:06 . 2008-11-18 19:10 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-11-18 19:10 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-11-18 19:10 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-11-18 19:10 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-11-18 19:10 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-24 07:11 . 2009-03-24 07:11 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-19 23:32 . 2008-11-19 03:07 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 07:57 . 2008-11-19 08:36 -------- d-----w c:\program files\Common Files\Adobe
2009-03-18 17:32 . 2009-03-18 17:31 -------- d-----w c:\program files\QuickTime
2009-03-13 22:13 . 2009-03-13 22:13 -------- d-----w c:\program files\Bonjour
2009-03-09 12:19 . 2008-12-11 02:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2003-07-16 20:41 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 19:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 20:33 . 2008-11-18 19:05 247632 ----a-w c:\documents and settings\Joel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2003-07-16 20:32 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-07-16 20:39 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-07-16 20:23 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-07-16 20:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-07-16 20:44 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-07-16 20:39 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-07-16 20:43 35328 ----a-w c:\windows\system32\sc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-12-01 69709]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-08-27 200704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-02-02 32768]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe" [2008-08-10 80368]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-02-02 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-2-1 32768]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
NETGEAR WN121T Smart Wizard.lnk - c:\program files\NETGEAR\WN121T\wn121t.exe [2007-9-14 1343488]
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2008-11-19 98304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 17:10 72208 ----a-w c:\program files\common files\logishrd\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Palm\\Hotsync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [11/23/2008 3:35 AM 20464]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [11/23/2008 3:35 AM 15856]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [11/23/2008 3:35 AM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [8/1/2008 12:59 PM 125424]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/4/2009 11:01 PM 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/19/2008 12:14 PM 210216]
S2 gupdate1c98d39594f9f94;Google Update Service (gupdate1c98d39594f9f94);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2009 10:42 AM 133104]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 1:25 AM 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 1:24 AM 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 1:24 AM 170480]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 1:25 AM 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [8/14/2008 1:23 AM 1124848]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f45ff8-b5a4-11dd-9365-e49c373c3195}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-12 07:39]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 17:42]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-11-18 17:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-11-18 17:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ATI Launchpad - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\Joel\Application Data\Mozilla\Firefox\Profiles\5ngymx4e.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Joel\Application Data\Mozilla\Firefox\Profiles\5ngymx4e.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 00:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1620)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-05-06 0:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 07:19

Pre-Run: 56,061,341,696 bytes free
Post-Run: 56,165,232,640 bytes free

267 --- E O F --- 2009-04-29 10:03
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:01 AM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\NETGEAR\WN121T\wn121t.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227038454296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c98d39594f9f94) (gupdate1c98d39594f9f94) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 11329 bytes

ken545
2009-05-06, 10:55
Good Morning,

Looks like Combofix removed some nasty stuff.

You have TWO ANTIVIRUS PROGRAMS INSTALLED
McAfee / Avira. This is not recommended, as they both use a huge amount of system resources, sometimes fight each other and can really slow down your system. Your call, but you need to uninstall one via the Add Remove Programs in the Control Panel.

I am still concerned about Malwarebytes finding one entry for Virut. Run this free online virus scanner; if it's present it will show up on the log. You have to update your Java first to have it run correctly. I have to warn you that this scan can take over an hour, so turn off your screensaver so it can run uninterrupted.


Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.

Java SE Runtime Environment (JRE) JRE 6 Update 13 <--This is what you need. The wording on the site is misleading, but this is the one you want.


Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)

Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.

memojoey
2009-05-06, 22:00
I think we are getting closer, but there is still that one item found by Kaspersky. Thank you for your help so far.

KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 6, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 06, 2009 20:06:02
Records in database: 2138404
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
G:\
I:\
Scan statistics
Files scanned 163977
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:50:53

File name Threat name Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ovfsthnelfyxrhsyqmyxivrcbtpxrdufikdnfn_.sys.zip Infected: Trojan.Win32.Tdss.zks 1
The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:23 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\NETGEAR\WN121T\wn121t.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe"
O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227038454296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c98d39594f9f94) (gupdate1c98d39594f9f94) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe
O23 - Service: Roxio Upnp Server 11 - Sonic Solutions - C:\Program Files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe
O23 - Service: LiveShare P2P Server 11 (RoxLiveShare11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe
O23 - Service: RoxMediaDB11 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe
O23 - Service: Roxio Hard Drive Watcher 11 (RoxWatch11) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 11001 bytes
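Helpers who read HijackThis logs like the one above look first at the O23 service entries: an owner of "Unknown owner" means HijackThis found no company name in the binary's version information, and "(file missing)" marks a registered service whose executable is gone. The following Python script is an added example written for this page (it is not code from the thread or from HijackThis); it parses O23 lines into fields and flags the ones a reviewer would want to check first. The `SAMPLE_LOG` lines, the service names in them and the user-writable path fragments used as a heuristic are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ServiceEntry:
    display_name: str          # name as shown in the Services console
    short_name: Optional[str]  # registry key name, when HijackThis prints it
    owner: str                 # company name from the file's version info
    path: str                  # image path of the service binary
    file_missing: bool         # HijackThis appended "(file missing)"


O23_LINE = re.compile(r"^O23 - Service: (.+)$")
# Trailing "(short name)" on the display-name part, e.g. "Foo Service (FooSvc)".
SHORT_NAME = re.compile(r"^(.*?)\s*\(([^()]+)\)$")
MISSING = "(file missing)"

# Path fragments that point at user-writable locations (assumed heuristic,
# not a HijackThis rule); a service binary living there deserves a look.
SUSPECT_PATH_FRAGMENTS = (
    "\\temp\\", "\\documents and settings\\", "\\users\\", "\\appdata\\",
)

# Constructed sample log, modelled on the O23/O16 line format above.
SAMPLE_LOG = r"""
O23 - Service: Example Vendor Service (ExSvc) - Example Vendor Inc. - C:\Program Files\Example\exsvc.exe
O23 - Service: Helper Service(HLP) (HelperSvc) - Unknown owner - C:\WINDOWS\system32\helpersvc.exe
O23 - Service: Old Remote Service (oldrem) - Unknown owner - C:\PROGRA~1\OLDREM\oldrem.exe (file missing)
O23 - Service: Dropper Service - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\svc.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/x.cab
""".strip()


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HijackThis O23 line; return None for any other line type."""
    m = O23_LINE.match(line.strip())
    if not m:
        return None
    # HijackThis joins the fields with " - "; split from the right so a
    # display name that itself contains " - " is not mistaken for the owner.
    parts = m.group(1).rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name_part, owner, path = (p.strip() for p in parts)
    file_missing = path.endswith(MISSING)
    if file_missing:
        path = path[: -len(MISSING)].strip()
    short_name = None
    sm = SHORT_NAME.match(name_part)
    if sm:
        name_part, short_name = sm.group(1), sm.group(2)
    return ServiceEntry(name_part, short_name, owner, path, file_missing)


def review_flags(entry: ServiceEntry) -> List[str]:
    """Reasons a reviewer should look at this service before trusting it."""
    flags = []
    if entry.file_missing:
        flags.append("binary missing: orphaned or already-removed service")
    if entry.owner == "Unknown owner":
        flags.append("no vendor name in version info: verify the file")
    low = entry.path.lower()
    if any(frag in low for frag in SUSPECT_PATH_FRAGMENTS):
        flags.append("runs from a user-writable location")
    return flags


def review_log(log_text: str) -> List[Tuple[ServiceEntry, List[str]]]:
    """Return every O23 service in the log that carries at least one flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        flags = review_flags(entry)
        if flags:
            flagged.append((entry, flags))
    return flagged


if __name__ == "__main__":
    for entry, flags in review_log(SAMPLE_LOG):
        print(f"{entry.display_name!r} ({entry.path}): {'; '.join(flags)}")
```

Note that "Unknown owner" alone is only a prompt to verify, not a verdict: the log above shows legitimate ATI, Roxio and McAfee services with that owner simply because the vendor left the company field out of the file's version resource. The flags narrow the list a human has to check; they do not replace checking it.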

ken545
2009-05-06, 22:33
memojoey,

Looking good. :bigthumb: I was concerned about Virut but it's not present :bigthumb:

The only thing Kaspersky found was the Rootkit Combofix removed, and it's sitting in the Quarantine folder; we will empty that out in a bit.

How are things running now??

memojoey
2009-05-07, 00:18
Things are much better! Thank you Ken. You saved me from having to reformat my hard drive. Should I leave TeaTimer inactive because I am only using McAfee now?

ken545
2009-05-07, 01:50
Hi,

This is what I would do; it's the way I have my systems set up.

Keep McAfee as your Anti Virus Program. Keep Spybot Search and Destroy but keep the TeaTimer disabled, because I am going to link you to free programs to install to help keep you more secure, and two of them basically do the same as the TeaTimer and they will conflict.

GMER <-- Drag it to the trash

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <-- Is not a general cleaning tool; just run it with supervision or you can bork your system.


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, select "2".

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

ken545
2009-05-11, 02:36
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.