View Full Version : Virtumonde Infection
Hi,
Last night, I noticed my browser was acting strange when all of the links on every page were going to the same couple of websites (which just showed ads). I ran Spybot S&D and Malwarebytes and they both identified Virtumonde and claim they deleted it. The problem went away after this.
But, I have noticed, that I am currently unable to do a system restore and I cannot enter safe mode (I get a BSOD when I try to do so). I don't know if these are related to this virus or not, but I suspect that they are.
Any help would be appreciated in trying to figure out if this thing has indeed been beat.
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:47 PM, on 9/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AstSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [symPCCheckup] "C:\WINDOWS\system32\Adobe\Shockwave 11\symcheckupstub.exe" /task /reboot
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\system32\AstSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 12053 bytes
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
I will be back as soon as possible with your first instructions!
Thanks for the reply km2357, I appreciate you taking the time to do this.
Looking forward to making sure that everything is gone.
Step # 1: Remove Hijackthis Entries
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
Step # 2 Download and run DDS
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Step # 3: Download and Run Gmer
Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Please post the results from the GMER scan in your reply.
In your next post/reply, I need to see the following:
1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log
Step 1:
This entry appears to be gone. It was not shown when I re-ran Hijackthis
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
Step 2:
DDS
DDS (Ver_09-07-30.01) - NTFSx86
Run by Bradley at 14:20:55.21 on Tue 09/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2551 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AstSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bradley\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\bradley\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\docume~1\bradley\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\bradley\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\bradley\applic~1\mozilla\firefox\profiles\wa2vaw0y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
============= SERVICES / DRIVERS ===============
R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-6-19 128000]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-13 28544]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-19 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-6-26 353672]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-19 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-27 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-19 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-19 34248]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]
=============== Created Last 30 ================
2009-09-15 08:56 229,888 a------- c:\windows\PEV.exe
2009-09-15 08:56 161,792 a------- c:\windows\SWREG.exe
2009-09-15 08:56 98,816 a------- c:\windows\sed.exe
2009-09-15 08:56 <DIR> --d----- C:\ComboFix
2009-09-15 08:54 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-09-14 16:28 <DIR> --d----- C:\VundoFix Backups
2009-09-14 14:58 <DIR> --d----- C:\$AVG8.VAULT$
2009-09-14 14:50 <DIR> --d----- c:\program files\AVG
2009-09-14 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-14 14:44 <DIR> --d----- c:\docume~1\bradley\applic~1\AVG8
2009-09-13 19:13 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-09-13 19:13 <DIR> --d----- c:\program files\Panda Security
2009-09-13 18:00 <DIR> a-dshr-- C:\cmdcons
2009-09-13 18:00 <DIR> --d----- c:\windows\setup.pss
2009-09-13 18:00 <DIR> --d----- c:\windows\setupupd
2009-09-13 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-13 16:40 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-13 16:40 <DIR> --d----- c:\docume~1\bradley\applic~1\SUPERAntiSpyware.com
2009-09-13 16:22 31,744 a------- c:\windows\system32\dllcache\wceusbsh.sys
2009-09-13 16:21 50,688 a------- c:\windows\system32\dllcache\umaxscan.dll
2009-09-13 16:20 36,640 a------- c:\windows\system32\dllcache\t2r4mini.sys
2009-09-13 16:19 35,913 a------- c:\windows\system32\dllcache\smcirda.sys
2009-09-13 16:18 17,280 a------- c:\windows\system32\dllcache\scr111.sys
2009-09-13 16:17 899,146 a------- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-13 16:16 25,216 a------- c:\windows\system32\dllcache\ovsound2.sys
2009-09-13 16:15 59,104 a------- c:\windows\system32\dllcache\n9i128v2.dll
2009-09-13 16:14 65,536 a------- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-09-13 16:13 13,056 a------- c:\windows\system32\dllcache\inport.sys
2009-09-13 16:12 13,312 a------- c:\windows\system32\dllcache\hpsjmcro.dll
2009-09-13 16:11 45,568 a------- c:\windows\system32\dllcache\esunib.dll
2009-09-13 16:10 229,462 a------- c:\windows\system32\dllcache\digifwrk.dll
2009-09-13 16:09 187,938 a------- c:\windows\system32\dllcache\c_20005.nls
2009-09-13 16:08 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-09-13 16:08 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-09-13 16:08 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-09-13 16:08 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-09-13 16:08 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-09-13 16:08 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-09-13 16:08 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-09-13 14:23 <DIR> --d----- c:\program files\Trend Micro
2009-09-13 09:14 161 a------- c:\windows\wininit.ini
2009-09-13 09:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-13 09:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-13 02:11 <DIR> --d----- c:\documents and settings\bradley\.housecall6.6
2009-09-13 01:51 <DIR> --d----- c:\docume~1\bradley\applic~1\Malwarebytes
2009-09-13 01:51 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 01:51 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-13 01:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 01:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-13 00:58 <DIR> --d----- c:\windows\pss
==================== Find3M ====================
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:27 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-10 08:45 103,509 a------- c:\windows\hpoins04.dat
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-22 02:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-06-21 17:44 153,088 a------- c:\windows\system32\dllcache\triedit.dll
2008-08-28 03:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat
============= FINISH: 14:21:13.95 ===============
Attach
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 6/26/2008 1:40:30 PM
System Uptime: 9/15/2009 12:43:55 PM (2 hours ago)
Motherboard: Dell Inc | | 0PP150
Processor: Intel Pentium III Xeon processor | Socket 775 | 3166/1333mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 462 GiB total, 430.914 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 9/15/2009 1:11:49 PM - System Checkpoint
==== Installed Programs ======================
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1.3
Adobe Shockwave Player 11.5
Advanced Find and Replace v4.2
AIM 6
AiO_Scan
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
BCL easyPDF Printer Driver 5.1
Bonjour
Browser Address Error Redirector
Call of Duty
Call of Duty - United Offensive
CCleaner (remove only)
Copy
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
CuteFTP 5.0 XP
Dell DataSafe Online
Dell System Restore
Director
DocProc
Documentation & Support Launcher
eFax Messenger
Games, Music, & Photos Launcher
Google Desktop
Google Talk (remove only)
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HP Unload DLL Patch
hpmdtab
HPSystemDiagnostics
InstantShare
Internet Service Offers Launcher
iTunes
Java(TM) 6 Update 5
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft FrontPage 2002
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.0.13)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
NVIDIA Drivers
NVIDIA Performance
NVIDIA System Monitor
oggcodecs 0.71.0946
overland
Paint Shop Pro 6.0 (CD-ROM)
Panda ActiveScan 2.0
PhotoGallery
PowerDVD
QFolder
QuickProjects
QuickTime
Realtek High Definition Audio Driver
RiskŪ
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Scan
SearchAssist
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SkinsHP1
SkinsHP2
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
TrayApp
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wmiiper
TurboTax 2008 wnciper
TurboTax 2008 wrapper
TurboTax Deluxe 2007
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Viewpoint Media Player
WebEx
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WinZip 12.1
ZoneAlarm
==== Event Viewer Messages From Past Week ========
9/15/2009 9:04:29 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
9/15/2009 8:59:23 AM, error: Service Control Manager [7034] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s).
9/15/2009 8:57:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/14/2009 12:13:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/14/2009 12:07:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
9/14/2009 12:05:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
9/14/2009 12:04:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/14/2009 12:04:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/14/2009 12:04:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss SASDIFSV SASKUTIL Tcpip vsdatant
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/14/2009 12:04:36 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/13/2009 4:23:53 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
9/13/2009 4:08:45 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
9/13/2009 11:44:08 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001EC93798BB has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
Step 3:
I will run GMER now.
==== End Of File ===========================
By the way, I previously mentioned that I was unable to boot up in SAFE mode. I am now able to do this.
GMER is running and I will post the log when it has completed.
Ok, post the GMER Log when its ready. :)
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B
Having two firewalls running at the same time can cause conflicts and possible crashes. Please remove/disable one of them.
Looking over your DDS Log, I see you recently downloaded/ran ComboFix. ComboFix should not be run unless specifically instructed to do so by a trained malware remover. If you did run ComboFix before I started helping, please post the ComboFix Log. You can find it at C:\ComboFix.txt
Do you have any thoughts on whether McAfee or ZoneAlarm would be a better firewall? Let me know and I will disable one of them.
I did run ComboFix earlier today and will post that log as well once GMER is done running. I'm all yours now, however, and promise not to run anything else without your instruction. :)
ComboFix 09-09-14.02 - Bradley 09/15/2009 8:57.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2753 [GMT -4:00]
Running from: c:\documents and settings\Bradley\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\0.mdd
c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\1.mdd
c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\2.mdd
c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\3.mdd
c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\4.mdd
c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\5.mdd
c:\docume~1\Bradley\LOCALS~1\Temp\wrd70774.~lk\6.mdd
c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\0.mdd
c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\1.mdd
c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\2.mdd
c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\3.mdd
c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\4.mdd
c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\5.mdd
c:\documents and settings\Bradley\Local Settings\Temp\wrd70774.~lk\6.mdd
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\28200b1.msi
.
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.
2009-09-15 12:54 . 2009-09-15 12:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-15 12:54 . 2009-09-15 12:54 -------- d-----w- c:\program files\Norton PC Checkup
2009-09-14 20:28 . 2009-09-14 20:28 -------- d-----w- C:\VundoFix Backups
2009-09-14 18:58 . 2009-09-14 18:58 -------- d-----w- C:\$AVG8.VAULT$
2009-09-14 18:50 . 2009-09-14 18:50 -------- d-----w- c:\program files\AVG
2009-09-14 18:50 . 2009-09-14 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-14 18:44 . 2009-09-14 18:44 -------- d-----w- c:\documents and settings\Bradley\Application Data\AVG8
2009-09-14 17:19 . 2009-09-14 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-14 17:18 . 2009-09-14 17:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-14 17:18 . 2009-09-14 17:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-14 16:20 . 2009-09-14 16:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-14 15:19 . 2009-09-14 15:38 -------- d-----w- c:\windows\BDOSCAN8
2009-09-13 23:13 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-13 23:13 . 2009-09-13 23:13 -------- d-----w- c:\program files\Panda Security
2009-09-13 20:40 . 2009-09-13 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 20:40 . 2009-09-13 20:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-13 20:40 . 2009-09-13 20:40 -------- d-----w- c:\documents and settings\Bradley\Application Data\SUPERAntiSpyware.com
2009-09-13 20:22 . 2008-04-13 18:45 31744 ----a-w- c:\windows\system32\dllcache\wceusbsh.sys
2009-09-13 20:21 . 2001-08-18 02:36 50688 ----a-w- c:\windows\system32\dllcache\umaxscan.dll
2009-09-13 20:20 . 2001-08-17 16:50 36640 ----a-w- c:\windows\system32\dllcache\t2r4mini.sys
2009-09-13 20:19 . 2001-08-17 16:10 35913 ----a-w- c:\windows\system32\dllcache\smcirda.sys
2009-09-13 20:18 . 2001-08-17 17:51 17280 ----a-w- c:\windows\system32\dllcache\scr111.sys
2009-09-13 20:17 . 2001-08-17 17:28 899146 ----a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-13 20:16 . 2001-08-17 18:05 25216 ----a-w- c:\windows\system32\dllcache\ovsound2.sys
2009-09-13 20:15 . 2001-08-18 02:36 59104 ----a-w- c:\windows\system32\dllcache\n9i128v2.dll
2009-09-13 20:14 . 2001-08-18 02:36 65536 ----a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-09-13 20:13 . 2004-08-04 10:00 8704 ----a-w- c:\windows\system32\dllcache\infoctrs.dll
2009-09-13 20:12 . 2001-08-18 02:36 13312 ----a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2009-09-13 20:11 . 2001-08-18 02:36 45568 ----a-w- c:\windows\system32\dllcache\esunib.dll
2009-09-13 20:10 . 2001-08-18 02:36 229462 ----a-w- c:\windows\system32\dllcache\digifwrk.dll
2009-09-13 20:09 . 2001-08-17 17:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-09-13 20:08 . 2004-08-04 10:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-09-13 20:08 . 2004-08-04 10:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-09-13 20:08 . 2004-08-04 10:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-09-13 20:08 . 2004-08-04 10:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-09-13 20:08 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-09-13 20:08 . 2004-08-04 10:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-09-13 20:02 . 2009-09-13 20:02 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-13 18:23 . 2009-09-13 18:23 -------- d-----w- c:\program files\Trend Micro
2009-09-13 13:02 . 2009-09-13 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 13:02 . 2009-09-13 13:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 06:32 . 2009-09-13 06:34 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-13 06:11 . 2009-09-13 23:07 -------- d-----w- c:\documents and settings\Bradley\.housecall6.6
2009-09-13 05:51 . 2009-09-13 05:51 -------- d-----w- c:\documents and settings\Bradley\Application Data\Malwarebytes
2009-09-13 05:51 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 05:51 . 2009-09-13 05:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 05:51 . 2009-09-13 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-13 05:51 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 20:39 . 2008-06-26 23:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-12 16:25 . 2008-06-27 02:39 -------- d-----w- c:\program files\Paint Shop Pro 6
2009-09-10 13:55 . 2009-08-09 01:33 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-03 11:14 . 2008-06-19 23:39 -------- d-----w- c:\program files\McAfee
2009-08-09 17:01 . 2008-06-19 23:46 30872 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 04:48 . 2009-08-09 04:48 -------- d-----w- c:\program files\MSBuild
2009-08-09 04:48 . 2009-08-09 04:48 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 03:53 . 2009-04-08 21:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-21 15:15 . 2008-06-19 23:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 16:32 . 2008-06-19 23:39 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 03:43 . 2004-08-11 22:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 12:45 . 2009-07-10 12:34 103509 ----a-w- c:\windows\hpoins04.dat
2009-07-08 17:44 . 2008-06-19 23:39 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:44 . 2008-06-19 23:39 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2008-06-19 23:39 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2008-06-19 23:39 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:43 . 2008-06-19 23:39 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-03 17:09 . 2004-08-11 22:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-04-02 17:52 . 2009-04-02 17:52 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-04-02 17:52 . 2009-04-02 17:52 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-10-26 184352]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-19 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-01-15 16855552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
c:\documents and settings\Jen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
c:\documents and settings\Bradley\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
OneNote Table Of Contents.onetoc2 [2009-6-22 3656]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-10 525640]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/13/2009 7:13 PM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/27/2008 1:40 AM 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-19 01:26]
2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-06-19 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Bradley\Application Data\Mozilla\Firefox\Profiles\wa2vaw0y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-DXDllRegExe - dxdllreg.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 09:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1372)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\AstSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-15 9:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 13:06
Pre-Run: 462,665,732,096 bytes free
Post-Run: 462,646,091,776 bytes free
256 --- E O F --- 2009-09-10 04:42
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-15 17:29:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Bradley\LOCALS~1\Temp\pxtdqpob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAB215FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAB212C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xAB22D170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xAB216580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xAB22A900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xAB22AB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xAB22EB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xAB216670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xAB213210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xAB22D9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xAB22D7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xAB22A280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xAB22DF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xAB22DF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xAB213070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xAB22C180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xAB22BF40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xAB22E6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xAB22E150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xAB215BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xAB22E540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xAB216190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xAB213440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xAB22D4E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xAB22B200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xAB22B080]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAB0F8625]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAB0F860F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAB0F8528]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAB0F8651]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAB0F856B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAB0F84FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAB0F868D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAB0F85F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAB0F85E3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAB0F84D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAB0F84C0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAB0F863B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAB0F853E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAB0F8512]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [80, 65, 21, AB, 00, A9, 22, ...]
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP AB0F8516 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP AB0F852C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP AB0F8542 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP AB0F8500 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP AB0F84C4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP AB0F84D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP AB0F85E7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP AB0F863F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP AB0F85FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 7 Bytes JMP AB0F8629 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 7 Bytes JMP AB0F8613 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP AB0F856F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP AB0F8691 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP AB0F8655 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? srescan.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90F79
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E9006E
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90047
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90036
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FAF
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90F41
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F68
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90F15
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E900AE
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E900BF
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90F94
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90093
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FDB
.text C:\WINDOWS\system32\svchost.exe[136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F26
.text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E80036
.text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E8008E
.text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80FE5
.text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80073
.text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E80062
.text C:\WINDOWS\system32\svchost.exe[136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80047
.text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70FA3
.text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70FBE
.text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E7001D
.text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E7002E
.text C:\WINDOWS\system32\svchost.exe[136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E7000C
.text C:\WINDOWS\system32\svchost.exe[136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE00B6
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE009B
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0080
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0054
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00FF
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE00E4
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F7A
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F8B
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F69
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE006F
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE00C7
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0039
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\svchost.exe[444] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F9C
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930F9E
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093002F
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FAF
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930F68
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930F8D
.text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FA6
.text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920031
.text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FC8
.text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FB7
.text C:\WINDOWS\system32\svchost.exe[444] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[444] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[444] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[444] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[444] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[444] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F35
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F50
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700C4
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700B3
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700DF
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0007007D
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700A2
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F61
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F7C
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006001E
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F9C
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FC1
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F8D
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80082
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F8005B
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F8004A
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80F9E
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800B8
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F800A7
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800E4
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800C9
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800F5
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80025
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F7C
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80014
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80FC3
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80F55
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70F91
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70058
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F70FC0
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [17, 89]
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70047
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60F99
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F6002E
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F6000C
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60FE3
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F6001D
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FD2
.text C:\WINDOWS\system32\lsass.exe[800] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AD0F37
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AD002C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AD0F5E
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AD001B
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AD000A
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AD006E
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AD0053
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AD0EFA
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AD0F0B
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AD00AE
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AD0F83
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AD0FD4
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AD0F1C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AD0F9E
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AD0FB9
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AD0089
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC0FB9
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC0F5E
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC0FCA
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC0F79
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0F94
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0061
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0050
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB002E
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB003F
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB001D
.text C:\WINDOWS\system32\svchost.exe[960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C8009D
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C8008C
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80FA8
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80051
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C800CE
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80F7C
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C80F5A
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C80F6B
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C80F49
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C80014
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C80F97
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C800DF
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70040
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70F97
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C7002F
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70014
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C70FB2
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70FC3
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70FDE
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60055
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FCA
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C6003A
.text C:\WINDOWS\system32\svchost.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C6001D
.text C:\WINDOWS\system32\svchost.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50000
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 038D0FEF
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 038D0062
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 038D0F77
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 038D0F88
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 038D0051
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 038D002C
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 038D008E
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 038D0F46
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 038D00A9
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 038D0F06
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 038D0EF5
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 038D0FAF
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 038D0000
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 038D007D
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 038D001B
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 038D0FCA
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 038D0F2B
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 038C000A
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 038C0F57
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 038C0FB9
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 038C0FD4
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 038C0F72
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 038C0FE5
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 038C0F83
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AC, 8B]
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 038C0FA8
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 038B0FC3
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 038B0058
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 038B0033
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 038B000C
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 038B0FDE
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 038B0FEF
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 038A0000
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 03890000
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 03890FEF
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 0389002F
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 03890040
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800073
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800058
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800F8A
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800F9B
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800047
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008000BC
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0080009F
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00800F34
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008000CD
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008000E8
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800FC0
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00800084
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800FDB
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0080002C
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00800F59
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0036
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F0F8A
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F0051
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007F0FAF
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9F, 88]
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0FCA
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E0049
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0038
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E001D
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E0FBE
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0FE3
.text C:\WINDOWS\system32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD009A
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD007D
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00C6
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD00B5
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00EB
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD0F52
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD0F37
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0058
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F8A
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F63
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC002F
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC005B
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0014
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0F9E
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0F7A
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0F8B
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0FC1
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FA6
.text C:\WINDOWS\system32\svchost.exe[1312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FD2
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BA000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0080
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A006F
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0054
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F6B
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00A7
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00D8
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F3F
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00E9
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FCD
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A002F
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0014
.text C:\WINDOWS\Explorer.EXE[2352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F5A
.text C:\WINDOWS\Explorer.EXE[2352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[2352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029005B
.text C:\WINDOWS\Explorer.EXE[2352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FCA
.text C:\WINDOWS\Explorer.EXE[2352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[2352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F9E
.text C:\WINDOWS\Explorer.EXE[2352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[2352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290036
.text C:\WINDOWS\Explorer.EXE[2352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290025
.text C:\WINDOWS\Explorer.EXE[2352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0036
.text C:\WINDOWS\Explorer.EXE[2352] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FAB
.text C:\WINDOWS\Explorer.EXE[2352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD7
.text C:\WINDOWS\Explorer.EXE[2352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[2352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FBC
.text C:\WINDOWS\Explorer.EXE[2352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0011
.text C:\WINDOWS\Explorer.EXE[2352] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[2352] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\Explorer.EXE[2352] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 002C0FCD
.text C:\WINDOWS\Explorer.EXE[2352] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 002C0FB2
.text C:\WINDOWS\Explorer.EXE[2352] WS2_32.dll!socket 71AB4211
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A008C
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0071
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002F
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00AE
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F66
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F41
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00E4
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00F5
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0040
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A009D
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00C9
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FD4
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290065
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029004A
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FC3
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E006B
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0050
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E002E
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E003F
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E001D
.text C:\WINDOWS\System32\svchost.exe[3420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0076
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0065
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F8B
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B004A
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00AE
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F66
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F3A
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F55
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F29
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0087
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00C9
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0049
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FC8
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A002E
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FD9
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A001D
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F61
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F7C
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FA8
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fastfat \Fat A8AA6D20
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- EOF - GMER 1.0.15 ----
I thought I already posted the second part of the GMER results, but I don't see them here, so here they are again:
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A008C
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0071
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002F
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00AE
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F66
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F41
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00E4
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00F5
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0040
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A009D
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00C9
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FD4
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290065
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029004A
.text C:\WINDOWS\System32\svchost.exe[3420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FC3
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E006B
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0050
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E002E
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E003F
.text C:\WINDOWS\System32\svchost.exe[3420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E001D
.text C:\WINDOWS\System32\svchost.exe[3420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0076
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0065
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F8B
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B004A
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00AE
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F66
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F3A
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F55
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F29
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0087
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00C9
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0049
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FC8
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A002E
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FD9
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A001D
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F61
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F7C
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FA8
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AB21AB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AB218E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AB21B260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AB21A930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fastfat \Fat A8AA6D20
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- EOF - GMER 1.0.15 ----
Do you have any thoughts on whether McAfee or ZoneAlarm would be a better firewall? Let me know and I will disable one of them.
I would go ahead and keep ZoneAlarm as your main firewall and go ahead and disable McAfee. I don't think you can uninstall the McAfee Firewall outright as it looks like it is part of McAfee SecurityCenter. And I don't you think you can uninstall McAfee's Firewall without uninstalling the AV part of McAfee as well.
I thought I already posted the second part of the GMER results, but I don't see them here, so here they are again:
You did get the end of the GMER log in Post #11 (http://forums.spybot.info/showpost.php?p=336487&postcount=11). No worries about posting it again. :)
Step # 1 Update Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u16 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
Java(TM) 6 Update 5
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.
Step # 2 Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose
In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose
Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO
Step # 3 Run Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.
Post the MalwareBytes' Log in your next post/reply.
I think that I have successfully disabled the McAfee Firewall so now Zone Alarm is the only firewall running. I left McAfee to be on for the virus scanning and other capabilities.
Step #1: I updated Java to 6u16.
Step #2: I ran CCleaner
Step #3: I ran Malwarebytes Quick Scan after updating the software and nothing was found. Log file is below:
Malwarebytes' Anti-Malware 1.41
Database version: 2809
Windows 5.1.2600 Service Pack 3
9/16/2009 6:50:54 AM
mbam-log-2009-09-16 (06-50-54).txt
Scan type: Quick Scan
Objects scanned: 109028
Time elapsed: 4 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Step # 1: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?
The computer appears to be running normally. I do not currently see any issues with it.
Below are the reports you requested.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 16, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 16, 2009 19:58:02
Records in database: 2836027
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Objects scanned: 99644
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:18:31
No threats found. Scanned area is clean.
Selected area has been scanned.
DDS (Ver_09-07-30.01) - NTFSx86
Run by Bradley at 15:42:20.03 on Wed 09/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2327 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AstSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Bradley\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\bradley\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\docume~1\bradley\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\bradley\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\docume~1\bradley\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\bradley\applic~1\mozilla\firefox\profiles\wa2vaw0y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-6-19 128000]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-13 28544]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-19 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-6-26 353672]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-19 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-27 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-19 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-19 34248]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]
=============== Created Last 30 ================
2009-09-16 07:28 <DIR> --d----- c:\program files\SpywareGuard
2009-09-16 07:19 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-16 06:36 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-16 06:36 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-15 08:56 229,888 a------- c:\windows\PEV.exe
2009-09-15 08:56 161,792 a------- c:\windows\SWREG.exe
2009-09-15 08:56 98,816 a------- c:\windows\sed.exe
2009-09-15 08:56 <DIR> --d----- C:\ComboFix
2009-09-15 08:54 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-09-14 16:28 <DIR> --d----- C:\VundoFix Backups
2009-09-14 14:58 <DIR> --d----- C:\$AVG8.VAULT$
2009-09-14 14:50 <DIR> --d----- c:\program files\AVG
2009-09-14 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-14 14:44 <DIR> --d----- c:\docume~1\bradley\applic~1\AVG8
2009-09-13 19:13 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-09-13 19:13 <DIR> --d----- c:\program files\Panda Security
2009-09-13 18:00 <DIR> a-dshr-- C:\cmdcons
2009-09-13 18:00 <DIR> --d----- c:\windows\setup.pss
2009-09-13 18:00 <DIR> --d----- c:\windows\setupupd
2009-09-13 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-13 16:40 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-13 16:40 <DIR> --d----- c:\docume~1\bradley\applic~1\SUPERAntiSpyware.com
2009-09-13 16:22 31,744 a------- c:\windows\system32\dllcache\wceusbsh.sys
2009-09-13 16:21 50,688 a------- c:\windows\system32\dllcache\umaxscan.dll
2009-09-13 16:20 36,640 a------- c:\windows\system32\dllcache\t2r4mini.sys
2009-09-13 16:19 35,913 a------- c:\windows\system32\dllcache\smcirda.sys
2009-09-13 16:18 17,280 a------- c:\windows\system32\dllcache\scr111.sys
2009-09-13 16:17 899,146 a------- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-13 16:16 25,216 a------- c:\windows\system32\dllcache\ovsound2.sys
2009-09-13 16:15 59,104 a------- c:\windows\system32\dllcache\n9i128v2.dll
2009-09-13 16:14 65,536 a------- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-09-13 16:13 13,056 a------- c:\windows\system32\dllcache\inport.sys
2009-09-13 16:12 13,312 a------- c:\windows\system32\dllcache\hpsjmcro.dll
2009-09-13 16:11 45,568 a------- c:\windows\system32\dllcache\esunib.dll
2009-09-13 16:10 229,462 a------- c:\windows\system32\dllcache\digifwrk.dll
2009-09-13 16:09 187,938 a------- c:\windows\system32\dllcache\c_20005.nls
2009-09-13 16:08 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-09-13 16:08 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-09-13 16:08 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-09-13 16:08 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-09-13 16:08 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-09-13 16:08 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-09-13 16:08 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-09-13 14:23 <DIR> --d----- c:\program files\Trend Micro
2009-09-13 09:14 161 a------- c:\windows\wininit.ini
2009-09-13 09:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-13 09:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-13 02:11 <DIR> --d----- c:\documents and settings\bradley\.housecall6.6
2009-09-13 01:51 <DIR> --d----- c:\docume~1\bradley\applic~1\Malwarebytes
2009-09-13 01:51 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 01:51 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-13 01:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 01:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-13 00:58 <DIR> --d----- c:\windows\pss
==================== Find3M ====================
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:27 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-10 08:45 103,509 a------- c:\windows\hpoins04.dat
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-22 02:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-06-21 17:44 153,088 a------- c:\windows\system32\dllcache\triedit.dll
2008-08-28 03:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat
============= FINISH: 15:42:42.46 ===============
I did have another question for you. Prior to working with you, I had run a number of scans on the computer. It did pick up a couple of things.
1. It found virtumonde in my system restore points. Presumably, this was when the computer took a snapshot of the system when the it was on the system. I turned off system restore and then turned it back on, rescanned and they didn't show up again.
2. The scans also picked up a bredolab virus in my Outlook Express "deleted items.dbx" file. I did some research and it looked like it could have been from an email that had it and was deleted. I deleted this file, rescanned and it was gone.
Any cause for concern with either of these?
Both Kaspersky and DDS Logs look good. :bigthumb:
1. It found virtumonde in my system restore points. Presumably, this was when the computer took a snapshot of the system when the it was on the system. I turned off system restore and then turned it back on, rescanned and they didn't show up again.
What you did when you turned off the System Restore and turned back on was flushing the bad/infected System Restore points out of the computer and when you turned SysRestore back on, you put a new, clean one in. Hence why it didn't show up in the scan again.
2. The scans also picked up a bredolab virus in my Outlook Express "deleted items.dbx" file. I did some research and it looked like it could have been from an email that had it and was deleted. I deleted this file, rescanned and it was gone.
Any cause for concern with either of these?
No cause for concern with this one as you deleted the e-mail/file that was causing the scans to pick up the virus. If there were more viruses in your e-mail, more than likely Kaspersky would have picked them up during its scan. It didn't, so you're good there.
Since you report no more problems, you are good to go. :)
You can delete the following files off of your computer:
DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /u & click OK
Empty your Recycle Bin.
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
This is a good time to clear your existing system restore points and establish a new clean restore point
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created..
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please checkHide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK
Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm) Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html) If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then doubleclick it. On the dropdown box, change the setting from automatic to manual. Click ok..
Use an alternative instant messenger program.Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
Sounds great.
km2357, I really appreciate you taking the time to assist me through this process. It's good to know that there are good people out there standing up for the good guys.
You're welcome. I'm glad I was able to help you out. :)
Good luck and safe surfing!