Browser Hijacked
eighteyedspy
2009-11-20, 04:26
I am pretty much having the same problem as everyone else that has posted. I keep getting redirected to whitepages, asklots, and a whole host of other useless junk sites. I have run spybot, spyware blaster, adaware, IObit, and a whole bunch of other stuff to no avail. This is my first time trying the forums so if I screw up, kindly slap me and I will try again. I have disabled my tea-timer, backed up with ERUNT and am now posting my HJT. Any help, I mean any, will be greatly appreciated.
Thanks.
9:24 PM 11/19/2009
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:18 PM, on 11/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\VeXpLite\MONLITE.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe
C:\VeXpLite\viritsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\hp\kbd\kbd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VeXpLite\MONLITE.EXE
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FBSMTWB; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.nickjr.com/playtime/shows/dora/games/dora_pyramid.jhtml"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Update Service (gupdate1c9e122120b6107) (gupdate1c9e122120b6107) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VirIT eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VeXpLite\viritsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 14228 bytes
Hi,
Please see this (http://www.besttechie.net/2009/11/02/iobit-caught-stealing-the-malwarebytes-anti-malware-database/#more-2384) regarding IObit.
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Download GMER (http://www.gmer.net) here by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the rootkit tab and then Scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log in your reply.
eighteyedspy
2009-11-24, 01:38
Hey,
Thanks for the response. Ran both apps, but did not see a file called attach.txt. Does dds cause the computer to reboot? Didn't know if that was normal or an error. I disabled scripting through McAfee so I hope it produces the info you need. I am posting the dds.txt log and the gmer log. I have to do two posts, one for each log because they contain too many characters. I know the holidays are coming up so I am in no hurry for a response. I am just grateful to be receiving help at all. Let me know if the logs I'm posting are no good or if you need any further info. Thanks again and Happy Holidays.
DDS (Ver_09-11-23.01) - NTFSx86
Run by The Coppola's at 15:49:25.54 on Mon 11/23/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.116 [GMT -5:00]
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\VeXpLite\MONLITE.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\VeXpLite\viritsvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\The Coppola's\Desktop\dds.scr
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
eighteyedspy
2009-11-24, 01:44
And the GMER (pt. 1)
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-23 18:32:07
Windows 6.0.6001 Service Pack 1
Running: jkgs2plg.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8BBA779E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8BBA7738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8BBA774C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8BBA77DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8BBA7710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8BBA7724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8BBA77B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8BBA778A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8BBA7776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8BBA780B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8BBA77F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8BBA77C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8BBA7762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 81E69190 5 Bytes JMP 8BBA77CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 8200ADD5 5 Bytes JMP 8BBA7766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82024F8A 5 Bytes JMP 8BBA780F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 820441D4 5 Bytes JMP 8BBA7728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82053B10 1 Byte [E9]
PAGE ntkrnlpa.exe!NtOpenProcess 82053B10 5 Bytes JMP 8BBA7714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8206674E 7 Bytes JMP 8BBA77E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82066DA5 5 Bytes JMP 8BBA77F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82068FB6 5 Bytes JMP 8BBA77A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82076674 5 Bytes JMP 8BBA777A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 820788CE 7 Bytes JMP 8BBA77B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 820D61AF 5 Bytes JMP 8BBA773C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 820D61FA 7 Bytes JMP 8BBA7750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 820D6CB7 5 Bytes JMP 8BBA778E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x82ACB02C]
.text ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\taskeng.exe[12] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[12] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\taskeng.exe[12] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[12] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\taskeng.exe[12] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\taskeng.exe[12] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\taskeng.exe[12] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\taskeng.exe[12] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\taskeng.exe[12] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\taskeng.exe[12] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Windows\system32\taskeng.exe[12] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Windows\Explorer.EXE[272] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 03820087
.text C:\Windows\Explorer.EXE[272] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 03820076
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 03820F12
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 038200B4
.text C:\Windows\Explorer.EXE[272] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 03820F82
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 03820036
.text C:\Windows\Explorer.EXE[272] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 0382005B
.text C:\Windows\Explorer.EXE[272] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 03820FAF
.text C:\Windows\Explorer.EXE[272] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 03820F67
.text C:\Windows\Explorer.EXE[272] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 03820F9E
.text C:\Windows\Explorer.EXE[272] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 03820FCA
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 03820F4C
.text C:\Windows\Explorer.EXE[272] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 03820EF7
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 0382001B
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 03820000
.text C:\Windows\Explorer.EXE[272] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 03820FE5
.text C:\Windows\Explorer.EXE[272] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 03820098
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 037D0FA1
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 037D0FC3
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 037D0000
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 037D0FB2
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 037D0F86
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 037D0025
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 037D0FEF
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 037D0FD4
.text C:\Windows\Explorer.EXE[272] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 037C004C
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!system 77518B63 5 Bytes JMP 037C0FB7
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 037C0FD2
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 037C000C
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 037C0027
.text C:\Windows\Explorer.EXE[272] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 037C0FEF
.text C:\Windows\Explorer.EXE[272] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 024F0FEF
.text C:\Windows\Explorer.EXE[272] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 024F000A
.text C:\Windows\Explorer.EXE[272] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 024F0025
.text C:\Windows\Explorer.EXE[272] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 024F0036
.text C:\Windows\Explorer.EXE[272] WS2_32.dll!socket 77B936D1 5 Bytes JMP 03830FEF
.text C:\Windows\system32\services.exe[704] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 006A0F6A
.text C:\Windows\system32\services.exe[704] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 006A00A6
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 006A0F3E
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 006A00D5
.text C:\Windows\system32\services.exe[704] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 006A005F
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 006A0FC0
.text C:\Windows\system32\services.exe[704] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 006A0F91
.text C:\Windows\system32\services.exe[704] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 006A0033
.text C:\Windows\system32\services.exe[704] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 006A007A
.text C:\Windows\system32\services.exe[704] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 006A0044
.text C:\Windows\system32\services.exe[704] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 006A0022
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 006A008B
.text C:\Windows\system32\services.exe[704] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 006A00F0
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 006A0011
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 006A0000
.text C:\Windows\system32\services.exe[704] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 006A0FDB
.text C:\Windows\system32\services.exe[704] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 006A0F59
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 005D0051
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 005D0FB9
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 005D0FEF
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 005D0040
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 005D0F9E
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 005D0FD4
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 005D000A
.text C:\Windows\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 005D0025
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 005C0055
.text C:\Windows\system32\services.exe[704] msvcrt.dll!system 77518B63 5 Bytes JMP 005C0044
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 005C0029
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 005C0FEF
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 005C0FD4
.text C:\Windows\system32\services.exe[704] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 005C000C
.text C:\Windows\system32\services.exe[704] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00570000
.text C:\Windows\system32\services.exe[704] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00570FE5
.text C:\Windows\system32\services.exe[704] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00570FD4
.text C:\Windows\system32\services.exe[704] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 0057001B
.text C:\Windows\system32\services.exe[704] WS2_32.dll!socket 77B936D1 5 Bytes JMP 006B000A
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 008B006C
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 008B0F30
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 008B0ED5
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 008B0EE6
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 008B0F5C
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 008B0FAF
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 008B0F79
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 008B0F94
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 008B0F41
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 008B0036
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 008B001B
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 008B0051
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetProcAddress 7795B8B6 2 Bytes JMP 008B0EB0
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetProcAddress + 3 7795B8B9 2 Bytes [F5, 88]
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 008B0FD4
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 008B0FEF
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 008B0000
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 008B0F0B
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 0015005B
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00150040
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00150FEF
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00150FB9
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00150076
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00150025
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 0015000A
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00150FD4
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00140F9F
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!system 77518B63 5 Bytes JMP 00140FB0
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00140FC1
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00140FEF
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00140016
.text C:\Windows\system32\lsass.exe[732] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00140FD2
.text C:\Windows\system32\lsass.exe[732] WS2_32.dll!socket 77B936D1 5 Bytes JMP 008C0FEF
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00130FEF
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 0013000A
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 0013001B
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00130FCA
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 000700BD
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00070098
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 000700E9
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 000700D8
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00070062
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00070036
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00070F88
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00070FC0
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00070073
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00070FAF
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00070047
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00070F6D
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00070104
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 0007000A
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00070025
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00070F52
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00090F90
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!system 77518B63 5 Bytes JMP 00090FAB
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00090011
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00090000
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00090FC6
.text C:\Windows\System32\svchost.exe[812] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00090FE3
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 000A0065
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 000A0FC3
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 000A0FEF
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 000A0054
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 000A008A
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 000A0014
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 000A0FDE
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 000A0025
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 0020000A
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00200025
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00200FEF
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00200FCA
.text C:\Windows\System32\svchost.exe[812] WS2_32.dll!socket 77B936D1 5 Bytes JMP 00C9000A
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 009E0087
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 009E0F4B
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 009E00B3
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 009E0F1C
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 009E0F66
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 009E0025
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 009E0F81
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 009E0FB9
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 009E0065
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 009E0F9E
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 009E0040
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 009E0076
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 009E00C4
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 009E0FD4
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 009E0FEF
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 009E000A
.text C:\Windows\system32\svchost.exe[908] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 009E0098
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 009C002E
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!system 77518B63 5 Bytes JMP 009C001D
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 009C000C
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 009C0FE3
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 009C0FB7
.text C:\Windows\system32\svchost.exe[908] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 009C0FD2
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 009D005B
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 009D0040
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 009D0FB9
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 009D0F94
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 009D0025
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 009D000A
.text C:\Windows\system32\svchost.exe[908] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 009D0FD4
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 009B0000
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 009B0011
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 009B0FE5
.text C:\Windows\system32\svchost.exe[908] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 009B002C
.text C:\Windows\system32\svchost.exe[908] WS2_32.dll!socket 77B936D1 5 Bytes JMP 009F0FEF
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\igfxpers.exe[968] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Windows\System32\igfxpers.exe[968] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Windows\System32\igfxpers.exe[968] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 00D00F32
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00D00F43
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00D0009A
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 00D00F03
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00D00F6F
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00D00FAF
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00D00053
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00D00025
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00D00F5E
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00D00036
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00D00F9E
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00D00078
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00D000B5
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00D00FD4
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00D00FEF
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00D0000A
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00D00089
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00CE0FBC
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!system 77518B63 5 Bytes JMP 00CE003D
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00CE0FD7
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00CE0000
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00CE002C
.text C:\Windows\system32\svchost.exe[984] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00CE0011
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00CF0F7C
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00CF0FA8
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00CF0FEF
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00CF0F8D
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00CF0F61
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00CF0FB9
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00CF0FCA
.text C:\Windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00CF0014
.text C:\Windows\system32\svchost.exe[984] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00CD0FEF
.text C:\Windows\system32\svchost.exe[984] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00CD000A
.text C:\Windows\system32\svchost.exe[984] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00CD0FDE
.text C:\Windows\system32\svchost.exe[984] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00CD0FC3
.text C:\Windows\system32\svchost.exe[984] WS2_32.dll!socket 77B936D1 5 Bytes JMP 00D50FEF
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 00DF0F0B
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00DF0F1C
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00DF00A2
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 00DF0091
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00DF0040
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00DF0014
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00DF002F
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00DF0F8D
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00DF0F41
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00DF0F72
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00DF0FA8
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00DF0051
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00DF0EFA
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00DF0FD4
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00DF0FEF
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00DF0FC3
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00DF0076
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00D40042
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system 77518B63 5 Bytes JMP 00D40FC1
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00D40027
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00D40000
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00D40FD2
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00D40FE3
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00D50FAF
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00D50040
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00D50000
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00D50051
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00D50F9E
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00D50025
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00D50FEF
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00D50FCA
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00930000
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 0093001B
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00930036
.text C:\Windows\System32\svchost.exe[1128] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 0093005B
.text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 77B936D1 5 Bytes JMP 01000FEF
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 00C1009C
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00C1008B
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00C100ED
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 00C100D2
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00C10070
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00C10033
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00C10055
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00C10FBD
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00C10F7B
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00C10F98
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00C10044
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00C10F60
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00C10F3B
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00C10011
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00C10000
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00C10022
.text C:\Windows\System32\svchost.exe[1192] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00C100B7
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 009F0FB7
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!system 77518B63 5 Bytes JMP 009F0042
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 009F001D
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 009F0000
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 009F0FD2
.text C:\Windows\System32\svchost.exe[1192] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 009F0FE3
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00C00065
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00C00043
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00C00FEF
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00C00054
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00C00FA8
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00C00FDE
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00C0000A
.text C:\Windows\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00C00FCD
.text C:\Windows\System32\svchost.exe[1192] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00990FE5
.text C:\Windows\System32\svchost.exe[1192] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00990FCA
.text C:\Windows\System32\svchost.exe[1192] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00990FB9
.text C:\Windows\System32\svchost.exe[1192] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 0099000A
.text C:\Windows\System32\svchost.exe[1192] WS2_32.dll!socket 77B936D1 5 Bytes JMP 00C20FE5
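Reading a GMER user-mode section like the one above by eye is slow: every process repeats the same block of hooked exports and the only things that vary are the process, the jump target and the occasional split patch. The parser below is an added example and is not part of the original post, nor GMER's own code. It assumes the row layout visible in the rows above (`.text <image>[pid] <module>!<export>[ + <offset>] <addr> <n> Bytes <patch>`), groups the rows per process, records which 64 KiB region each `JMP` lands in, flags patches that were written in fewer than five bytes or continued at a `+ N` offset, and then clusters processes by the set of exports hooked in them, which is one quick way to tell apart distinct hooking agents on the same machine. The sample rows are copied from the log above; the names `parse_hook_line`, `summarize` and `cluster_by_profile` are this example's own.

```python
"""Parse GMER user-mode hook rows and group them by process and hook profile.

Added example for reading the log posted above; not GMER's output format
specification, only what the rows on the page show.
"""
import re
from collections import defaultdict

# Assumed row layout (inferred from the rows in the post):
#   .text <image path>[<pid>] <module>!<export>[ + <offset>] <addr> <n> Byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<func>\S+?)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+([0-9A-Fa-f]{8})")
BYTES_RE = re.compile(r"^\[([0-9A-Fa-f ,]+)\]")

# Rows excerpted verbatim from the log above (constructed sample for this example).
SAMPLE_LOG = r"""
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 008B0ED5
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetProcAddress 7795B8B6 2 Bytes JMP 008B0EB0
.text C:\Windows\system32\lsass.exe[732] kernel32.dll!GetProcAddress + 3 7795B8B9 2 Bytes [F5, 88]
.text C:\Windows\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 0015005B
.text C:\Windows\system32\lsass.exe[732] WS2_32.dll!socket 77B936D1 5 Bytes JMP 008C0FEF
.text C:\Windows\system32\lsass.exe[732] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00130FEF
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[808] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 000700E9
.text C:\Windows\System32\svchost.exe[812] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00070104
.text C:\Windows\System32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 000A0065
.text C:\Windows\System32\svchost.exe[812] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 0020000A
.text C:\Windows\System32\svchost.exe[812] WS2_32.dll!socket 77B936D1 5 Bytes JMP 00C9000A
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\igfxpers.exe[968] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\igfxpers.exe[968] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Windows\System32\igfxpers.exe[968] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77518A47 3 Bytes JMP 00DD004E
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wsystem + 4 77518A4B 1 Byte [89]
""".strip().splitlines()


def parse_hook_line(line):
    """Return a dict for one hook row, or None if the line is not a hook row."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "image": m["image"], "pid": int(m["pid"]), "module": m["module"],
        "func": m["func"], "offset": int(m["offset"] or 0),
        "addr": int(m["addr"], 16), "nbytes": int(m["nbytes"]),
        "target": None, "bytes": [],
    }
    j = JMP_RE.match(m["patch"])
    if j:
        rec["target"] = int(j.group(1), 16)      # where the inline JMP lands
    else:
        b = BYTES_RE.match(m["patch"])
        if b:                                      # raw patched bytes, no decoded JMP
            rec["bytes"] = [x.strip().upper() for x in b.group(1).split(",")]
    return rec


def summarize(lines):
    """Group rows per pid: image name, hooked exports, JMP regions, split patches."""
    procs = {}
    for line in lines:
        rec = parse_hook_line(line)
        if rec is None:
            continue
        p = procs.setdefault(rec["pid"], {
            "image": rec["image"].rsplit("\\", 1)[-1],
            "hooks": set(), "jmp_regions": set(), "partial": set(),
        })
        key = f'{rec["module"]}!{rec["func"]}'
        p["hooks"].add(key)
        if rec["target"] is not None:
            # 64 KiB region of the trampoline: same region usually means the same
            # injected module or heap block is servicing the hooks.
            p["jmp_regions"].add(rec["target"] >> 16)
        # A continuation row at "+ N", or a JMP written in fewer than 5 bytes, means
        # the patch was split around existing instruction bytes; those entries deserve
        # a second look (overlapping hooks or an unusual prologue).
        if rec["offset"] or (rec["target"] is not None and rec["nbytes"] < 5):
            p["partial"].add(key)
    return procs


def cluster_by_profile(procs):
    """Map each distinct set of hooked exports to the processes carrying it.
    Processes hooked by the same agent tend to share one export set."""
    clusters = defaultdict(list)
    for pid, p in sorted(procs.items()):
        clusters[frozenset(p["hooks"])].append(f'{p["image"]}[{pid}]')
    return dict(clusters)


if __name__ == "__main__":
    procs = summarize(SAMPLE_LOG)
    for sig, members in cluster_by_profile(procs).items():
        print("profile:", ", ".join(sorted(sig)))
        for name in members:
            pid = int(name.rsplit("[", 1)[1].rstrip("]"))
            regions = ", ".join(f"{r:04X}xxxx" for r in sorted(procs[pid]["jmp_regions"]))
            print(f"  {name:<28} jmp regions: {regions or '-'}  split: {sorted(procs[pid]['partial'])}")
```

Run against the full log, the export-set clusters usually fall into a small number of profiles; the one thing the script does not do is tell you which profile is legitimate (a HIPS or AV product hooks these same exports) and which is not, so treat the grouping as a triage aid and check the owning module of each `JMP` region before drawing a conclusion.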
eighteyedspy
2009-11-24, 01:48
Pt. 2
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 00DF0F36
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00DF0F47
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00DF00B9
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 00DF009E
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00DF0F7D
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00DF0FC0
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00DF0055
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00DF0033
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00DF0F6C
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00DF0044
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00DF0022
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00DF0072
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00DF0F07
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00DF0011
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00DF0000
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00DF0FD1
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00DF008D
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77518A47 3 Bytes JMP 00DD004E
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wsystem + 4 77518A4B 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!system 77518B63 3 Bytes JMP 00DD0FCD
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!system + 4 77518B67 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_creat 7751C6F1 3 Bytes JMP 00DD0022
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_creat + 4 7751C6F5 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00DD0000
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wcreat 7751DC9E 3 Bytes JMP 00DD003D
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wcreat + 4 7751DCA2 1 Byte [89]
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00DD0011
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00DE004A
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00DE0FB9
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00DE0FEF
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00DE0FA8
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00DE005B
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00DE0FDE
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00DE000A
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00DE002F
.text C:\Windows\system32\svchost.exe[1212] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00D50FEF
.text C:\Windows\system32\svchost.exe[1212] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00D5000A
.text C:\Windows\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00D50FD4
.text C:\Windows\system32\svchost.exe[1212] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00D50025
.text C:\Windows\system32\svchost.exe[1212] WS2_32.dll!socket 77B936D1 5 Bytes JMP 01000FEF
.text C:\Windows\RtHDVCpl.exe[1264] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[1264] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\RtHDVCpl.exe[1264] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Windows\RtHDVCpl.exe[1264] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\RtHDVCpl.exe[1264] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Windows\RtHDVCpl.exe[1264] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Windows\RtHDVCpl.exe[1264] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Windows\RtHDVCpl.exe[1264] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Windows\RtHDVCpl.exe[1264] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
eighteyedspy
2009-11-24, 01:49
And Pt. 3. Is it supposed to be this long, or did I screw up?
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[3892] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 000400B4
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 00040F6E
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00040F38
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 000400C5
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00040F9A
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 0004001E
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00040068
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00040FBC
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 0004008F
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00040FAB
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 00040039
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00040F7F
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 000400F4
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00040FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00040FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 00040FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00040F53
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 0006007D
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00060047
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00060FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00060062
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00060098
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 0006001B
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00060000
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 0006002C
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!SetWindowsHookExW 760F7B69 5 Bytes JMP 712E97F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!CallNextHookEx 760F8C33 5 Bytes JMP 712DCE79 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamW 760FBD25 5 Bytes JMP 713E418F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!CreateWindowExW 76103D67 5 Bytes JMP 712ED67C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamW 76111FD5 5 Bytes JMP 71215435 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!UnhookWindowsHookEx 761208BE 5 Bytes JMP 7125466C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamA 761380B2 5 Bytes JMP 713E412C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamA 761383DD 5 Bytes JMP 713E41F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectA 7614D471 5 Bytes JMP 713E40C1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectW 7614D56B 5 Bytes JMP 713E4056 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExA 7614D5D1 5 Bytes JMP 713E3FF4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExW 7614D5F5 5 Bytes JMP 713E3F92 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00070FAD
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!system 77518B63 5 Bytes JMP 00070038
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 0007001D
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 00070000
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00070FC8
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00070FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ole32.dll!OleLoadFromStream 76289726 5 Bytes JMP 713E44F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ole32.dll!CoCreateInstance 762BE188 5 Bytes JMP 712ED6D8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 00120000
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 00120FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 00120011
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 00120022
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!closesocket 77B9330C 5 Bytes JMP 678FEEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!recv 77B9343A 5 Bytes JMP 678FF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!socket 77B936D1 5 Bytes JMP 678FE59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!connect 77B940D9 5 Bytes JMP 678FE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!getaddrinfo 77B9418A 5 Bytes JMP 678FE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] WS2_32.dll!send 77B9659B 5 Bytes JMP 678FE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!GetStartupInfoW 77911929 5 Bytes JMP 000400CE
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!GetStartupInfoA 779119C9 5 Bytes JMP 000400B3
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateProcessW 77911C01 5 Bytes JMP 00040F52
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateProcessA 77911C36 5 Bytes JMP 000400E9
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!VirtualProtect 77911DD1 5 Bytes JMP 00040F99
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateNamedPipeW 77915C44 5 Bytes JMP 00040FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!LoadLibraryExW 779330C3 5 Bytes JMP 00040073
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!LoadLibraryW 7793361F 5 Bytes JMP 00040FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!VirtualProtectEx 77938D7E 5 Bytes JMP 00040F88
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!LoadLibraryExA 77939469 5 Bytes JMP 00040062
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!LoadLibraryA 77939491 5 Bytes JMP 0004003D
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreatePipe 77940284 5 Bytes JMP 00040098
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!GetProcAddress 7795B8B6 5 Bytes JMP 00040F37
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateFileW 7795CC4E 5 Bytes JMP 00040011
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateFileA 7795CF71 5 Bytes JMP 00040000
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!CreateNamedPipeA 779A430E 5 Bytes JMP 0004002C
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] kernel32.dll!WinExec 779A54FF 5 Bytes JMP 00040F6D
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegCreateKeyExA 7785B5E7 5 Bytes JMP 00060F6B
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegCreateKeyA 7785B8AE 5 Bytes JMP 00060F97
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegOpenKeyA 77860BF5 5 Bytes JMP 00060FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegCreateKeyW 7786B83D 5 Bytes JMP 00060F86
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegCreateKeyExW 7786BCE1 5 Bytes JMP 00060028
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegOpenKeyExA 7786D4E8 5 Bytes JMP 00060FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegOpenKeyW 77873CB0 5 Bytes JMP 00060FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] ADVAPI32.dll!RegOpenKeyExW 7787F09D 5 Bytes JMP 00060FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!DialogBoxIndirectParamW 760FBD25 5 Bytes JMP 713E418F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!CreateWindowExW 76103D67 5 Bytes JMP 712ED67C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!DialogBoxParamW 76111FD5 5 Bytes JMP 71215435 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!DialogBoxParamA 761380B2 5 Bytes JMP 713E412C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!DialogBoxIndirectParamA 761383DD 5 Bytes JMP 713E41F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!MessageBoxIndirectA 7614D471 5 Bytes JMP 713E40C1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!MessageBoxIndirectW 7614D56B 5 Bytes JMP 713E4056 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!MessageBoxExA 7614D5D1 5 Bytes JMP 713E3FF4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] USER32.dll!MessageBoxExW 7614D5F5 5 Bytes JMP 713E3F92 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_wsystem 77518A47 5 Bytes JMP 00070044
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!system 77518B63 5 Bytes JMP 00070FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_creat 7751C6F1 5 Bytes JMP 00070029
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_open 7751DA7E 5 Bytes JMP 0007000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_wcreat 7751DC9E 5 Bytes JMP 00070FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] msvcrt.dll!_wopen 7751DE79 5 Bytes JMP 00070FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WININET.dll!InternetOpenA 771BD690 5 Bytes JMP 002F0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WININET.dll!InternetOpenW 771BDB09 5 Bytes JMP 002F0014
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WININET.dll!InternetOpenUrlA 771BF3A4 5 Bytes JMP 002F0FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WININET.dll!InternetOpenUrlW 77206DDF 5 Bytes JMP 002F0FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[4068] WS2_32.dll!socket 77B936D1 5 Bytes JMP 002E0FEF
.text C:\hp\kbd\kbd.exe[4676] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\hp\kbd\kbd.exe[4676] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\hp\kbd\kbd.exe[4676] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\hp\kbd\kbd.exe[4676] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\hp\kbd\kbd.exe[4676] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\hp\kbd\kbd.exe[4676] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\hp\kbd\kbd.exe[4676] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\hp\kbd\kbd.exe[4676] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\hp\kbd\kbd.exe[4676] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\hp\kbd\kbd.exe[4676] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\hp\kbd\kbd.exe[4676] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ntdll.dll!NtCreateKey 77A48048 3 Bytes [FF, 25, 1E]
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ntdll.dll!NtCreateKey + 4 77A4804C 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ntdll.dll!NtSetValueKey 77A49088 3 Bytes [FF, 25, 1E]
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ntdll.dll!NtSetValueKey + 4 77A4908C 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] kernel32.dll!CreateProcessW 77911C01 6 Bytes JMP 5F0D0F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] kernel32.dll!CreateProcessA 77911C36 6 Bytes JMP 5F0A0F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] kernel32.dll!LoadLibraryExW 779330C3 6 Bytes JMP 5F070F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ADVAPI32.dll!CreateProcessAsUserW 7785A8F5 6 Bytes JMP 5F100F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ADVAPI32.dll!CreateServiceW 778838FF 6 Bytes JMP 5F1C0F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ADVAPI32.dll!CreateProcessWithLogonW 778A86A9 6 Bytes JMP 5F040F5A
.text C:\Users\The Coppola's\Desktop\jkgs2plg.exe[7036] ADVAPI32.dll!CreateServiceA 778C6C71 6 Bytes JMP 5F190F5A
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\00000666 -> \Driver\iaStor \Device\Harddisk0\DR0 844DC50C
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\iastor.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Hi,
The GMER log is sometimes long. It seems that either DDS got stopped in the middle of the scan or the whole log didn't get posted. Please re-run it to see if it produces both dds.txt and attach.txt this time.
eighteyedspy
2009-11-26, 04:05
Got DDS to work! Here are the two logs. Do you prefer that I post or attach them?
DDS (Ver_09-11-24.02) - NTFSx86
Run by The Coppola's at 20:56:06.38 on Wed 11/25/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.120 [GMT -5:00]
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\VeXpLite\MONLITE.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\VeXpLite\viritsvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\hp\kbd\kbd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\The Coppola's\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [LDM] c:\program files\desktop messenger\8876480\program\BackWeb-8876480.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FBSMTWB; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.nickjr.com/playtime/shows/dora/games/dora_pyramid.jhtml"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [<NO NAME>]
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
mRun: [VIRIT LITE MONITOR] c:\vexplite\MONLITE.EXE
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-4 64288]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-25 19456]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-8 55280]
=============== Created Last 30 ================
2009-11-25 08:01:47 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21:40 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21:39 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 21:21:37 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-20 01:14:55 0 d-----w- C:\VeXpLite
2009-11-20 01:14:34 0 dc-h--w- c:\programdata\{0A28EA8B-8711-4F9F-8EE2-8ED92C986459}
2009-11-20 01:07:33 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2009-11-20 01:07:33 203976 ----a-w- c:\windows\system32\richtx32.ocx
2009-11-20 01:07:33 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-20 01:07:31 0 d-----w- c:\program files\Zamaan's Software
2009-11-19 14:55:57 0 d-----w- c:\programdata\Real
2009-11-16 21:21:18 0 d-----w- c:\programdata\IObit
2009-11-16 21:21:09 0 d-----w- c:\program files\IObit
2009-11-16 21:03:23 0 d-----w- c:\program files\Trend Micro
2009-11-11 04:19:24 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:19:09 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 14:09:48 0 d-----w- c:\users\thecop~1\appdata\roaming\TweakNow PowerPack 2009
2009-11-05 14:09:48 0 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 01:12:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-05 01:11:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-05 00:45:39 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 10:14:08 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-30 15:28:51 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-30 15:28:09 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-30 15:27:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-30 15:27:45 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-28 02:35:11 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 02:35:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
==================== Find3M ====================
2009-11-05 01:11:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-15 14:31:26 44288 --s-a-w- c:\windows\system32\drivers\VIRAGTLT.sys
2009-10-09 03:47:16 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-10 17:30:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 13:55:50 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-07 12:59:40 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-07 12:59:40 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-07 12:59:40 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-06-11 07:10:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-06 19:19:55 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-21 15:35:26 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-03-21 15:35:26 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-03-21 15:35:26 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 20:59:47.01 ===============
eighteyedspy
2009-11-26, 04:07
And the Attach.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-11-24.02)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 3/10/2007 6:07:20 AM
System Uptime: 11/25/2009 8:34:39 PM (0 hours ago)
Motherboard: ASUSTek Computer INC. | | LEONITE
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 226 GiB total, 89.554 GiB free.
D: is FIXED (NTFS) - 7 GiB total, 0.904 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
==== Disabled Device Manager Items =============
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB CF Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
Manufacturer: Generic
Name: USB CF Reader
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
Service: WUDFRd
==== System Restore Points ===================
==== Installed Programs ======================
ActiveCheck component for HP Active Support Library
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
Adobe Shockwave Player 11
Adventure Chronicles: The Search for Lost Treasure
Adventures of Robinson Crusoe
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Barbie(TM) and the Magic of Pegasus(TM)
Big Fish Games Client
Bonjour
Browser Hijack Retaliator 4.5
Canon PhotoRecord
Canon Utilities CP Printer Guide
Canon Utilities PhotoStitch 3.1
Choice Guard
Comcast High-Speed Internet Install Wizard
Coupon Printer for Windows
CP Printer Guide
Enhanced Multimedia Keyboard Solution
ERUNT 1.1j
Escape Rosecliff Island
Fast Browser Search (My Web Tattoo)
Fast Browser Search Protection
Free 3GP Video Converter version 3.1
Free iPod Video Converter 1.34
Free WMA to MP3 Converter 1.16
GameTap Web Player
Google Earth
Google Update Helper
Google Updater
Guild Wars
Hardware Diagnostic Tools
Hidden Mysteries: Buckingham Palace ™
Hidden Secrets: The Nightmare
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Core
HP Easy Setup - Frontend
HP On-Screen Caps/Num/Scroll Lock Indicator
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
HPAsset component for HP Active Support Library
HPSSupply
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel® Viiv™ Software
IObit Security 360
iTunes
Java 2 Runtime Environment, SE v1.4.2_15
Java(TM) 6 Update 15
Java(TM) 6 Update 7
Junk Mail filter update
K-Lite Mega Codec Pack 2.2.5
LeapFrog Connect
LeapFrog Tag Plugin
LightScribe 1.4.136.1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech Desktop Messenger
Logitech iTouch Software
Logitech User's Guide
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Flight Simulator X
Microsoft Flight Simulator X Service Pack 1
Microsoft IntelliPoint 6.1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
My HP Games
Netflix Movie Viewer
Nick Chase: A Detective Story ™
PhotoStitch
Python 2.4.3
Quicken 2008
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Redrum ™
Rhapsody
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Shop for HP Supplies
Simulator 6
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.2
TomTom HOME
TurboTax 2008
TurboTax 2008 wgaiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Deluxe 2007
TweakNow PowerPack 2009
Uninstall 1.0.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb975960)
VC_MergeModuleToMSI
VirIT eXplorer Lite
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VueScan
Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6)
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker Beta
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Xfire (remove only)
==== End Of File ===========================
Hi,
Posting the logs is fine.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
eighteyedspy
2009-11-27, 13:37
Hey,
I have had some trouble running ComboFix. I keep getting the "detected rootkit activity" message. ComboFix reboots, gets through category 3 on the scan and then crashes. I've disabled all my security measures (uninstalled), with the same results. I have to go work a 48 shift so I will not be able to reply until Sunday evening. I will try again on Sunday. Thanks for your help and patience.
Hi,
Please see if you can get ComboFix to run in safe mode (when asked for a boot, make sure the system returns to safe mode).
eighteyedspy
2009-11-29, 19:45
Hey,
I've tried everything I can think of to get ComboFix to run, and it still crashes. I have disabled all processes that might interfere, I've tried using safe mode, I've tried running it with my Internet connection disabled, and I even tried renaming the file when downloading. I'm kind of at a loss; any suggestions? Sorry, and thanks again.
Hi,
A question first: Do you have Vista installation media handy if needed?
Please try this:
1. Go to the c:\windows\system32\drivers folder
2. Locate the file - iastor.sys
3. Drag and move the file to Desktop
4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in c:\windows\system32\drivers folder
5a. If a fresh copy is regenerated, reboot the machine
5b. If a fresh copy ISN'T regenerated, move the copy from Desktop back to the c:\windows\system32\drivers folder.
If 5a was carried out, run GMER and post back the report. Are browsers redirecting?
If 5b was carried out, let me know.
eighteyedspy
2009-11-29, 23:44
Hi!
I cannot move iastor.sys; it's being used by another program, which I have been unable to identify. I do not have any installable Vista media. I do see an iastorV.sys, should I try that one? Browser is still redirecting, and new tabs for news services keep popping up now. Should I run GMER again?
Hi,
Please download a fresh copy of ComboFix and try to run it.
eighteyedspy
2009-12-01, 23:39
Hey,
Downloaded and ran ComboFix again. It self updated and completed a full scan. As soon as it said that it was going to produce the log, it crashed. Now when I run it, it won't make it past category 23 before crashing. I've tried downloading and changing the name and running it in safe mode. No success yet. Sometimes it reboots due to rootkit activity, other times it scans properly, but always ends in a crash.
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
iastor.sys
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
eighteyedspy
2009-12-02, 08:58
Woohoo! Came in late last night and ran ComboFix like 3 or 4 more times, and it finally worked. I am posting the logs that you originally requested. If you still want systemlog.txt let me know. Thanks for the patience!
combofix.txt
ComboFix 09-12-01.01 - The Coppola's 12/02/2009 1:09.28.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.430 [GMT -5:00]
Running from: c:\users\The Coppola's\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.
2009-12-02 06:30 . 2009-12-02 06:34 -------- d-----w- c:\users\The Coppola's\AppData\Local\temp
2009-12-02 06:30 . 2009-12-02 06:30 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2009-12-02 06:30 . 2009-12-02 06:30 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-12-02 06:30 . 2009-12-02 06:30 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-12-02 06:30 . 2009-12-02 06:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-02 05:58 . 2009-12-02 05:59 49152 d-----w- C:\32788R22FWJFW
2009-12-02 05:42 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-02 05:42 . 2009-10-30 16:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-02 05:42 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-02 05:42 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-02 05:42 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-02 05:42 . 2009-12-02 05:42 32768 d-----w- c:\program files\Spyware Doctor
2009-12-02 05:42 . 2009-12-02 05:42 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-02 05:42 . 2009-12-02 05:42 -------- d-----w- c:\users\The Coppola's\AppData\Roaming\PC Tools
2009-12-02 05:42 . 2009-12-02 05:42 -------- d-----w- c:\programdata\PC Tools
2009-11-29 13:58 . 2009-11-29 13:58 -------- d-----w- c:\users\The Coppola's\AppData\Local\Apps
2009-11-27 07:15 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-25 08:01 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-20 01:50 . 2009-11-20 01:56 4096 d-----w- c:\program files\ERUNT
2009-11-20 01:14 . 2009-11-20 01:14 -------- d-----w- c:\users\The Coppola's\AppData\Local\PackageAware
2009-11-20 01:07 . 2001-10-04 05:14 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-19 14:55 . 2009-11-19 14:55 439816 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\setup.exe
2009-11-19 14:55 . 2009-11-19 14:55 118784 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\install.dll
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\programdata\IObit
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\program files\IObit
2009-11-16 21:03 . 2009-11-16 21:03 -------- d-----w- c:\program files\Trend Micro
2009-11-11 04:19 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:19 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 14:09 . 2009-11-05 14:12 4096 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 14:09 . 2009-11-05 14:09 -------- d-----w- c:\users\The Coppola's\AppData\Roaming\TweakNow PowerPack 2009
2009-11-05 01:11 . 2009-11-05 01:11 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 16:52 . 2008-11-26 04:33 4096 d-----w- c:\programdata\Google Updater
2009-11-27 02:31 . 2007-10-17 21:01 4096 d-----w- c:\programdata\McAfee
2009-11-27 02:27 . 2007-03-09 11:38 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-11-27 02:26 . 2007-03-09 12:04 16384 d-----w- c:\program files\Common Files\Symantec Shared
2009-11-27 02:26 . 2007-03-09 12:04 4096 d-----w- c:\programdata\Symantec
2009-11-27 02:21 . 2007-06-08 00:09 12288 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-27 02:20 . 2007-06-08 00:09 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-27 02:14 . 2007-06-08 00:16 4096 d-----w- c:\programdata\Lavasoft
2009-11-11 08:20 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 08:04 . 2009-04-08 21:59 12288 d-----w- c:\programdata\Microsoft Help
2009-10-20 21:46 . 2009-10-09 03:47 7 ----a-w- c:\windows\sbacknt.bin
2009-10-20 18:07 . 2009-10-20 15:31 -------- d-----w- c:\program files\adnqbh
2009-10-16 07:07 . 2007-03-09 11:57 24576 d-----w- c:\program files\Microsoft Works
2009-10-09 03:47 . 2009-10-09 03:47 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-14 09:44 . 2009-10-16 03:05 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-16 03:06 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:21 . 2009-10-28 02:35 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:21 . 2009-10-28 02:35 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-04 12:24 . 2009-10-16 03:05 61440 ----a-w- c:\windows\system32\msasn1.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-05-07 380928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-19 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-19 133656]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [12/2/2009 12:42 AM 207792]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 1:32 PM 208896]
S2 gupdate1c9e122120b6107;Google Update Service (gupdate1c9e122120b6107);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 7:27 AM 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 12:13 PM 29696]
S3 FlyUsb;FLY Fusion;c:\windows\System32\drivers\FlyUsb.sys [11/25/2008 12:39 PM 19456]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [4/8/2009 7:50 PM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder
2009-12-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-26 22:35]
2009-12-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 12:27]
2009-12-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 12:27]
2009-12-01 c:\windows\Tasks\User_Feed_Synchronization-{9F21EFA2-5087-4B5C-8230-A912354043C1}.job
- c:\windows\system32\msfeedssync.exe [2009-10-16 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 01:33
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\SEPDC7B.tmp 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x844DB50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x861a9322
\Driver\ACPI -> acpi.sys @ 0x806c5d4c
\Driver\atapi -> ataport.SYS @ 0x828d39a8
\Driver\iaStor -> iastor.sys @ 0x8283ad94
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(1148)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\RacAgent.exe
c:\windows\system32\lpremove.exe
.
**************************************************************************
.
Completion time: 2009-12-02 01:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-02 06:47
Pre-Run: 97,534,304,256 bytes free
Post-Run: 97,505,439,744 bytes free
- - End Of File - - 845474AB6C90A43A212764E192FCFB48
eighteyedspy
2009-12-02, 08:59
and of course the most current DDS log.
DDS (Ver_09-11-24.02) - NTFSx86
Run by The Coppola's at 1:50:28.65 on Wed 12/02/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.270 [GMT -5:00]
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\notepad.exe
C:\Users\The Coppola's\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FBSMTWB; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.nickjr.com/playtime/shows/dora/games/dora_pyramid.jhtml"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
============= SERVICES / DRIVERS ===============
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-2 207792]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 gupdate1c9e122120b6107;Google Update Service (gupdate1c9e122120b6107);c:\program files\google\update\GoogleUpdate.exe [2009-5-30 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2009-5-7 1089536]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-25 19456]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-8 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
=============== Created Last 30 ================
2009-12-02 05:42:56 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-12-02 05:42:56 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-02 05:42:56 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-02 05:42:52 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-02 05:42:52 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-02 05:42:52 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-02 05:42:52 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-02 05:42:44 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-02 05:42:44 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-02 05:42:36 0 d-----w- c:\users\thecop~1\appdata\roaming\PC Tools
2009-12-02 05:42:36 0 d-----w- c:\programdata\PC Tools
2009-12-02 05:42:36 0 d-----w- c:\program files\Spyware Doctor
2009-12-02 05:42:36 0 d-----w- c:\program files\common files\PC Tools
2009-11-27 07:15:37 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-26 16:32:38 98816 ----a-w- c:\windows\sed.exe
2009-11-26 16:32:38 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 16:32:38 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 16:32:38 161792 ----a-w- c:\windows\SWREG.exe
2009-11-25 08:01:47 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21:40 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21:39 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 21:21:37 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-20 01:07:33 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2009-11-20 01:07:33 203976 ----a-w- c:\windows\system32\richtx32.ocx
2009-11-20 01:07:33 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-19 14:55:57 0 d-----w- c:\programdata\Real
2009-11-16 21:21:18 0 d-----w- c:\programdata\IObit
2009-11-16 21:21:09 0 d-----w- c:\program files\IObit
2009-11-16 21:03:23 0 d-----w- c:\program files\Trend Micro
2009-11-11 04:19:24 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:19:09 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 14:09:48 0 d-----w- c:\users\thecop~1\appdata\roaming\TweakNow PowerPack 2009
2009-11-05 14:09:48 0 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 01:11:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-04 10:14:08 1638912 ----a-w- c:\windows\system32\mshtml.tlb
==================== Find3M ====================
2009-10-09 03:47:16 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-10 17:30:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:21:53 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:21:07 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-07 12:59:40 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-07 12:59:40 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-07 12:59:40 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-06-11 07:10:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-06 19:19:55 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
============= FINISH: 1:52:00.47 ===============
Please run GMER again and attach its log to your post (better to use a file attachment if the log is long).
eighteyedspy
2009-12-02, 17:49
GMER log is much shorter this time.
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-02 10:47:27
Windows 6.0.6001 Service Pack 1
Running: zz84t86t.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x82906CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x82906ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x82906984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x829070D8]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetTimerEx + 43C 81EBCA00 3 Bytes [DE, 6C, 90]
.text ntkrnlpa.exe!KeSetTimerEx + 440 81EBCA04 3 Bytes [D0, 6E, 90] {SHR BYTE [ESI-0x70], 0x1}
.text ntkrnlpa.exe!KeSetTimerEx + 854 81EBCE18 4 Bytes [84, 69, 90, 82]
.text ntkrnlpa.exe!KeSetTimerEx + 918 81EBCEDC 4 Bytes [D8, 70, 90, 82]
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x828C402C]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3324] kernel32.dll!CreateThread + 1A 767446E2 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[3324] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[3324] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\iastor.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Hi,
Please run SystemLook now (instructions for that a few posts earlier).
eighteyedspy
2009-12-02, 18:56
Here is that log you wanted.
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:48 on 02/12/2009 by The Coppola's (Administrator - Elevation successful)
========== filefind ==========
Searching for "iastor.sys"
C:\hp\DRIVERS\Intel_raid\iastor.sys --a--- 250368 bytes [11:38 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 382488 bytes [10:48 12/09/2008] [22:50 02/06/2008] 3C4CD264B04D79A43A0F124C067BA08E
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 305688 bytes [10:48 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_6a23f079\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_0afadd92\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_27dcf4f5\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ee67416f\iaStor.sys --a--- 250368 bytes [13:01 07/06/2007] [18:46 31/10/2006] DE01BF14FFB150C779FD561BD0E3C5C5
C:\Windows\System32\drivers\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 505903740473BB08BA8593CBCC7DEB5D
-=End Of File=-
Hi,
Upload C:\Windows\System32\drivers\iaStor.sys file to http://www.virustotal.com and post back the results.
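The comparison the SystemLook output above invites can be automated. The Python below is an added example (not from this thread, SystemLook or PC Tools): it parses the filefind lines pasted above and flags a copy whose size and modified time match its siblings but whose MD5 does not, which is exactly how the patched iastor.sys in System32\drivers stands out from the clean copies in Program Files and the DriverStore. The line pattern is inferred from the log lines on this page, and the majority-hash and "orphan" rules are heuristics of mine, not SystemLook features.

```python
"""Flag divergent copies of a driver in SystemLook 'filefind' output.

Added example, not part of the original thread or of the SystemLook tool.
The rootkit in this thread patched the loaded iastor.sys in place: the
infected copy keeps the size and timestamps of the clean driver, so only
the hash betrays it. The checks below group every copy of the file by
(size, modified time) and report any copy that disagrees with the majority
hash of its group, then ask whether the copy Windows actually loads (the
one under the System32 drivers folder) is vouched for by any other copy.
"""
import re
from collections import Counter, defaultdict

# One filefind result line: path, attributes, size, [created] [modified] md5.
# Pattern inferred from the lines posted in the thread (assumption).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Sample input: the filefind block the poster pasted earlier in this thread.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
========== filefind ==========
Searching for "iastor.sys"
C:\hp\DRIVERS\Intel_raid\iastor.sys --a--- 250368 bytes [11:38 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 382488 bytes [10:48 12/09/2008] [22:50 02/06/2008] 3C4CD264B04D79A43A0F124C067BA08E
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 305688 bytes [10:48 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_6a23f079\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_0afadd92\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_27dcf4f5\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ee67416f\iaStor.sys --a--- 250368 bytes [13:01 07/06/2007] [18:46 31/10/2006] DE01BF14FFB150C779FD561BD0E3C5C5
C:\Windows\System32\drivers\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 505903740473BB08BA8593CBCC7DEB5D
-=End Of File=-
"""

LOADED_DIR = "\\system32\\drivers\\"  # where the kernel loads boot drivers from


def parse_filefind(text):
    """Return one dict per filefind result line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def find_divergent_copies(entries):
    """Among copies sharing (size, modified time), flag those whose MD5 is not the
    group's majority hash. A driver patched in place keeps its size and timestamps,
    so this is precisely the signature of the infected iastor.sys in the thread."""
    groups = defaultdict(list)
    for entry in entries:
        groups[(entry["size"], entry["modified"])].append(entry)
    findings = []
    for (size, modified), members in groups.items():
        counts = Counter(e["md5"] for e in members)
        if len(counts) < 2:
            continue  # a lone copy, or all copies agree
        majority_md5, _ = counts.most_common(1)[0]
        for e in members:
            if e["md5"] != majority_md5:
                findings.append({"path": e["path"], "md5": e["md5"],
                                 "expected_md5": majority_md5,
                                 "size": size, "modified": modified})
    return findings


def loaded_driver_is_orphan(entries):
    """True when the copy Windows actually loads has an MD5 that appears in no
    other copy on disk: nothing on the machine vouches for what is running."""
    loaded = [e for e in entries if LOADED_DIR in e["path"].lower()]
    other_hashes = {e["md5"] for e in entries if LOADED_DIR not in e["path"].lower()}
    return bool(loaded) and all(e["md5"] not in other_hashes for e in loaded)


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for f in find_divergent_copies(found):
        print(f"SUSPICIOUS {f['path']}: md5 {f['md5']}, but {f['expected_md5']} is "
              f"what every other {f['size']}-byte copy modified {f['modified']} has")
    print("loaded copy vouched for by another copy on disk:",
          not loaded_driver_is_orphan(found))
```

The same divergence check applies to any boot-start driver a scanner reports as modified (atapi.sys, for instance); only the file name searched for changes.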
eighteyedspy
2009-12-02, 19:25
Here are the results from the iastor.sys scan at virustotal.
a-squared 4.5.0.43 2009.12.02 -
AhnLab-V3 5.0.0.2 2009.12.02 -
AntiVir 7.9.1.92 2009.12.02 -
Antiy-AVL 2.0.3.7 2009.12.02 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.02 -
AVG 8.5.0.426 2009.12.02 -
BitDefender 7.2 2009.12.02 -
CAT-QuickHeal 10.00 2009.12.02 -
ClamAV 0.94.1 2009.12.02 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.02 -
eSafe 7.0.17.0 2009.12.02 -
eTrust-Vet None 2009.12.02 -
F-Prot 4.5.1.85 2009.12.02 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.12.02 -
GData 19 2009.12.02 -
Ikarus T3.1.1.74.0 2009.12.02 -
K7AntiVirus 7.10.910 2009.12.02 -
Kaspersky 7.0.0.125 2009.12.02 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.02 Heuristic.BehavesLike.Exploit.CodeExec.NLLG
Microsoft 1.5302 2009.12.02 -
NOD32 4655 2009.12.02 -
Norman 6.03.02 2009.12.02 -
nProtect 2009.1.8.0 2009.12.02 -
Panda 10.0.2.2 2009.12.02 -
PCTools 7.0.3.5 2009.12.02 -
Prevx 3.0 2009.12.02 -
Rising 22.24.02.09 2009.12.02 -
Sophos 4.48.0 2009.12.02 -
Sunbelt 3.2.1858.2 2009.12.02 -
Symantec 1.4.4.12 2009.12.02 -
TheHacker 6.5.0.2.083 2009.12.01 -
TrendMicro 9.100.0.1001 2009.12.02 -
VBA32 3.12.12.0 2009.12.02 -
ViRobot 2009.12.2.2068 2009.12.02 -
Additional information
File size: 305688 bytes
MD5...: 505903740473bb08ba8593cbcc7deb5d
SHA1..: 17f92ddd356ada6b3e1d8ebb4dd4fe7c9380907b
SHA256: 9d3b1bfbfba89f0e61bed8d3f29472bc05b11074aa3843adcb5c168d0abc709d
ssdeep: 6144:5sS1uALz2gAgZG0Dw2kyUrSC7NAbnBpaWF:rz28rRUrSdbP
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Autodesk FLIC Image File (extensions: flc, fli, cel) (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Hi,
Open notepad and then copy and paste the lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /a c:\windows\lastgood >Log.txt
START Log.txt
DEL %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
eighteyedspy
2009-12-02, 22:33
Contents of fix.bat log.
Volume in drive C is COMPAQ
Volume Serial Number is D865-67C9
Directory of c:\windows
Hi,
Open notepad and then copy and paste lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
MKDIR "c:\windows\lastgood\system32\drivers"
COPY /Y "C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys" "C:\Windows\lastgood\System32\Drivers\iastor.sys" >Log.txt 2>&1
START Log.txt
DEL %0
Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
eighteyedspy
2009-12-02, 23:24
Short log. This is all it said.
1 file(s) copied.
Hi,
Then restart the computer, and as it boots up tap the F8 key to access the startup menu. From that menu select the following:
Last Known Good Configuration
After the reboot run ComboFix and post back the log.
eighteyedspy
2009-12-03, 13:34
Hey,
ComboFix keeps crashing, again. I will retry on Friday morning when I get home from work. Thanks.
eighteyedspy
2009-12-05, 07:44
Hey,
Funny, ComboFix only seems to work after midnight! Sorry it took so long, but here is the new ComboFix log. Thanks for the patience.
ComboFix 09-12-04.02 - The Coppola's 12/05/2009 0:11.38.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.433 [GMT -5:00]
Running from: c:\users\The Coppola's\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Microsoft\WLSetup
c:\programdata\Microsoft\WLSetup\Logs\2009-04-08_20-41_14b4-cxj3timt.log
c:\programdata\Microsoft\WLSetup\wlt5BBA.tmp
.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.
2009-12-05 05:27 . 2009-12-05 05:33 -------- d-----w- c:\users\The Coppola's\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-12-05 05:27 . 2009-12-05 05:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-02 05:42 . 2009-12-05 04:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-29 13:58 . 2009-11-29 13:58 -------- d-----w- c:\users\The Coppola's\AppData\Local\Apps
2009-11-27 07:15 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-25 08:01 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-20 01:50 . 2009-11-20 01:56 4096 d-----w- c:\program files\ERUNT
2009-11-20 01:14 . 2009-11-20 01:14 -------- d-----w- c:\users\The Coppola's\AppData\Local\PackageAware
2009-11-20 01:07 . 2001-10-04 05:14 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-19 14:55 . 2009-11-19 14:55 439816 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\setup.exe
2009-11-19 14:55 . 2009-11-19 14:55 118784 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\install.dll
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\programdata\IObit
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\program files\IObit
2009-11-16 21:03 . 2009-11-16 21:03 -------- d-----w- c:\program files\Trend Micro
2009-11-11 04:19 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:19 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 14:09 . 2009-11-05 14:12 4096 d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 14:09 . 2009-11-05 14:09 -------- d-----w- c:\users\The Coppola's\AppData\Roaming\TweakNow PowerPack 2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 19:55 . 2008-11-26 04:33 4096 d-----w- c:\programdata\Google Updater
2009-12-04 14:32 . 2008-11-26 04:33 4096 d-----w- c:\program files\Google
2009-11-27 02:31 . 2007-10-17 21:01 4096 d-----w- c:\programdata\McAfee
2009-11-27 02:27 . 2007-03-09 11:38 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-11-27 02:26 . 2007-03-09 12:04 16384 d-----w- c:\program files\Common Files\Symantec Shared
2009-11-27 02:26 . 2007-03-09 12:04 4096 d-----w- c:\programdata\Symantec
2009-11-27 02:21 . 2007-06-08 00:09 12288 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-27 02:20 . 2007-06-08 00:09 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-27 02:14 . 2007-06-08 00:16 4096 d-----w- c:\programdata\Lavasoft
2009-11-11 08:20 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 08:04 . 2009-04-08 21:59 12288 d-----w- c:\programdata\Microsoft Help
2009-11-05 01:11 . 2009-11-05 01:11 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-20 21:46 . 2009-10-09 03:47 7 ----a-w- c:\windows\sbacknt.bin
2009-10-20 18:07 . 2009-10-20 15:31 -------- d-----w- c:\program files\adnqbh
2009-10-16 07:07 . 2007-03-09 11:57 24576 d-----w- c:\program files\Microsoft Works
2009-10-09 03:47 . 2009-10-09 03:47 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-14 09:44 . 2009-10-16 03:05 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-16 03:06 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:21 . 2009-10-28 02:35 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-10 15:21 . 2009-10-28 02:35 310784 ----a-w- c:\windows\system32\unregmp2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-05-07 380928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-19 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-19 133656]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 1:32 PM 208896]
S2 gupdate1c9e122120b6107;Google Update Service (gupdate1c9e122120b6107);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 7:27 AM 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 12:13 PM 29696]
S3 FlyUsb;FLY Fusion;c:\windows\System32\drivers\FlyUsb.sys [11/25/2008 12:39 PM 19456]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [4/8/2009 7:50 PM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder
2009-12-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-26 22:35]
2009-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 12:27]
2009-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 12:27]
2009-12-04 c:\windows\Tasks\User_Feed_Synchronization-{9F21EFA2-5087-4B5C-8230-A912354043C1}.job
- c:\windows\system32\msfeedssync.exe [2009-10-16 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 00:30
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x844D450C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x861a3322
\Driver\ACPI -> acpi.sys @ 0x8069dd4c
\Driver\atapi -> ataport.SYS @ 0x828d79a8
\Driver\iaStor -> iastor.sys @ 0x8283ed94
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3772)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-12-05 00:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 05:41
Pre-Run: 95,390,457,856 bytes free
Post-Run: 95,339,704,320 bytes free
- - End Of File - - BAADF4E2C548029ECD550E695D3C1E37
Hi,
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
iastor.sys
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Also run a new GMER scan and post back its log.
eighteyedspy
2009-12-06, 02:58
Hey,
Here's the systemlook and GMER logs.
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-05 19:57:28
Windows 6.0.6001 Service Pack 1
Running: zz84t86t.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x828C802C]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!SetWindowsHookExW 76E17B69 5 Bytes JMP 6A4297F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!CallNextHookEx 76E18C33 5 Bytes JMP 6A41CE79 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxIndirectParamW 76E1BD25 5 Bytes JMP 6A52418F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!CreateWindowExW 76E23D67 5 Bytes JMP 6A42D67C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxParamW 76E31FD5 5 Bytes JMP 6A355435 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!UnhookWindowsHookEx 76E408BE 5 Bytes JMP 6A39466C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxParamA 76E580B2 5 Bytes JMP 6A52412C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxIndirectParamA 76E583DD 5 Bytes JMP 6A5241F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxIndirectA 76E6D471 5 Bytes JMP 6A5240C1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxIndirectW 76E6D56B 5 Bytes JMP 6A524056 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxExA 76E6D5D1 5 Bytes JMP 6A523FF4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxExW 76E6D5F5 5 Bytes JMP 6A523F92 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] ole32.dll!OleLoadFromStream 77329726 5 Bytes JMP 6A5244F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] ole32.dll!CoCreateInstance 7735E188 5 Bytes JMP 6A42D6D8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!closesocket 76B9330C 5 Bytes JMP 6FE0EEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!recv 76B9343A 5 Bytes JMP 6FE0F1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!socket 76B936D1 5 Bytes JMP 6FE0E59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!connect 76B940D9 5 Bytes JMP 6FE0E62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!getaddrinfo 76B9418A 5 Bytes JMP 6FE0E71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] WS2_32.dll!send 76B9659B 5 Bytes JMP 6FE0E9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!DialogBoxIndirectParamW 76E1BD25 5 Bytes JMP 6A52418F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!CreateWindowExW 76E23D67 5 Bytes JMP 6A42D67C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!DialogBoxParamW 76E31FD5 5 Bytes JMP 6A355435 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!DialogBoxParamA 76E580B2 5 Bytes JMP 6A52412C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!DialogBoxIndirectParamA 76E583DD 5 Bytes JMP 6A5241F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!MessageBoxIndirectA 76E6D471 5 Bytes JMP 6A5240C1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!MessageBoxIndirectW 76E6D56B 5 Bytes JMP 6A524056 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!MessageBoxExA 76E6D5D1 5 Bytes JMP 6A523FF4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3352] USER32.dll!MessageBoxExW 76E6D5F5 5 Bytes JMP 6A523F92 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \Driver\00000585 -> \Driver\iaStor \Device\Harddisk0\DR0 844D450C
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\iastor.sys suspicious modification
---- EOF - GMER 1.0.15 ----
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:24 on 05/12/2009 by The Coppola's (Administrator - Elevation successful)
========== filefind ==========
Searching for "iastor.sys"
C:\hp\DRIVERS\Intel_raid\iastor.sys --a--- 250368 bytes [11:38 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 382488 bytes [10:48 12/09/2008] [22:50 02/06/2008] 3C4CD264B04D79A43A0F124C067BA08E
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 305688 bytes [10:48 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_6a23f079\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_0afadd92\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_27dcf4f5\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ee67416f\iaStor.sys --a--- 250368 bytes [13:01 07/06/2007] [18:46 31/10/2006] DE01BF14FFB150C779FD561BD0E3C5C5
C:\Windows\System32\drivers\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 505903740473BB08BA8593CBCC7DEB5D
-=End Of File=-
Hi,
Open notepad and then copy and paste lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
COPY /Y C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys c:\IaStor.sys
DEL %0
Double-click on fixes.bat file to execute it. Verify that c:\IaStor.sys file exists.
---
Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
Files to move:
c:\IaStor.sys|C:\Windows\System32\drivers\iaStor.sys
In the avenger window, click the Paste Script from Clipboard button (icon: http://img220.imageshack.us/img220/8923/pastets4.png).
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log, along with a new GMER log in your next reply.
eighteyedspy
2009-12-06, 19:21
hi, here is the GMER log and the Avenger log
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 12:19:03
Windows 6.0.6001 Service Pack 1
Running: y0fhczjm.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x82AD202C]
---- Devices - GMER 1.0.15 ----
Device \Driver\00000653 -> \Driver\iaStor \Device\Harddisk0\DR0 844D350C
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\iastor.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "c:\IaStor.sys" not found!
File move operation "c:\IaStor.sys|C:\Windows\System32\drivers\iaStor.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
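The GMER line "entry point in '.rsrc' section" is the key finding in the log above: a clean driver's entry point sits in a code section, while .rsrc holds resources and is not marked executable. As an added example that is not GMER's code and not part of the thread, a Python script that performs that check on a PE image by reading the COFF and section headers and mapping AddressOfEntryPoint to the section that contains it. The fixture it runs on is a constructed, headers-only PE32 image (not a real driver); on a real file the same check is assess_entry_point(open(path, "rb").read()). Function names are my own.

```python
"""Report which PE section holds the entry point (the check behind GMER's
'entry point in .rsrc section' finding). Added example, not GMER's code."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def pe_sections(data):
    """Parse the PE headers; return (entry_rva, [(name, rva, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40  # section table follows the optional header
        name, vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, max(vsize, rawsize), chars))
    return entry_rva, sections


def assess_entry_point(data):
    """Map the entry point to its section and judge whether that is plausible for clean code."""
    entry_rva, sections = pe_sections(data)
    for name, vaddr, size, chars in sections:
        if vaddr <= entry_rva < vaddr + size:
            executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
            has_code = bool(chars & IMAGE_SCN_CNT_CODE)
            # Clean drivers start in a code section. An entry point inside .rsrc, or in any
            # section not marked executable, is the condition GMER reported above.
            suspicious = (not executable) or (not has_code) or name.lower() == ".rsrc"
            return {"section": name, "entry_rva": entry_rva, "executable": executable, "suspicious": suspicious}
    # An entry point outside every section cannot be legitimate either.
    return {"section": None, "entry_rva": entry_rva, "executable": False, "suspicious": True}


def build_minimal_pe(entry_rva):
    """Constructed fixture: a headers-only PE32 image with .text (code) and .rsrc (data).
    It is not loadable; it exists so the checker can be exercised without a real driver."""
    sections = [  # (name, virtual address, virtual size, characteristics)
        (b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0x400 + i * 0x1000, 0, 0, 0, 0, chars)
        for i, (name, vaddr, vsize, chars) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for rva in (0x1100, 0x2100, 0x9000):
        print(hex(rva), assess_entry_point(build_minimal_pe(rva)))
```

The entry-point section is only one of several header-level signals (section flags, overlay size and checksum being others), but it is cheap, needs no signature database, and on its own was enough for GMER to single out this driver.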
Hi,
Click Start > All Programs > Accessories, right-click Command Prompt and select Run as administrator. In the opened command prompt, type this (press Enter after):
copy /y "C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys" c:\IaStor.sys
You should get "1 file(s) copied." -message. After that, run Avenger again as instructed.
eighteyedspy
2009-12-08, 15:46
Hey,
I keep getting the response, "File Not Found".
Run SystemLook with this contents again:
:filefind
iastor.sys
eighteyedspy
2009-12-08, 17:49
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:41 on 08/12/2009 by The Coppola's (Administrator - Elevation successful)
========== filefind ==========
Searching for "iastor.sys"
C:\hp\DRIVERS\Intel_raid\iastor.sys --a--- 250368 bytes [11:38 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 382488 bytes [10:48 12/09/2008] [22:50 02/06/2008] 3C4CD264B04D79A43A0F124C067BA08E
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 305688 bytes [10:48 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_6a23f079\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_0afadd92\iaStor.sys --a--- 250368 bytes [11:25 09/03/2007] [11:59 29/09/2006] E9F704CA833BD24BFAA3B4A59707633A
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_27dcf4f5\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 25C3D5F66A74A7BDDECA56085F040D2E
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ee67416f\iaStor.sys --a--- 250368 bytes [13:01 07/06/2007] [18:46 31/10/2006] DE01BF14FFB150C779FD561BD0E3C5C5
C:\Windows\System32\drivers\iaStor.sys --a--- 305688 bytes [10:47 12/09/2008] [22:49 02/06/2008] 505903740473BB08BA8593CBCC7DEB5D
-=End Of File=-
Hi,
I don't understand why you get "file not found" message while the file does exist. Anyway, let's try this:
Open notepad and then copy and paste the lines below into it. Go to File > Save As, name the file fixes.bat, change the Save as type to All Files and save it to your desktop.
@ECHO OFF
REM Quoted source path (it contains spaces); stdout and stderr go to Log.txt so the result can be posted
COPY /Y "C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys" "c:\IaStor.sys.bak" >Log.txt 2>&1
START Log.txt
DEL %0
Right-click the fixes.bat file and select Run as administrator to execute it with the necessary permissions. Notepad should open up. Post back its contents, please.
eighteyedspy
2009-12-08, 19:44
Hey,
This one says the same thing:
The system cannot find the file specified.
eighteyedspy
2009-12-08, 19:48
I can manually go to that location and copy the file. Should I try that?
Yes, please try to copy it manually to c: root (c:\).
eighteyedspy
2009-12-08, 21:42
Moved a copy of IaStor.sys to C:\ and ran Avenger, here is the resulting log.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "c:\IaStor.sys|C:\Windows\System32\drivers\iaStor.sys" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
Hi,
Please reboot and then run GMER again.
eighteyedspy
2009-12-08, 23:12
Hey,
Here's the GMER log.
GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-08 16:09:07
Windows 6.0.6001 Service Pack 1
Running: exd5xeye.exe; Driver: C:\Users\THECOP~1\AppData\Local\Temp\awlyrkow.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----
Good. Those findings may look scary but are actually false positives :). Are you still experiencing browser hijacking?
eighteyedspy
2009-12-09, 04:12
Woohoo!
So far so good. I have not seen any pop-ups or redirects. Thank you so much for your help and patience.
You're welcome but there's still some work left ahead :)
Open notepad and copy/paste the text in the quotebox below into it:
DirLook::
c:\program files\adnqbh
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000000
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (9.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Uninstall your current Adobe shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.
Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 17 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
eighteyedspy
2009-12-12, 00:15
Hey,
I was out of town for a couple of days, I'll try to get you the reports you want tonight.
eighteyedspy
2009-12-12, 12:52
Hey,
Had some problems with Kaspersky. I will run it again later, for now here is the ComboFix and DDS logs.
DDS (Ver_09-12-01.01) - NTFSx86
Run by The Coppola's at 5:45:24.23 on Sat 12/12/2009
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.267 [GMT -5:00]
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\The Coppola's\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; FBSMTWB; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.nickjr.com/playtime/shows/dora/games/dora_pyramid.jhtml"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-9 64288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-8 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-8 35272]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-11-25 19456]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-8 55280]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-8 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-8 40552]
=============== Created Last 30 ================
2009-12-11 23:06:19 0 d-----w- c:\programdata\WindowsSearch
2009-12-11 23:00:50 0 d-----w- c:\programdata\NOS
2009-12-11 22:50:28 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-11 22:19:27 0 d-----w- C:\ComboFix
2009-12-09 13:14:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-09 12:39:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-09 04:20:19 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-09 03:23:24 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 03:23:24 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 03:23:23 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 03:21:00 281600 ----a-w- c:\windows\system32\raschap.dll
2009-12-09 03:21:00 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 03:16:30 0 d-----w- c:\program files\SpywareBlaster
2009-12-09 02:59:17 11000 ----a-w- c:\windows\system32\Config.MPF
2009-12-09 02:56:01 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-09 02:56:01 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-09 02:56:01 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-09 02:55:56 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-09 02:55:12 0 d-----w- c:\program files\common files\McAfee
2009-12-09 02:55:08 0 d-----w- c:\program files\McAfee.com
2009-12-09 02:55:04 0 d-----w- c:\program files\McAfee
2009-12-09 02:52:12 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-08 20:21:12 155160480 ----a-w- c:\windows\MEMORY.DMP
2009-12-04 21:07:11 0 d-----w- c:\windows\pss
2009-12-02 05:42:36 0 d-----w- c:\program files\common files\PC Tools
2009-11-27 07:15:37 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-26 16:32:38 98816 ----a-w- c:\windows\sed.exe
2009-11-26 16:32:38 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 16:32:38 261632 ----a-w- c:\windows\PEV.exe
2009-11-26 16:32:38 161792 ----a-w- c:\windows\SWREG.exe
2009-11-25 08:01:47 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21:40 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21:39 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-24 21:21:37 714240 ----a-w- c:\windows\system32\timedate.cpl
2009-11-20 01:07:33 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2009-11-20 01:07:33 203976 ----a-w- c:\windows\system32\richtx32.ocx
2009-11-20 01:07:33 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-19 14:55:57 0 d-----w- c:\programdata\Real
2009-11-16 21:21:18 0 d-----w- c:\programdata\IObit
2009-11-16 21:21:09 0 d-----w- c:\program files\IObit
2009-11-16 21:03:23 0 d-----w- c:\program files\Trend Micro
==================== Find3M ====================
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-05 01:11:25 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-04 21:54:12 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-09 03:47:16 152904 ----a-w- c:\windows\system32\vghd.scr
2009-08-07 12:59:40 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-07 12:59:40 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-07 12:59:40 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-06-11 07:10:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-06 19:19:55 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-09-03 07:09:49 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
============= FINISH: 5:47:53.92 ===============
eighteyedspy
2009-12-12, 12:53
ComboFix 09-12-11.01 - The Coppola's 12/11/2009 17:28:23.39.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1014.253 [GMT -5:00]
Running from: c:\users\The Coppola's\Desktop\ComboFix.exe
Command switches used :: c:\users\The Coppola's\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.
2009-12-11 22:42 . 2009-12-11 22:42 -------- d-----w- c:\users\The Coppola's\AppData\Local\temp
2009-12-11 22:42 . 2009-12-11 22:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-11 22:42 . 2009-12-11 22:42 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2009-12-11 22:42 . 2009-12-11 22:42 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-12-11 22:42 . 2009-12-11 22:42 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-12-11 22:42 . 2009-12-11 22:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-11 22:18 . 2009-12-11 22:19 -------- d-----w- C:\32788R22FWJFW
2009-12-09 13:14 . 2009-12-09 12:39 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-09 12:39 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-09 04:20 . 2009-12-09 04:32 -------- dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-09 03:23 . 2009-11-03 22:15 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 03:23 . 2009-11-03 19:53 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 03:23 . 2009-11-03 22:17 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 03:21 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 03:21 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2009-12-09 03:16 . 2009-12-09 03:17 -------- d-----w- c:\program files\SpywareBlaster
2009-12-09 02:56 . 2009-11-04 21:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-09 02:56 . 2009-11-04 21:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-09 02:56 . 2009-11-04 21:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-09 02:55 . 2009-07-16 17:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-09 02:55 . 2009-12-09 02:55 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-09 02:55 . 2009-12-09 02:55 -------- d-----w- c:\program files\McAfee.com
2009-12-09 02:55 . 2009-12-09 02:58 -------- d-----w- c:\program files\McAfee
2009-12-09 02:52 . 2009-11-04 21:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-02 05:42 . 2009-12-05 04:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-29 13:58 . 2009-11-29 13:58 -------- d-----w- c:\users\The Coppola's\AppData\Local\Apps
2009-11-27 07:15 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-25 08:01 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 21:21 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 21:21 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-20 01:50 . 2009-11-20 01:56 -------- d-----w- c:\program files\ERUNT
2009-11-20 01:14 . 2009-11-20 01:14 -------- d-----w- c:\users\The Coppola's\AppData\Local\PackageAware
2009-11-20 01:07 . 2001-10-04 05:14 184320 ----a-w- c:\windows\system32\wzcsvc.dll
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\programdata\IObit
2009-11-16 21:21 . 2009-11-16 21:21 -------- d-----w- c:\program files\IObit
2009-11-16 21:03 . 2009-11-16 21:03 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 02:01 . 2008-11-26 04:33 -------- d-----w- c:\programdata\Google Updater
2009-12-10 08:07 . 2009-04-08 21:59 -------- d-----w- c:\programdata\Microsoft Help
2009-12-09 12:39 . 2009-12-09 12:39 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-09 12:39 . 2009-12-09 12:39 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-09 12:39 . 2009-12-09 12:39 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-09 12:39 . 2009-12-09 12:39 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-09 12:39 . 2009-12-09 12:39 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-09 12:39 . 2009-12-09 12:39 370744 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-09 12:39 . 2009-12-09 12:39 163728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-09 12:39 . 2009-12-09 12:39 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-09 12:38 . 2009-12-09 12:38 5908024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-09 12:38 . 2009-12-09 12:38 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-09 12:38 . 2009-12-09 12:38 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-09 12:38 . 2009-12-09 12:38 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-09 12:38 . 2009-12-09 12:38 641632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-09 12:38 . 2009-12-09 12:38 816272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-09 12:38 . 2009-12-09 12:38 822904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-09 12:38 . 2009-12-09 12:38 1638640 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-09 12:38 . 2009-12-09 12:38 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-09 12:38 . 2009-12-09 12:38 1184912 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-09 04:33 . 2007-06-08 00:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-09 04:30 . 2007-06-08 00:33 -------- d-----w- c:\program files\Lavasoft
2009-12-09 04:30 . 2007-06-08 00:16 -------- d-----w- c:\programdata\Lavasoft
2009-12-09 04:12 . 2007-06-08 00:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-09 03:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 02:59 . 2007-10-17 21:01 -------- d-----w- c:\programdata\McAfee
2009-12-08 23:49 . 2009-12-08 23:49 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-04 14:32 . 2008-11-26 04:33 -------- d-----w- c:\program files\Google
2009-11-27 02:27 . 2007-03-09 11:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-27 02:26 . 2007-03-09 12:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-27 02:26 . 2007-03-09 12:04 -------- d-----w- c:\programdata\Symantec
2009-11-21 06:40 . 2009-12-09 03:25 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 03:25 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 03:25 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 03:25 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 14:55 . 2009-11-19 14:55 439816 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\setup.exe
2009-11-19 14:55 . 2009-11-19 14:55 118784 ----a-w- c:\users\The Coppola's\AppData\Roaming\Real\Update\recsetup\install.dll
2009-11-05 14:12 . 2009-11-05 14:09 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 14:09 . 2009-11-05 14:09 -------- d-----w- c:\users\The Coppola's\AppData\Roaming\TweakNow PowerPack 2009
2009-11-05 01:11 . 2009-11-05 01:11 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-04 21:54 . 2009-11-04 21:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-20 21:46 . 2009-10-09 03:47 7 ----a-w- c:\windows\sbacknt.bin
2009-10-20 18:07 . 2009-10-20 15:31 -------- d-----w- c:\program files\adnqbh
2009-10-16 07:07 . 2007-03-09 11:57 -------- d-----w- c:\program files\Microsoft Works
2009-10-09 03:47 . 2009-10-09 03:47 152904 ----a-w- c:\windows\system32\vghd.scr
2009-10-03 08:15 . 2009-12-09 04:32 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-09-14 09:44 . 2009-10-16 03:05 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\adnqbh ----
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-05-07 380928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-19 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-19 133656]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [12/9/2009 7:39 AM 64288]
S2 0052791260327350mcinstcleanup;McAfee Application Installer Cleanup (0052791260327350);c:\users\THECOP~1\AppData\Local\Temp\005279~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\users\THECOP~1\AppData\Local\Temp\005279~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 1:32 PM 208896]
S2 gupdate1c9e122120b6107;Google Update Service (gupdate1c9e122120b6107);c:\program files\Google\Update\GoogleUpdate.exe [5/30/2009 7:27 AM 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 12:13 PM 29696]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
S3 FlyUsb;FLY Fusion;c:\windows\System32\drivers\FlyUsb.sys [11/25/2008 12:39 PM 19456]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [4/8/2009 7:50 PM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 17:42
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(2292)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2009-12-11 17:53:29
ComboFix-quarantined-files.txt 2009-12-11 22:53
Pre-Run: 91,257,663,488 bytes free
Post-Run: 90,688,458,752 bytes free
- - End Of File - - 151C43B2ECDCF9A7E475918A511C335A
Hi,
Delete the c:\program files\adnqbh folder. Did you uninstall old Javas and other vulnerable programs as instructed? What kind of issue did you have with the Kaspersky run?
eighteyedspy
2009-12-13, 23:09
Hey,
I uninstalled everything that you listed and reinstalled with updated versions. Also I got Kaspersky to finish. Here is that log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, December 13, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, December 13, 2009 12:40:50
Records in database: 3366562
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics:
Objects scanned: 247263
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 05:14:31
No threats found. Scanned area is clean.
Selected area has been scanned.
Good. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
A. To disable the System Restore feature:
1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.
B. Reboot.
C. Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.
Now let's uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall into the Run box and click OK.
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
1. Click the Start button (at the lower left hand corner of your screen).
2. Click Run. In the dialog box, type services.msc and hit Enter.
3. Locate DNS Client, highlight it, then double-click it.
4. In the dropdown box, change the setting from Automatic to Manual.
5. Click OK.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update site frequently. It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
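As an added example that is not part of the original thread (neither Blade's nor any tool's own code), the following PowerShell performs the hardening steps from the post above from the command line instead of the GUI: it audits and sets the six Internet-zone settings through the per-user Zones\3 registry key, sets the DNS Client service to Manual as the hosts-file note suggests, and reads back the EnableLUA value that the ComboFix log earlier in this thread shows as 0 (User Account Control switched off). The mapping of the listed settings to action IDs 1001, 1004, 1201, 1800, 1804 and 1607, and the value meanings 0/1/3, follow Microsoft's URL-action documentation but are an assumption to verify against your IE build. It assumes Windows PowerShell 5.1 or later, run elevated.

```powershell
# Added example, not from the original thread. Audits and applies the hardening steps
# in the post above from an elevated PowerShell prompt (5.1 or later assumed).
# Action IDs and the 0/1/3 value meanings follow Microsoft's URL-action documentation
# for the Internet zone; treat the mapping as an assumption and verify for your IE build.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone

# Desired state for the six settings the post lists. 0 = Enable, 1 = Prompt, 3 = Disable.
$Wanted = [ordered]@{
    '1001' = 1   # Download signed ActiveX controls                           -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                         -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe  -> Disable
    '1800' = 1   # Installation of desktop items                              -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME                  -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains               -> Prompt
}

function Get-IeZoneDrift {
    # Returns one object per action whose current value differs from the wanted value.
    # A missing value is reported as $null (IE then falls back to its built-in default).
    param(
        [string]$Path = $ZonePath,
        [System.Collections.IDictionary]$Desired = $Wanted
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($id in $Desired.Keys) {
        $current = $props.$id
        if ($current -ne $Desired[$id]) {
            [pscustomobject]@{ Action = $id; Current = $current; Wanted = $Desired[$id] }
        }
    }
}

function Set-IeZoneHardening {
    # Writes only the values that drift from the desired state. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $ZonePath,
        [System.Collections.IDictionary]$Desired = $Wanted
    )
    foreach ($d in Get-IeZoneDrift -Path $Path -Desired $Desired) {
        $target = "$Path : action $($d.Action)"
        if ($PSCmdlet.ShouldProcess($target, "Set $($d.Current) -> $($d.Wanted)")) {
            Set-ItemProperty -Path $Path -Name $d.Action -Value $d.Wanted -Type DWord
        }
    }
}

function Set-DnsClientManual {
    # The post's hosts-file workaround: a large hosts file can slow lookups, so set the
    # DNS Client (Dnscache) service to Manual. Newer Windows builds protect this service
    # and may refuse the change even when elevated; that error is left to surface as-is.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'"
    if ($svc.StartMode -ne 'Manual' -and $PSCmdlet.ShouldProcess('Dnscache', 'Set startup type to Manual')) {
        Set-Service -Name Dnscache -StartupType Manual
    }
    Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'" | Select-Object Name, State, StartMode
}

function Get-UacState {
    # The ComboFix log earlier in this thread shows "EnableLUA"= 0 under Policies\System,
    # i.e. User Account Control is off. 1 is the Vista default; changing it needs a reboot,
    # so this function only reports and does not write.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    [pscustomobject]@{ EnableLUA = $v; UacEnabled = ($v -eq 1) }
}

# Usage: report first, then apply.
Get-IeZoneDrift | Format-Table -AutoSize
Get-UacState
Set-IeZoneHardening -WhatIf          # preview; drop -WhatIf to write the values
Set-DnsClientManual -WhatIf
```

Two caveats when using it: if the Internet zone is managed by Group Policy, the values under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 take precedence and the HKCU values this script writes are ignored, and Get-IeZoneDrift reporting a Current of $null means the action has never been set explicitly rather than that it is disabled.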
eighteyedspy
2009-12-14, 23:16
Blade,
I finished following the rest of your instructions. My computer is running properly again and I have not had any trouble since. Again I thank you for your time, patience, and help.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.