
Trojan, like WinSecurityCenter, onboard



lucky13
2010-09-02, 04:00
Just lost my text, why am I being logged-off so quickly? I should compose in notepad or wordpad maybe. Or copy to clipboard.
After son used late 8/29. Came up for me afternoon 8/30. Warnings of keylogger, trojan etc. followed by profuse popups of prompt to buy their "fix". TaskMan ctrl-alt-del flash open/shut but each time left another perf. graph icon in tray (got up to about a dozen). Same w/SpyBot. Turn off delayed with me near panic at intensifying popups but shutdown before I could pull the plug.
Safe mode system restore worked, updated & ran SpyBot, only 3 tracking cookies. Went to here, safer-networking to investigate and it all started over when I got to this forum (really). Hit every F button, esc, combos, etc. then numlock broke it off enough to shutdown again. Restored to earlier still point. Had left it w/o net connection and checked some old email data I needed, then took a break myself.
Later, updated SpyBot again, different, newer but not current (to 8/30) update (weird, same?). No issues. Notice In my SpyBot FAQ #23 (listed as 2nd #22 in list 23 in text) possible CoolWWWSearch.SmartKiller similarity. Downloaded delcwssk fix, unzipped, ran, said file does not exist. Did this twice. File too old? or does the Trojan do this?
No other fixes/tools tried, registry backed up with ERUNT. Have not backed up data yet but will do asap before your response. I will need to disable teatimer then too. I think only the text DDS is asked for now, but the attach is ready. Thank you very much.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Your Daddy at 18:09:23.99 on Wed 09/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.1969 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\dldtcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Your Daddy\Desktop\dds.com
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = https://wwws.ameritrade.com/apps/LogIn
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - __BHODemonDisabled
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll__BHODemonDisabled
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"
mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\yourda~1\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\docume~1\yourda~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: microsoft.com\www.update
Trusted Zone: wachovia.com\onlinebanking1
Trusted Zone: wachovia.com\onlinebanking2
Trusted Zone: wachovia.com\onlineservices
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vcuhsra.mcvh-vcu.edu/vdesk/terminal/f5tunsrv.cab#version=6031,2009,1204,1610
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://vcuhsra.mcvh-vcu.edu/vdesk/terminal/InstallerControl.cab#version=6031,2009,1204,1613
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - hxxps://vcuhsra.mcvh-vcu.edu/vdesk/terminal/vdeskctrl.cab#version=6031,2009,1212,1610
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://vcuhsra.mcvh-vcu.edu/vdesk/terminal/urxshost.cab#version=6031,2009,1204,1608
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vcuhsra.mcvh-vcu.edu/vdesk/terminal/urxhost.cab#version=6031,2009,1204,1604
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-5 201320]
R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-5 358224]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-5 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-5 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-5 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-5 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-5 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-5 40488]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2008-2-25 99568]

=============== Created Last 30 ================

2010-09-01 22:05:32 0 d-----w- c:\windows\ERuNT
2010-08-31 23:51:48 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-30 03:06:48 120 ----a-w- c:\windows\Dgoyo.dat
2010-08-30 03:06:48 0 ----a-w- c:\windows\Nzumupufaxawiro.bin
2010-08-30 03:03:17 397 ----a-w- c:\documents and settings\your daddy\exe.js

==================== Find3M ====================

2010-06-20 01:25:40 2136 ----a-w- c:\docume~1\yourda~1\applic~1\wklnhst.dat
2009-12-13 20:24:03 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 18:10:25.51 ===============

ken545
2010-09-05, 17:05


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Looking at a possible rootkit type of infection, not sure until we run some scans.

Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.

lucky13
2010-09-07, 08:42
ken545 - I'm having terrible trouble with the bug - rootkit, trojan whatever - in that it's letting me start and run the gmer scan but after an hour-and-a-half, at least, into the scan, it finds a way to hang the system up. I've done this three times now (plus a stop/abort of my own to make sure I disabled tea timer).
The 1st time it looked like the scan was finished but when I hit "save", gmer froze up. I had left the forum page open (thinking that open is different than running which you wanted no programs to be. IE w/no other pages up?) and trying to close its IE window froze up and then "turn off computer" froze too (two out of three shut downs, incl. this one, were of the hold-the-button-in type).
After a safe mode restore to an even earlier restore point (as all my startups today, beginning and after each subsequent bug attack, were), with nothing open the next two were ended by a black screen, like power-saving, with a sluggish return/refresh that showed errors in windows, status bars, the taskbar and notif.tray etc. which spelled another freeze-up. Several new, unfamiliar boxes came up too, with some persistence. The last try I sat and watched and the black screen came a few times but I brought it back just by moving the mouse (like at power-saving), and one time it quickly, after the black had been averted, brought up the WindowsXP screensaver screen (not in motion) which I never use (not any scrnsvrs).
After this last one and the restore bootup, I noticed the network connection icon was in the tray though I had left it disabled. I immediately disabled it and then went to "network connections" to see what happened and there was a NEW CONNECTION SETUP THERE. It was called "Broadband Connection WAN" and I think PPP2 or something like that. I was so surprised I removed it immediately. I did enable my regular LAN connection to post this (It's not posted til it's posted though! I hope this gets through or I'll have to go to a friend's tomorrow).
I'm now looking at a popup for Registry Cleaner with the same format as the earlier attacks but it is just sitting there, has been 15 min. Oh yeah, I think an unchecked firewall exception was checked as well, maybe two, so I've changed that again.
One background thing I remembered is that 2 mos. ago I downloaded what I thought was a trial version of UniBlue Registry something. I thought I checked it out first but it was very aggressive and pushy. I did seem to get rid of/uninstall it back then but who knows?
OK so the reg.cleaner thing just switched to "downloading registry repair software" which IE is telling me it has blocked from doing (I had disabled the LAN at the same time). The site it wants to download from is:


Anyway, can I run gmer in safe mode? If so, can I post it from safe mode? Is there something else we should try at this point? Please note the small changes I mentioned about firewall exceptions. I deleted Dell data-safe online too, which I had never activated or installed (couldn't back up with it - had expired).
Well, Thank you and I'm sorry this has gotten so mucky. I hope this posts (I'm saving to notepad first). regards Bill "lucky13"

ken545
2010-09-07, 11:22
Hello Bill,

Let's forget GMER for the time being and run this program. Be sure to follow the instructions for renaming it and download to your desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

lucky13
2010-09-08, 01:43
ken545 - downloaded ComboFix OK, opened and downloaded Windows recovery console just fine, but 2 min. into the malware scan screen blacks out, then BLUE SCREEN OF CRITICAL CONDITION: windows has shutdown to prevent damage to your hardware and data. The next thing down the screen is simply: BAD_POOL_CALLER . There were some memory addresses (I assume) at the bottom after stop:. If you need 'em . . .?
Instructions were to restart (which I did 2 more times with the same result, each time having to disable all of the anti - spy,virus etc. as instr't'd). Next I was to boot safe mode and disable any new hard or software that may be the cause. I wasn't going to disable combofix but I thought I'd run it but it's unavailable in safe mode. I tried recovery console too but didn't enter the first thing and got out of there. Guess I do know enough to not go there without a guide.
Any thoughts? anything else to disable? I think I got everything. McAfee had more than just anti-virus in the comp.&files config. - spyware, SystemGuard and script scanning. Internet&netwrk had firewall and personal info protect. I disabled them all. And spybot resident - that's TeaTimer isn't it?
Oh well. I've got it bad I guess. Thanks. lucky13

lucky13
2010-09-08, 02:12
ken545 - I forgot that the last instruction from that blue screen was to go to BIOS setup and disable memory items like cache and shadowing. My BIOS setup does not offer any options in that regard (My chipset has an integrated L2 cache; don't know if that's why the BIOS doesn't have any cache option). So, no can do. Regards, Bill

ken545
2010-09-08, 02:43
BAD_POOL_CALLER <--This is a hardware problem, can be anything from bad memory, maybe memory sticks that have become unseated, it can also signal a failing hard drive.

See if you can run this program and if not I will link you to a windows forum that can help you analyze your hardware


Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

lucky13
2010-09-08, 06:06
OK Ken, that one seems to have done its thing - no hangups.
So far I notice I still get a new window redirect when I come to safer-networking.org - open to full window with trial news and, when you close, boxes that say "cancel to find out more", then another, then closes, then a new window and that one does close first time.
That BAD_POOL_CALLER incident, you said memory sticks unseated, I thought SD card, which I'd left in the socket. I tried combofix again but, same problem. That still may be something I should look into.
Well, I'm ready for the next step when you are. Thanks! luckyBill13


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4565

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/7/2010 10:09:19 PM
mbam-log-2010-09-07 (22-09-19).txt

Scan type: Quick scan
Objects scanned: 159925
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Your Daddy\Local Settings\Temp\exe.exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Your Daddy\Local Settings\Temp\hmtlvkTYHi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Your Daddy\Local Settings\Temp\xcwEuFvdUP.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Your Daddy\Local Settings\Temp\0.6715883474425943.exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Your Daddy\Local Settings\Temp\58EB.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Your Daddy\Local Settings\Temporary Internet Files\Content.IE5\N3VUFOJS\setup[2].exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Your Daddy\Local Settings\Temporary Internet Files\Content.IE5\WWC2VUAR\setup[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Your Daddy\Local Settings\Temp\0.25053870379223475.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

lucky13
2010-09-08, 06:32
Also Ken, when I re-enabled TeaTimer I went ahead and updated SpyBot S&D definitions etc. There were many there from as long ago as June. Could they have been hidden from me? I updated regularly. I haven't run the scan yet, I'll wait for your OK.
I need to get new AV and firewall programs. If you have 2cents to put in on that I'd be interested in hearing. I've looked at a few threads in the forum and will check out more. I appreciate your help. Bill

ken545
2010-09-08, 11:23
Bill,

Running Spybot right now won't help so hang off a bit on running a scan.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.




Let's try running Combofix in Safemode, but first drag the current version to the trash and download a fresh copy.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop




To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

lucky13
2010-09-08, 23:54
ken545 - ok, went well; am left w/o all my program settings though I guess. Couldn't open combo before because I'd logged as administrator but had saved to desktop in my user (even though that's the user/admin. permissions) I thought that was a safemode thing but I didn't 2nd guess it right. So, here is the combofix log. I guess you'll tell me what to do next, if any. I haven't done enough here to see any problems. Fingers crossed.


ComboFix 10-09-08.01 - Your Daddy 09/08/2010 16:19:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2642 [GMT -4:00]
Running from: c:\documents and settings\Your Daddy\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Your Daddy\Local Settings\Application Data\{FA3C19F8-00D6-4648-BA63-9977F4967F4B}
c:\documents and settings\Your Daddy\Local Settings\Application Data\{FA3C19F8-00D6-4648-BA63-9977F4967F4B}\chrome\content\_cfg.js
c:\documents and settings\Your Daddy\Local Settings\Application Data\{FA3C19F8-00D6-4648-BA63-9977F4967F4B}\chrome\content\overlay.xul
c:\documents and settings\Your Daddy\Local Settings\Application Data\{FA3C19F8-00D6-4648-BA63-9977F4967F4B}\install.rdf

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.

2010-09-08 01:17 . 2010-09-08 01:17 -------- d-----w- c:\documents and settings\Your Daddy\Application Data\Malwarebytes
2010-09-08 01:17 . 2010-09-08 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-08 01:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-08 01:17 . 2010-09-08 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-08 01:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-07 21:59 . 2010-09-07 21:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-09-07 03:49 . 2010-09-07 03:49 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-07 03:48 . 2010-09-07 03:48 -------- d-----w- c:\program files\Dell DataSafe Online
2010-09-01 22:05 . 2010-09-01 22:05 -------- d-----w- c:\windows\ERuNT
2010-09-01 22:01 . 2010-09-07 03:48 -------- d-----w- c:\program files\ERUNT
2010-09-01 00:04 . 2010-09-07 03:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-08-30 03:06 . 2010-08-30 16:16 0 ----a-w- c:\windows\Nzumupufaxawiro.bin
2010-08-30 03:06 . 2010-08-30 03:06 120 ----a-w- c:\windows\Dgoyo.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 19:54 . 2009-03-14 22:24 -------- d-----w- c:\program files\Dell V305
2010-08-31 22:55 . 2009-03-05 06:06 34776 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-17 18:51 . 2010-07-17 18:51 -------- d-----w- c:\documents and settings\Your Daddy\Application Data\Uniblue
2010-06-20 01:25 . 2009-05-16 02:02 2136 ----a-w- c:\documents and settings\Your Daddy\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"dldtmon.exe"="c:\program files\Dell V305\dldtmon.exe" [2008-06-24 668912]
"dldtamon"="c:\program files\Dell V305\dldtamon.exe" [2008-06-24 16624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\Your Daddy\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - c:\jts\WiseUpdt.exe [2009-6-1 194775]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-3-5 50688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-05 06:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" /m
"IgfxTray"=c:\windows\system32\igfxtray.exe
"RTHDCPL"=RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldttime.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NinjaTrader 6.5\\bin\\NinjaTrader.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell V305\\frun.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtjswx.exe"=
"c:\\Program Files\\Dell V305\\dldtmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\system32\\dldtcoms.exe"=
"c:\\WINDOWS\\Installer\\{551C7C27-3BE9-4568-B056-E926D154C2E3}\\_8C90EB305EDA70EAF5E368.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\TunnelServer.exe"=

R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2/25/2008 12:38 PM 99568]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-05 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = https://wwws.ameritrade.com/apps/LogIn
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: microsoft.com\www.update
Trusted Zone: wachovia.com\onlinebanking1
Trusted Zone: wachovia.com\onlinebanking2
Trusted Zone: wachovia.com\onlineservices
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-09-08 16:25:01
ComboFix-quarantined-files.txt 2010-09-08 20:24

Pre-Run: 482,675,785,728 bytes free
Post-Run: 482,647,711,744 bytes free

- - End Of File - - 1F6E3DDCDF70ACC6BBD08202B60604B2

ken545
2010-09-09, 00:41
Hi,

We're making progress. These two files look like they're part of a rootkit. By the way, the dirt bags that write all this garbage try to infect anything they can and your cd driver file was infected and causing you some grief.



Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the OTM icon on your desktop.
Paste the following code into the "Paste Instructions for Items to be Moved" area.
Do not include the word "Code".



:Processes
explorer.exe

:Services

:Reg

:Files
c:\windows\Nzumupufaxawiro.bin
c:\windows\Dgoyo.dat


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Push the large MoveIt! button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the Results line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




Post the report and then try to run GMER again. If it gives you problems, you can also try running it in Safe Mode.

Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
(A screenshot of these settings: http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please copy and paste the report into your Post.
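
Reading a GMER log by hand gets tedious once it runs to hundreds of lines, and what a helper actually looks for is narrow: which driver owns the kernel hooks (GMER names the owning image and its description in parentheses), and which user-mode processes carry inline JMP hooks whose target GMER could not attribute to any loaded module. The script below is an added example for this thread, not a GMER feature and not something posted by ken545 or lucky13; the regular expressions are one reading of GMER 1.0.15's text layout, and the sample log is constructed for the demo. It only sorts entries into "attributed" and "unattributed"; given the false-positive caution above, the output is a starting point for examination, not a verdict.

```python
"""Triage helper for a GMER 'ark.txt' rootkit-scan log (added example; not part
of GMER or of this thread). Summarises kernel hooks per owning driver and
user-mode inline hooks per process, flagging JMP targets that GMER could not
attribute to any loaded module. Regexes follow GMER 1.0.15's text layout."""
import re
from collections import defaultdict

# System section: "Code <driver> (<description>) <Nt/Zw routine> [0xADDR]"
KERNEL_CODE = re.compile(
    r"^Code\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
# Kernel code sections: ".text ntkrnlpa.exe!ZwX 80504AE8 7 Bytes JMP A8B519D8 <driver> (<desc>)"
KERNEL_INLINE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<image>[^\s!]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\)\s*$"
)
# User code sections: ".text <process>[pid] <dll>!<export>[ + off] <addr> <n> Bytes JMP <target>[ <owner> (<desc>)]"
# or the leftover bytes after a short JMP: "... 2 Bytes [04, 89] {ADD AL, 0x89}"
USER_HOOK = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^\s!]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<off>\d+))?\s+(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?|(?P<raw>\[.*))\s*$"
)


def triage(log_text):
    """Return (kernel, procs): kernel maps owning driver -> set of hooked routines;
    procs maps 'image[pid]' -> counters of attributed / unattributed / byte-patch entries."""
    kernel = defaultdict(set)
    procs = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = KERNEL_CODE.match(line) or KERNEL_INLINE.match(line)
        if m:
            kernel[m.group("owner")].add(m.group("func"))
            continue
        m = USER_HOOK.match(line)
        if not m:
            continue  # headers, blank lines, other sections
        key = f"{m.group('proc')}[{m.group('pid')}]"
        e = procs.setdefault(key, {"attributed": 0, "unattributed": 0, "patched": 0,
                                   "apis": set(), "owners": set()})
        e["apis"].add(f"{m.group('dll').lower()}!{m.group('func')}")
        if m.group("raw") is not None:
            e["patched"] += 1          # trailing bytes of a patch, nothing to attribute
        elif m.group("owner"):
            e["attributed"] += 1       # GMER found the JMP target inside a loaded image
            e["owners"].add(m.group("owner"))
        else:
            e["unattributed"] += 1     # JMP into memory no module claims: examine first
    return kernel, procs


def suspicious_processes(procs):
    """Processes carrying at least one hook whose target GMER could not attribute."""
    return sorted(k for k, v in procs.items() if v["unattributed"])


def report(log_text):
    kernel, procs = triage(log_text)
    out = [f"kernel: {owner} hooks {len(funcs)} routines ({', '.join(sorted(funcs))})"
           for owner, funcs in sorted(kernel.items())]
    for proc, e in sorted(procs.items(), key=lambda kv: kv[0].lower()):
        tag = "CHECK" if e["unattributed"] else "ok   "
        out.append(f"{tag} {proc}: attributed={e['attributed']} unattributed={e['unattributed']} "
                   f"patched={e['patched']} apis={len(e['apis'])}")
    return out


# Constructed sample in GMER 1.0.15 layout (not a real scan): one vendor driver hooking
# the kernel, one process whose hook resolves to a module, two whose hooks do not.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8B519AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A8B519D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A60FEF
.text C:\WINDOWS\Explorer.EXE[300] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C170 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40F8D
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved ark.txt by reading the file into `report()`. An unattributed target means only that the JMP lands in memory no loaded module claims; both injected malware and some security products place their trampolines that way, so the next step is to look at what lives at that address in the flagged process, not to delete anything on the strength of this list.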

lucky13
2010-09-10, 05:13
OTM quick & simple, here's log. On to gmer so I shall return.

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\Nzumupufaxawiro.bin moved successfully.
c:\windows\Dgoyo.dat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 321 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 321 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 589 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 1565 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 16770 bytes

User: Your Daddy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 10274041 bytes
->Java cache emptied: 85208728 bytes
->Flash cache emptied: 79784 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 7853 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 48460259 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 137.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 09092010_215209

Files moved on Reboot...
C:\Documents and Settings\Your Daddy\Local Settings\Temporary Internet Files\Content.IE5\O0OUB11N\showthread[3].htm moved successfully.
C:\Documents and Settings\Your Daddy\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

lucky13
2010-09-10, 06:18
Ken, I got gmer done. It went smoothly but after I saved the log and ended gmer, when I went to post here, IE froze up, the taskbar and the desktop froze up and I had to hold button to shut down, then reboot. Don't know about that. Maybe some of McAfee came back enabled after otm reboot - yeah, it would have. Hope that's all it is and that it caused no other problems - probably should be noted though. I have to remember that every time, it's in the startup.
Here's gmer's ark.txt file:
---------------------------------------------------------------------------------------------------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-09 22:54:21
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\YOURDA~1\LOCALS~1\Temp\fxtdqpob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8B519AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8B51958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA8B5196C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8B519EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8B51930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8B51944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8B519BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8B51996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8B51982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8B51A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8B51A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8B519D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A8B519D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A8B519AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A8B519EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A8B51A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A8B519C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A8B51934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A8B51948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A8B51986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A8B51970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A8B5195C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A8B5199A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A8B51A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A60FEF
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01A60095
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01A6007A
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01A60069
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01A60058
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01A6002C
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01A600C1
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01A600A6
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01A60F5E
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01A600ED
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01A60F43
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01A60047
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01A60000
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01A60F85
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01A6001B
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01A60FCA
.text C:\WINDOWS\Explorer.EXE[300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01A600DC
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A50FD4
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A50FB9
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A50025
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A5000A
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A50076
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A50FEF
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01A5005B
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A5004A
.text C:\WINDOWS\Explorer.EXE[300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF002C
.text C:\WINDOWS\Explorer.EXE[300] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FA1
.text C:\WINDOWS\Explorer.EXE[300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FC6
.text C:\WINDOWS\Explorer.EXE[300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\Explorer.EXE[300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF001B
.text C:\WINDOWS\Explorer.EXE[300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\Explorer.EXE[300] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\Explorer.EXE[300] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00FD000A
.text C:\WINDOWS\Explorer.EXE[300] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\Explorer.EXE[300] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00FD0FC3
.text C:\WINDOWS\Explorer.EXE[300] ws2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C170 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1F0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0004009A
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040FA5
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0004007D
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0004006C
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040040
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000400D2
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000400C1
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F65
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000400FE
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040119
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040051
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040F94
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0004002F
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FD4
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000400E3
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070080
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F89
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060F9A
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FBC
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FAB
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FD7
.text C:\WINDOWS\system32\services.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD009B
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD008A
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD006F
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0054
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD00B6
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F7A
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD0F38
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD00DB
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00EC
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FC3
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F8B
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD002F
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0014
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD0F53
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FB9
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40F61
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F7C
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40F8D
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40F9E
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30FB2
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30018
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E30033
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\system32\lsass.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F79
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00F8A
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F0006E
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00051
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00036
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F000A4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F00089
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000C9
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F00F30
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F000E4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FAF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F00F68
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F00FCA
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F00F41
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90047
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F90FE5
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F90036
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F90F94
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [19, 89]
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F90FAF
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F80FC3
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F80029
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F8004E
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C8008E
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C8007D
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C8006C
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80051
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C800C4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C800B3
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C80101
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C800F0
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C80112
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80040
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C80F88
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C800DF
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB0FA5
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB0036
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB0FC0
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CB006C
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB005B
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0044
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0029
.text C:\WINDOWS\system32\svchost.exe[1012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02900000
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02900F26
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02900F37
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02900F48
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02900F65
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02900011
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02900051
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02900F0B
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02900076
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02900EDD
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02900EC2
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02900F8A
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02900FE5
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02900036
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02900FA5
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02900FCA
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02900EEE
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 039A0FA8
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 039A0054
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 039A0FC3
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 039A0FDE
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 039A002F
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 039A0FEF
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 039A001E
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 039A0F97
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03990056
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 03990FC1
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03990FD2
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03990000
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03990027
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03990FE3
.text C:\WINDOWS\System32\svchost.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03980FEF
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 03970FEF
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 0397000A
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 03970FDE
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 03970025
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780078
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F79
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0078005D
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780F94
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0078002F
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0078009F
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780F57
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780F2B
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F46
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007800D5
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780040
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0078000A
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00780F68
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00780FCD
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00780FDE
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007800C4
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007B0FB9
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007B0040
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007B002F
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007B0FE5
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007B0F8D
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9B, 88]
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007B0F9E
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007A0050
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 007A003F
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007A001D
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007A002E
.text C:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007A000C
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0079000A
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E70F55
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E70F7A
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E70054
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E70043
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E70F97
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E7008C
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E7006F
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E700B8
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E700A7
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E70F04
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E70028
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E70F44
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E70FC3
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E70F29
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E60FDB
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E60FAF
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E6002C
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E6001B
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E6006C
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E60FCA
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [06, 89]
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E60047
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E50FC3
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E5004E
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E50022
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E50033
.text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E50011
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C2008C
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C2007B
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C2006A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20043
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20FBC
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C200B3
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F6B
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C200FA
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200DF
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C2010B
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20FA1
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C20014
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20F7C
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20FCD
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C200CE
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90047
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90F8A
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80FB4
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80049
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8002E
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80FD9
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C8001D
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900087
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F92
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900076
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900051
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009000AC
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F5A
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009000C7
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900F38
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F13
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900F77
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900040
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00900F49
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FD1
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F80
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0022
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0F9B
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0FAC
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD003D
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930FCD
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930058
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0093003D
.text C:\WINDOWS\system32\svchost.exe[1592] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930011
.text C:\WINDOWS\system32\svchost.exe[1592] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1592] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00910025
.text C:\WINDOWS\system32\svchost.exe[1592] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00910036
.text C:\WINDOWS\system32\svchost.exe[1592] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00910047
.text C:\WINDOWS\system32\svchost.exe[1592] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\SearchIndexer.exe[1704] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00250000
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00250F6D
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0025006C
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0025005B
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00250FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00250FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002500B5
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0025009A
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00250F48
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002500E1
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00250F37
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00250040
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00250FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0025007D
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0025002F
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00250FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002500C6
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00340FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00340F72
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0034001E
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00340FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0034002F
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00340FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00340F97
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [54, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00340FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00350042
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00350FB7
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0035000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0035001D
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00350FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 015D0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 015D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 015D001B
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 015D002C
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01CC0FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A74DBD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

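As an added analyst-side example (not part of the original thread, and not GMER's own code), here is a Python parser for the user-mode hook lines in the GMER log above; it sorts each hook into ones GMER attributes to a named module (IEFRAME.dll, MSSRCH.DLL) and ones that jump into memory no loaded module owns, which is the first distinction an analyst draws before deciding, as ken545 does next, whether a hook log "looks ok". The sample lines are copied from the posted log; GMER itself never says who placed an unattributed hook, so that judgement still comes from the rest of the log.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of hook lines copied from the GMER 1.0.15 log above.
# It is a small subset of the posted log, not the whole thing.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007B0F8D
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9B, 88]
.text C:\WINDOWS\system32\SearchIndexer.exe[1704] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01CC0FEF
"""

# One ".text" hook line: process image and PID, hooked export (optionally "+ offset"),
# original address and patch length, then either "JMP <target> [owning module]" or,
# for a hook GMER reports in two pieces (2 bytes + 3 bytes), the raw patched bytes.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<owner>\S.*?))?|\[(?P<patch>[^\]]+)\])\s*$"
)


def parse_hooks(text):
    """Parse every GMER user-mode hook line in `text` into a dict; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, device lines, blank lines
        d = m.groupdict()
        hooks.append({
            "process": f"{d['image']}[{d['pid']}]",
            # module name case varies between lines (WS2_32.dll / ws2_32.dll), so normalise it
            "api": f"{d['module'].lower()}!{d['func']}",
            "offset": int(d["offset"]) if d["offset"] else 0,
            "addr": int(d["addr"], 16),
            "nbytes": int(d["nbytes"]),
            "target": int(d["target"], 16) if d["target"] else None,
            "owner": d["owner"],   # module GMER resolved the JMP target to, or None
            "patch": d["patch"],   # raw bytes of a split hook's second half, or None
        })
    return hooks


def triage(hooks):
    """Group hooks per process into the three buckets an analyst reads differently:
    attributed   - GMER resolved the JMP target to a named module on disk,
    unattributed - JMP into memory that belongs to no loaded module (injected code;
                   a HIPS product or a rootkit, which the rest of the log must decide),
    split        - continuation lines carrying the remaining bytes of a 2+3 byte patch.
    """
    out = defaultdict(lambda: {"attributed": [], "unattributed": [], "split": []})
    for h in hooks:
        if h["patch"] is not None:
            bucket = "split"
        elif h["owner"]:
            bucket = "attributed"
        else:
            bucket = "unattributed"
        out[h["process"]][bucket].append(h["api"])
    return dict(out)


def unattributed_apis(hooks):
    """APIs redirected into anonymous memory, across all processes. One consistent set
    (file, registry, process-creation and socket APIs) repeated in every process points
    to a single system-wide injector rather than per-process tampering."""
    return {h["api"] for h in hooks if h["target"] is not None and not h["owner"]}


def processes_with_unattributed(hooks):
    """Processes that carry at least one hook into anonymous memory."""
    return sorted({h["process"] for h in hooks if h["target"] is not None and not h["owner"]})


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for proc, buckets in triage(hooks).items():
        print(proc)
        for name, apis in buckets.items():
            print(f"  {name:12s} {len(apis):3d}  {', '.join(apis)}")
    print("APIs hooked into anonymous memory:", sorted(unattributed_apis(hooks)))
```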
ken545
2010-09-10, 07:59
GMER log looks ok.

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

lucky13
2010-09-10, 19:38
Here's that ESET log. Since yesterday after I forgot to disable McAfee, a "potentially harmful program" warning has come up from Security Center several times that warned about Tool-NirCmd, said it was blocking it and did I want to remove it. Not being sure about our process or the needs of the various tools we've used, I elected to "close this alert", i.e. neither remove nor accept, to keep blocking. I did just disable McAfee before this scan though, but the location given was like the five with .exe ending (didn't copy the whole location - numbers etc.). I hope all of that is gone, as this shows.
Something else I should mention: I forgot, because this annoyance had occurred a couple of times before in the past year, to mention that one time during our process, while disabling TeaTimer, I went into SpyBot's startup tool (looking into unchecking McAfee so's not to have to keep disabling manually - thought better of that though) and without much thought DID uncheck a dubious entry, ctfmon32.exe. This one has a history of being legitimately used once, when my stepson visited from Korea, as a keyboard enhancement for Asian alphabets. But seeing it has trojan and worm variants using it in SpyBot's details, I had been unchecking it for startup. The time I'm mentioning I had noticed there were two startup lines for it, one checked which I undid. Last night there were three instances of it in start up so I again unchecked the last one added. So I'll have to remove this if it's still left after this process (there's another file, a redundant audio control, that also can harbor fugitive programs, that I'll get rid of too).
Anyway, here's the ESET log. I'm ready for the next step(s). Bill
-----------------------------------------------------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a0d18c1d664ae940b15ef0b50940f7bc
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-09-10 03:13:36
# local_time=2010-09-10 11:13:36 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776873 100 96 46066643 97909377 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=44446
# found=9
# cleaned=9
# scan_time=540
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP503\A0038372.exe a variant of Win32/Kryptik.GME trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0038397.exe a variant of Win32/Kryptik.GME trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0038415.exe a variant of Win32/Kryptik.GKU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0038416.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0038417.dll a variant of Win32/Cimag.DH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0038420.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP505\A0038496.exe Win32/TrojanDownloader.FakeAlert.BDA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP515\A0048272.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C

ken545
2010-09-10, 20:06
Hi,

That alert is not valid, it's a false positive by McAfee. When we uninstall Combofix it will go away.

The rest of what ESET found were backups of what Combofix removed and also some bad files in your System Restore program.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Reboot your computer

Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Create a new Restore Point <-- Very Important


Go to Start> All Programs> Accessories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it





Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.





Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.



How are things running now ????
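
An added example, not part of the thread and not ESET's or ComboFix's own code: a Python parser for the ESET Online Scanner log posted above that sorts each finding into ComboFix's Qoobox backup, a System Restore point (with its RP number), or a live path, which is the distinction ken545 draws and the reason the restore points get flushed. The sample log is constructed from three lines of the posted log plus one made-up C:\Temp finding, with the header's found/cleaned counts reduced to match.

```python
import re
from collections import Counter

# Constructed sample in the ESET Online Scanner log format posted above: the "# key=value"
# header, then one finding per line. Three findings are copied from the posted log; the
# C:\Temp line and the found/cleaned counts are made up so the sample checks out on its own.
SAMPLE_ESET_LOG = r"""
# version=7
# end=finished
# remove_checked=true
# scanned=44446
# found=4
# cleaned=4
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP504\A0038416.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP515\A0048272.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Temp\CONSTRUCTED-sample.exe a variant of Win32/Kryptik.GME trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Tail of a finding line: "(action) <32 hex chars> <flag>". The body before it is
# "<path> <detection name>", split separately because the path may contain spaces.
FINDING_TAIL_RE = re.compile(
    r"^(?P<body>.+?)\s+\((?P<action>[^()]+)\)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)
# A file inside a System Restore point: ...\_restore{GUID}\RP<n>\A00xxxxx.ext
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\")


def classify(path):
    """Return (kind, restore_point): where the file lived when ESET found it."""
    m = RESTORE_RE.search(path)
    if m:
        return "system-restore", m.group(1)
    if path.lower().startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-backup", None   # ComboFix's copy of something it already removed
    return "live", None                  # anywhere else: still present on the running system


def parse_finding(line):
    m = FINDING_TAIL_RE.match(line)
    if not m:
        return None
    tokens = m.group("body").split(" ")
    # Windows paths may contain spaces, but ESET detection names never contain a
    # backslash, so the path ends at the last token that does.
    last = max(i for i, t in enumerate(tokens) if "\\" in t)
    path = " ".join(tokens[:last + 1])
    kind, rp = classify(path)
    return {
        "path": path,
        "threat": " ".join(tokens[last + 1:]),
        "action": m.group("action"),
        "kind": kind,
        "restore_point": rp,
    }


def parse_eset_log(text):
    """Split the log into its '# key=value' header and the parsed finding lines."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        f = parse_finding(line)
        if f:
            findings.append(f)
    return {"header": header, "findings": findings}


def summarize(findings):
    counts = Counter(f["kind"] for f in findings)
    return {
        "counts": dict(counts),
        "restore_points": sorted({f["restore_point"] for f in findings if f["restore_point"]},
                                 key=lambda rp: int(rp[2:])),
        "live": [f["path"] for f in findings if f["kind"] == "live"],
        # any hit inside a restore point means an old restore would bring the infection back
        "flush_restore_points": counts["system-restore"] > 0,
    }


def consistent(log):
    """Header bookkeeping: the scan finished and found == cleaned == number of lines parsed."""
    h = log["header"]
    return h.get("end") == "finished" and h.get("found") == h.get("cleaned") == str(len(log["findings"]))


if __name__ == "__main__":
    log = parse_eset_log(SAMPLE_ESET_LOG)
    print("consistent:", consistent(log))
    for key, value in summarize(log["findings"]).items():
        print(f"{key}: {value}")
```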

lucky13
2010-09-10, 22:33
OTC didn't seem to go through its process the way you described. I don't think it downloaded anything though it might have been very quick. No prompt about firewall. Went right to cleanup button (no yes button), then prompt "are you sure?", then "reboot Y/N?". But all of the tools are still there, so that's a problem.
ComboFix is gone but it didn't show any disclaimer or option to select anything. Gone though. I've noticed some of the tools are not exactly like you explain. I'm sure they change their interfaces, menus etc. so often it would be hard to keep up. Seems a little worrisome to me, as a jumpy, malware-inflicted user.
On startup the desktop shows the taskbar as an incomplete graphic for a second, not the clean, crisp bar that pops up before icons populate it. The broadband network connection is also enabled, which I don't think I ever setup that way. Of course I know, for instance, that I had McAfee update disabled - others too. Many program settings were lost I'm guessing along the way here. So I can find my way out of that one I hope.
I thought I would remove those startup items I mentioned in my last post. There are others too. Some need uninstalling maybe? Can others be deleted? Can I do any of it from SpyBot? After that (and the OTC cleanup), I was thinking another restore point. Yes?
Thanks, lucky Bill

lucky13
2010-09-10, 22:54
KEN, I noticed that, actually, OTM was removed by OTC. At least that.

ken545
2010-09-10, 23:21
Yes, go ahead and create a new Restore point

Let's do this

Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.

Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe


Then this



Open HJT
Then open the Misc Tools section
Click on Generate a Startup List Log
Don't check the 2 boxes just yet.
Post the log into this thread

lucky13
2010-09-11, 02:36
Here's that 1st HJT StartupList Log -
---------------------------------------------------------------------------------------------------


StartupList report, 9/10/2010, 7:32:20 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16876)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dldtcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\MICROS~2\WkDStore.exe
C:\PROGRA~1\MICROS~2\wkcalrem.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\PROGRA~1\MICROS~2\wkgdcach.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Your Daddy\Start Menu\Programs\Startup]
Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Persistence = C:\WINDOWS\system32\igfxpers.exe
mcagent_exe = C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
dellsupportcenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
dldtmon.exe = "C:\Program Files\Dell V305\dldtmon.exe"
dldtamon = "C:\Program Files\Dell V305\dldtamon.exe"
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
McAntiPhishingBHO - c:\PROGRA~1\mcafee\msk\mcapbho.dll - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4}
(no name) - __BHODemonDisabled (file missing) - {5C255C8A-E604-49b4-9D64-90988571CECB}
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B}
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
(no name) - C:\Program Files\Windows Live\Toolbar\wltcore.dll (disabled by BHODemon) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}
JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McDefragTask.job

--------------------------------------------------

Enumerating Download Program Files:

[F5 Networks Dynamic Application Tunnel Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TunnelServerX.dll
CODEBASE = https://vcuhsra.mcvh-vcu.edu/vdesk/terminal/f5tunsrv.cab#version=6031,2009,1204,1610

[F5 Networks Auto Update]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Conflict.0\InstallerControl.dll
CODEBASE = https://vcuhsra.mcvh-vcu.edu/vdesk/terminal/InstallerControl.cab#version=6031,2009,1204,1613

[{7530BFB8-7293-4D34-9923-61A11451AFC5}]
CODEBASE = http://download.eset.com/special/eos/OnlineScanner.cab

[F5 Virtual Sandbox Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\vdeskctrl.dll
CODEBASE = https://vcuhsra.mcvh-vcu.edu/vdesk/terminal/vdeskctrl.cab#version=6031,2009,1212,1610

ken545
2010-09-11, 03:22
Not seeing anything bad on your startup log
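
As an added example (not code from the thread, and not what DDS or HijackThis run internally): a small Python script that reads the startup-log sections posted above into records so they can be reviewed mechanically. It splits the log on its dashed separators, parses the Run-key values, the Browser Helper Objects and the Downloaded Program Files entries, strips quoting and arguments to recover each image path, and raises two flags a reviewer looks for first: a BHO whose registration still exists but whose file is gone (the `(file missing)` line in the log), and an autostart image living in a user-writable directory. The `USER_WRITABLE` heuristic is my own triage pointer, not a verdict; the excerpt in `SAMPLE_LOG` is copied from the posted log and says nothing new about that machine.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Excerpt in the layout of the posted log (lines copied from the thread above).
SAMPLE_LOG = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Persistence = C:\WINDOWS\system32\igfxpers.exe
mcagent_exe = C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
dellsupportcenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

--------------------------------------------------

Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - __BHODemonDisabled (file missing) - {5C255C8A-E604-49b4-9D64-90988571CECB}
(no name) - C:\Program Files\Windows Live\Toolbar\wltcore.dll (disabled by BHODemon) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}

--------------------------------------------------

Enumerating Download Program Files:

[F5 Networks Dynamic Application Tunnel Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TunnelServerX.dll
CODEBASE = https://vcuhsra.mcvh-vcu.edu/vdesk/terminal/f5tunsrv.cab#version=6031,2009,1204,1610

[{7530BFB8-7293-4D34-9923-61A11451AFC5}]
CODEBASE = http://download.eset.com/special/eos/OnlineScanner.cab
"""

SEPARATOR = re.compile(r"^-{20,}\s*$", re.M)
RUN_ENTRY = re.compile(r"^([^=]+?) = (.*)$")
BHO_ENTRY = re.compile(r"^(.*?) - (.*) - (\{[0-9A-Fa-f-]{36}\})\s*$")
# Quoted or unquoted image path, with trailing arguments dropped.
IMAGE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|bat|cmd))"?(?:\s|$)', re.I)
# Directories an ordinary XP user can write to. Legitimate software sometimes
# lives here too, so a hit means "look twice", not "malware" (my heuristic).
USER_WRITABLE = re.compile(r"\\(?:Temp|Local Settings|Application Data|Recycler)\\", re.I)


def split_sections(text: str) -> List[List[str]]:
    """Split on the dashed separators; each section is its non-blank lines."""
    sections = []
    for chunk in SEPARATOR.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections.append(lines)
    return sections


def image_path(command: str) -> str:
    """'"C:\\x\\a.exe" /P foo' -> 'C:\\x\\a.exe'; unparsable commands are returned as-is."""
    m = IMAGE.match(command.strip())
    return m.group(1) if m else command.strip()


def parse_run_entries(lines: List[str]) -> List[Dict[str, str]]:
    key, entries = "", []
    for ln in lines[1:]:                       # lines[0] is the section header
        if ln.startswith(("HKLM\\", "HKCU\\")):
            key = ln                           # the Run key the following values belong to
            continue
        m = RUN_ENTRY.match(ln)
        if m:
            entries.append({"key": key, "name": m.group(1), "command": m.group(2),
                            "image": image_path(m.group(2))})
    return entries


def parse_bhos(lines: List[str]) -> List[Dict[str, str]]:
    return [{"name": m.group(1), "module": m.group(2), "clsid": m.group(3)}
            for m in map(BHO_ENTRY.match, lines[1:]) if m]


def parse_dpf(lines: List[str]) -> List[Dict[str, str]]:
    """Downloaded Program Files: ActiveX controls and the site each was fetched from."""
    out, cur = [], None
    for ln in lines[1:]:
        if ln.startswith("[") and ln.endswith("]"):
            cur = {"name": ln[1:-1], "inproc": "", "codebase": "", "host": ""}
            out.append(cur)
        elif cur is not None and ln.startswith("InProcServer32 = "):
            cur["inproc"] = ln.split(" = ", 1)[1]
        elif cur is not None and ln.startswith("CODEBASE = "):
            cur["codebase"] = ln.split(" = ", 1)[1]
            cur["host"] = urlparse(cur["codebase"]).netloc
    return out


def triage(log_text: str) -> Dict[str, list]:
    report = {"run": [], "bho": [], "dpf": [], "flags": []}
    for section in split_sections(log_text):
        header = section[0]
        if header.startswith("Autorun entries from Registry"):
            report["run"] += parse_run_entries(section)
        elif header.startswith("Enumerating Browser Helper Objects"):
            report["bho"] += parse_bhos(section)
        elif header.startswith("Enumerating Download Program Files"):
            report["dpf"] += parse_dpf(section)
    for e in report["run"]:
        if USER_WRITABLE.search(e["image"]):
            report["flags"].append(f"Run value '{e['name']}' starts from a user-writable path: {e['image']}")
    for b in report["bho"]:
        if "(file missing)" in b["module"]:
            report["flags"].append(f"BHO {b['clsid']} points at a missing file (orphaned registration)")
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for e in r["run"]:
        print("RUN ", e["name"], "->", e["image"])
    for d in r["dpf"]:
        print("DPF ", d["name"], "from", d["host"])
    for f in r["flags"]:
        print("FLAG", f)
```

On the excerpt this reports the three Run values with their bare image paths, the two ActiveX controls with the hosts they came from, and one flag for the orphaned BHO registration; every other entry sits under `C:\WINDOWS` or `C:\Program Files`, which is consistent with ken545's reading of the log. The same functions work on the full posted log because every section is delimited the same way.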

lucky13
2010-09-11, 06:36
Good, Ken. I think those things I was talking about are deselected and I can get rid of them. I don't like looking at them.
What I need to do next is get my settings right. I've had trouble with certain settings, but I think I need to get as many of those that I've figured out all set up at once and saved in a restore point, better organized, with some, even a little, forethought, and it'll save me some annoyances later on. So I can move on to bigger and better annoyances!!
Well, thanks for all the help. I feel like I've been driving with an empty tank on bald tires and no driver's license for so long and have dodged a Mack truck, so I promise I'll do better (to myself).
If there's something else to do let me know. I'm ready. Thanks for all you've done. lucky13

ken545
2010-09-11, 14:24
Hi,

Why don't you post here for any help you may need related to Windows, as this forum is for malware removal only.
http://forums.pcpitstop.com/index.php?/forum/3-user-to-user-help/



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind, if you install some of these programs: only ONE antivirus and only ONE firewall is recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken
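
The mechanism behind IE-Spyad that ken545 describes above, as an added example (my code, not IE-Spyad's own list or file, which is not reproduced here): Internet Explorer keeps per-user zone assignments under `HKCU\...\Internet Settings\ZoneMap\Domains`, one subkey per domain, with a value named `*` (all schemes) holding the zone number; zone 4 is Restricted Sites. The script below emits such a `.reg` file for a list of domains and can read one back to audit which domains an existing file actually moves, and to which zone. The domains `example.com` and `ads.example.net` are placeholders.

```python
import re
from typing import Dict, List

DOMAINS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
RESTRICTED_ZONE = 4     # IE zone ids: 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted
# A bare registrable name: no scheme, path, wildcard or leading hyphen.
DOMAIN = re.compile(r"^(?!-)(?:[a-z0-9-]+\.)+[a-z0-9-]+$")
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def is_domain(name: str) -> bool:
    return DOMAIN.match(name.strip().lower()) is not None


def restricted_sites_reg(domains: List[str]) -> str:
    """Build a .reg file that puts every domain in the Restricted Sites zone.

    Regedit wants CRLF line endings, hence the join at the end. Duplicate and
    differently-cased entries collapse to one key, as they would in the registry.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    seen = set()
    for raw in domains:
        d = raw.strip().lower()
        if not DOMAIN.match(d):
            raise ValueError(f"not a bare domain name: {raw!r}")
        if d in seen:
            continue
        seen.add(d)
        lines.append(f"[{DOMAINS_KEY}\\{d}]")
        lines.append(f'"*"=dword:{RESTRICTED_ZONE:08x}')   # "*" covers http, https, ftp ...
        lines.append("")
    return "\r\n".join(lines)


def zone_assignments(reg_text: str) -> Dict[str, int]:
    """Read a .reg file back: domain (or 'domain\\host' for a sub-host key) -> zone id.

    Useful for checking what a downloaded block list really changes before importing it.
    """
    result, current = {}, None
    prefix = (DOMAINS_KEY + "\\").lower()
    for ln in reg_text.splitlines():
        ln = ln.strip()
        m = KEY_LINE.match(ln)
        if m:
            key = m.group(1)
            # Only keys under ZoneMap\Domains are zone assignments; anything else is ignored.
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = VALUE_LINE.match(ln)
        if m and current is not None:
            result[current] = int(m.group(2), 16)
    return result


if __name__ == "__main__":
    reg = restricted_sites_reg(["Example.COM", "example.com", "ads.example.net"])
    print(reg)
    print(zone_assignments(reg))
```

Importing the generated file (double-click in Explorer, or `regedit /s file.reg`) applies it to the current user only; the site stays reachable, but the Restricted zone's settings (no ActiveX, no scripting, no downloads) apply to it, which is exactly the effect ken545 describes for IE-Spyad.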

lucky13
2010-09-13, 19:58
You've been great. I already had a list from "So how did I . . ." but this fills in some more.
I'm dumping McAfee - never liked their customer treatment or them wanting to OWN your PC. So AV and firewall are there too. The best ones in "firewall challenge" are Russian and Chinese and seem to be startups (or close to) AND they're not cheap. Guess I'll try something. Funny how the big players are way down the list.
Since OTM only removes OTC, I will uninstall the rest of the tools. I hope it's straightforward.
Well, the best to you, thanks for all your help, though I hope I don't have to call on you again (I'll try to build up my defences). My regards, lucky13

ken545
2010-09-13, 20:19
You're very welcome,

Take care,

ken :)

If you have any issues uninstalling any programs, post back please.

ken545
2010-09-19, 15:27
Since this issue appears resolved, this thread will be closed.