Unable to Remove Malware



drmcnabb
2011-03-27, 20:25
Our PC got infected with 'XP Anti-Spyware' on Friday. I was able to find and remove that from the files and registry entries. Still have numerous problems such as cannot access windowsupdate.com or update.microsoft.com. I removed SpyBot in Aug-2010 due to performance concerns and perceived incompatibilities with McAfee. I reinstalled and ran SpyBot again on Saturday. It detected and indicated that it fixed several problems; however, there are no current checklogs. Resident TeaTimer has been disabled. I tried running MSRT and got a blue-screen. I am running another McAfee Scan since I've paid for the product but I don't expect much from it at this time. I'm also running OneCare safety scan.

I have run ERUNT and DSS, here is the DSS log and several lines from SpyBot reports. Thanks for any assistance.

Doug & Suzanne McNabb

DSS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Suzanne at 21:19:07.57 on Sat 03/26/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1057 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Online Backup\OnlineBackup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee Online Backup\MOBKstat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\Suzanne\My Documents\Downloaded Program Updates\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.goodsearch.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101104090656.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OnlineBackupScheduler] c:\program files\online backup\OnlineBackup.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee online backup\MOBKstat.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} - hxxp://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: fN9/ - itlnfw32.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1    www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-4 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2011-1-17 54776]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-12-13 198248]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-12-13 181864]
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2005-8-16 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-30 210216]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-4 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-4 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-4 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-4 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-4 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-4 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-4-13 229688]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-1-13 822424]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-4 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-30 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-30 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-4 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-4 88544]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-12-13 79464]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-4 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-4 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-30 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-30 40552]
.
=============== Created Last 30 ================
.
2011-03-27 00:37:16    --------    d-----w-    C:\VundoFix Backups
2011-03-25 23:55:32    146432    ----a-w-    c:\windows\regedit.com
2011-03-25 12:23:02    4199768    ----a-w-    c:\windows\system32\cdintf400.dll
2011-03-24 17:49:53    53248    ----a-w-    c:\windows\system32\6to4v32.dll
2011-03-24 17:49:45    34816    ----a-w-    c:\windows\system32\itlnfw32.dll
2011-03-24 17:49:45    216064    ----a-w-    c:\windows\system32\itlpfw32.dll
2011-03-22 06:01:34    5943120    ----a-w-    c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{2b19e4f6-b2c8-4dbc-9641-5cb9512a9453}\mpengine.dll
2011-03-12 01:30:12    244416    ----a-w-    c:\windows\system32\Msflxgrd.ocx
2011-03-12 01:30:12    203976    ----a-w-    c:\windows\system32\RICHTX32.OCX
2011-03-12 01:29:29    --------    d-----w-    c:\docume~1\suzanne\applic~1\PCHC
2011-03-11 23:47:03    --------    d-----w-    c:\program files\iPod
2011-03-11 23:46:46    --------    d-----w-    c:\program files\iTunes
2011-03-09 21:40:17    --------    d-----w-    c:\program files\ATT
2011-03-09 21:26:24    --------    d-----w-    c:\docume~1\suzanne\locals~1\applic~1\Yahoo
2011-03-09 21:25:25    --------    d-----w-    c:\docume~1\suzanne\locals~1\applic~1\ATTYToolbar
2011-03-09 21:25:23    --------    d-----w-    c:\docume~1\alluse~1\applic~1\ATTYToolbar
2011-03-09 21:25:05    --------    d-----w-    c:\program files\Yahoo!
2011-03-08 18:11:18    --------    d-----w-    c:\program files\ATT-HSI
2011-03-08 18:10:59    --------    d-----w-    c:\program files\common files\Motive
.
==================== Find3M  ====================
.
2011-02-18 21:36:58    4184352    ----a-w-    c:\windows\system32\usbaaplrc.dll
2011-02-04 22:48:32    456192    ----a-w-    c:\windows\system32\encdec.dll
2011-02-04 22:48:30    291840    ----a-w-    c:\windows\system32\sbe.dll
2011-02-02 22:11:20    222080    ------w-    c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35    2067456    ----a-w-    c:\windows\system32\mstscax.dll
2011-01-27 11:57:06    677888    ----a-w-    c:\windows\system32\mstsc.exe
2011-01-21 14:44:37    439296    ----a-w-    c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02    290048    ----a-w-    c:\windows\system32\atmfd.dll
2010-12-31 13:10:33    1854976    ----a-w-    c:\windows\system32\win32k.sys
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C6D439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89c737d0]; MOV EAX, [0x89c7384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A588030]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89C38540]
\Driver\iastor[0x8A58FDC8] -> IRP_MJ_CREATE -> 0x89C6D439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskARRAY1.0.00_U#4&38ab82b6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 156249086 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 21:21:55.51 ===============

Checks.110310-0130.log
10.03.2011 01:30:56 - ##### check started #####
10.03.2011 01:30:56 - ### Version: 1.6.2
10.03.2011 01:30:56 - ### Date: 3/10/2011 1:30:56 AM
10.03.2011 01:31:01 - ##### checking bots #####

Run Entry History.txt
When:       2011-03-26 12:44:33
Who:        C:\Program Files\Spybot - Search & Destroy\advcheck.dll
Run Entry:  Spybot - Search & Destroy
Executable: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
Reason:     scan result requested reboot (allowed by user feedback)

Update downloads.log
<--earlier entries deleted-->
8/25/2010 12:57:16 AM Downloaded update info file. (http://www.safer-networking.org/updates/spybotsd.ini)
8/25/2010 12:57:35 AM downloaded update Detection rules: iPhone
8/25/2010 12:57:35 AM  - URL: http://imp.betanews.com/updates/files/includes.iPhone.zip
8/25/2010 12:57:35 AM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.iPhone.zip
8/25/2010 12:57:36 AM downloaded update Detection rules: Keyloggers
8/25/2010 12:57:36 AM  - URL: http://imp.betanews.com/updates/files/includes.keyloggers.zip
8/25/2010 12:57:36 AM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.keyloggers.zip
8/25/2010 12:57:38 AM downloaded update Detection rules: Malware
8/25/2010 12:57:38 AM  - URL: http://imp.betanews.com/updates/files/includes.malware.zip
8/25/2010 12:57:38 AM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.malware.zip
8/25/2010 12:57:40 AM downloaded update Detection rules: PUPS
8/25/2010 12:57:40 AM  - URL: http://imp.betanews.com/updates/files/includes.pups.zip
8/25/2010 12:57:40 AM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.pups.zip
8/25/2010 12:57:41 AM downloaded update Detection rules: Spybots
8/25/2010 12:57:41 AM  - URL: http://imp.betanews.com/updates/files/includes.spybots.zip
8/25/2010 12:57:41 AM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.spybots.zip
8/25/2010 12:57:44 AM downloaded update Detection rules: Supplemental
8/25/2010 12:57:44 AM  - URL: http://imp.betanews.com/updates/files/supplemental.zip
8/25/2010 12:57:44 AM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\supplemental.zip
8/25/2010 12:57:46 AM downloaded update Detection rules: Trojans
8/25/2010 12:57:46 AM  - URL: http://imp.betanews.com/updates/files/includes.trojans.zip
8/25/2010 12:57:46 AM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.trojans.zip
8/25/2010 12:58:01 AM downloaded update Detection rules: Update
8/25/2010 12:58:01 AM  - URL: http://imp.betanews.com/updates/files/includes.zip
8/25/2010 12:58:01 AM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.zip
3/26/2011 12:07:21 PM Downloaded update info file. (http://www.safer-networking.org/updates/spybotsd.ini)
3/26/2011 12:07:55 PM downloaded update Advanced detection library 1.6.5
3/26/2011 12:07:55 PM  - URL: http://spybot.xploredownload.com/updates/files/advcheck165.zip
3/26/2011 12:07:55 PM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\advcheck165.zip
3/26/2011 12:07:56 PM downloaded update English descriptions
3/26/2011 12:07:56 PM  - URL: http://spybot.xploredownload.com/updates/files/desc.english.zip
3/26/2011 12:07:56 PM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\desc.english.zip
3/26/2011 12:07:57 PM downloaded update Immunization database
3/26/2011 12:07:57 PM  - URL: http://spybot.xploredownload.com/updates/files/clsid.zip
3/26/2011 12:07:57 PM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\clsid.zip
3/26/2011 12:07:59 PM downloaded update Startup info
3/26/2011 12:07:59 PM  - URL: http://spybot.xploredownload.com/updates/files/startup.zip
3/26/2011 12:07:59 PM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\startup.zip
3/26/2011 12:08:01 PM downloaded update TeaTimer update 1.6.6
3/26/2011 12:08:01 PM  - URL: http://spybot.xploredownload.com/updates/files/teatimer166.zip
3/26/2011 12:08:01 PM  - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\teatimer166.zip
3/26/2011 9:24:55 PM Downloaded update info file. (http://www.safer-networking.org/updates/spybotsd.ini)
3/27/2011 10:17:08 AM Downloaded update info file. (http://www.safer-networking.org/updates/spybotsd.ini)

Btw, I was unable to post the note through the infected PC, so I had to make this post from another machine.

Here's the attach.zip file.

km2357
2011-03-29, 21:59
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:


Step # 1: Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.infospyware.net/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.com)
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Step # 2: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

drmcnabb
2011-04-01, 14:43
I have attached the files from DDS. Please note that I elected to recover my entire C: drive using a backup from the end of February. As it happens that was before I stopped running Spybot S&D. I have rerun S&D, MBAM, MSRT, etc. Several problems were fixed but I would like your opinion based on the DDS files. Are there any problems identified and should I run gmer or anything else to confirm my system state?

Thanks for pitching in and helping your fellow netizens.

Doug

km2357
2011-04-01, 22:05
Thanks for the logs. :) Any future logs I ask for please post them normally, do not attach them. Only attach them if asked to do so. Thanks. :)


Looking over your DDS Logs, I don't see anything bad that jumps out at me. Since you restored from a backup from February, have you noticed any of the problems you stated in your first post, such as "Still have numerous problems such as cannot access windowsupdate.com or update.microsoft.com.", or have those been solved?

Which of these two is your main partition on your Hard Drive?:

C: is FIXED (NTFS) - 51 GiB total, 1.894 GiB free.

F: is FIXED (NTFS) - 466 GiB total, 62.214 GiB free.

If it is C:, then your computer is extremely low on free space. I'd suggest for you to go to Add/Remove Programs and uninstall any programs you no longer need/use. Also you can transfer any movies, music or other files to an external Hard Drive or USB/Flash Drive for extra space as well.


Though DDS didn't show anything, I'd still like for you to run GMER and post the log for me to look at. :) You also mentioned running MBAM, please post the log from your latest run as well.


In your next post/reply, I need to see the following:

1. GMER Log
2. Latest MalwareBytes' Log.

drmcnabb
2011-04-03, 17:39
Since the recovery I have not noticed any problems. I was able to successfully download the latest windows updates. And so far things look good. The main partition on my hard drive is C: and I have moved MyPictures off to D: leaving 7.96 GiB free. The F: drive is an external FreeAgent drive which I use for my backups but could also hold MyMusic. I will also look at Add/Remove programs. Thanks for the suggestion.

My first attempt at running gmer was unsuccessful though it didn't seem to report any problems. Because of the length of time it took my screen saver activated and once while checking the status it seemed to hang. I set the Screen saver to (None) hoping to prevent that problem on the next run. Unfortunately the second attempt failed with an error as did the third which was run after a reboot. I downloaded it again and it completed this time. Many thanks.

drmcnabb
2011-04-03, 17:41
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-03 10:29:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.1.0.
Running: gmer.exe; Driver: C:\DOCUME~1\Suzanne\LOCALS~1\Temp\awliipog.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DDA0E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DDA0F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DDA120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DDA176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DDA0CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DDA0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DDA0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DDA10A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DDA14C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DDA136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DDA1A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DDA18C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DDA160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DDA164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9DDA17A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9DDA190 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9DDA150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DDA0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9DDA0BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9DDA1A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9DDA13A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9DDA10E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DDA0E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9DDA0F8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9DDA124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9DDA0D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
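As an added example (my own script, not GMER's code and not from this forum), the following Python parses GMER "code sections" lines like those in the log above and in the continuation below, separates hooks that GMER attributes to a named module (here McAfee's mfehidk.sys) from JMPs it could not attribute, and groups the unattributed ones by process and 64 KiB destination region so a person can review them, in line with km2357's caveat that these scans produce false positives. The sample lines are copied from the posted log; the region grouping is my own triage heuristic, not a verdict.

```python
"""Triage helper for GMER 'code sections' hook lines (added example, not GMER's code)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

HOOK_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT|\.rsrc)\s+"
    r"(?:(?P<scope>.+?\[\d+\])\s+)?"             # user mode: image path [pid]; absent for kernel
    r"(?P<module>[^\s!]+)!(?P<func>\S+)"         # hooked export, e.g. ntdll.dll!NtCreateFile
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"           # optional '+ 3' (patch inside the function)
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?P<detail>.*?)\s*$"
)
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?$"   # GMER names the owning module if it can
)


@dataclass
class Hook:
    section: str
    scope: str             # "kernel" or "<image>[pid]"
    export: str            # module!function, with "+offset" when GMER reported one
    addr: str
    size: int
    target: Optional[str]  # JMP destination, None for a raw byte patch such as "[86, 88]"
    owner: Optional[str]   # module GMER attributed the destination to, None if unattributed
    desc: Optional[str]


def parse_hooks(text: str) -> List[Hook]:
    """Parse the kernel/user 'code sections' lines of a GMER log; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        export = f"{m['module']}!{m['func']}"
        if m["offset"]:
            export += f"+{m['offset']}"
        j = JMP_RE.match(m["detail"])
        hooks.append(Hook(
            section=m["section"],
            scope=m["scope"] or "kernel",
            export=export,
            addr=m["addr"],
            size=int(m["size"]),
            target=j["target"] if j else None,
            owner=j["owner"] if j else None,
            desc=j["desc"] if j else None,
        ))
    return hooks


def triage(hooks: List[Hook]) -> Dict[str, object]:
    """Split hooks into GMER-attributed ones, unattributed JMPs, and raw byte patches."""
    attributed: Dict[str, List[str]] = defaultdict(list)
    unattributed: List[Hook] = []
    patches: List[Hook] = []
    for h in hooks:
        if h.target is None:
            patches.append(h)
        elif h.owner:
            attributed[h.owner].append(h.export)
        else:
            unattributed.append(h)
    # Heuristic (mine): unattributed trampolines clustered in a few 64 KiB regions of one
    # process deserve a closer look; the key is the top 16 bits of the JMP destination.
    regions = Counter((h.scope, h.target[:4] + "0000") for h in unattributed)
    return {"attributed": dict(attributed), "unattributed": unattributed,
            "patches": patches, "regions": regions}


# Lines copied from the GMER log posted in this thread (kernel and user code sections).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DDA164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DDA0A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DDA0E4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0119
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660F83
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
"""

if __name__ == "__main__":
    report = triage(parse_hooks(SAMPLE_LOG))
    for owner, exports in report["attributed"].items():
        print(f"{owner}: {len(exports)} hook(s) attributed by GMER, e.g. {exports[0]}")
    for h in report["unattributed"]:
        print(f"REVIEW {h.scope} {h.export} @ {h.addr} -> JMP {h.target} (no module named)")
    for h in report["patches"]:
        print(f"PATCH  {h.scope} {h.export} @ {h.addr} ({h.size} bytes)")
    for (scope, region), n in report["regions"].items():
        print(f"{scope}: {n} unattributed JMP(s) into region {region}")
```

Run it against a full gmer.txt by reading the file into `parse_hooks`; the "System" section lines (`Code mfehidk.sys ... ZwCreateKey [0x...]`) use a different layout and are deliberately ignored here.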

drmcnabb
2011-04-03, 17:43
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF00AB
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF009A
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF007D
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00D2
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F8A
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0119
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00FE
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F6F
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0FA5
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00ED
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FAF
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660F72
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660F83
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660F94
.text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FC3
.text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!system 77C293C7 5 Bytes JMP 0065004E
.text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FDE
.text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0065001D
.text C:\WINDOWS\system32\svchost.exe[588] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[588] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00630011
.text C:\WINDOWS\system32\svchost.exe[588] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00630FDB
.text C:\WINDOWS\system32\svchost.exe[588] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 0063002C
.text C:\WINDOWS\system32\svchost.exe[588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0064000A
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1164] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1164] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050FCA
.text C:\WINDOWS\system32\services.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040F66
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040051
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040F77
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040F9E
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00040036
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040F29
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040F44
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0004008C
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040EFD
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040ECE
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040FAF
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00040F55
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[1164] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F0E
.text C:\WINDOWS\system32\services.exe[1164] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0025
.text C:\WINDOWS\system32\services.exe[1164] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F0076
.text C:\WINDOWS\system32\services.exe[1164] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F0014
.text C:\WINDOWS\system32\services.exe[1164] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F0FDE
.text C:\WINDOWS\system32\services.exe[1164] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0FAF
.text C:\WINDOWS\system32\services.exe[1164] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\services.exe[1164] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006F0051
.text C:\WINDOWS\system32\services.exe[1164] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F0040
.text C:\WINDOWS\system32\services.exe[1164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070F8B
.text C:\WINDOWS\system32\services.exe[1164] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070F9C
.text C:\WINDOWS\system32\services.exe[1164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070FC1
.text C:\WINDOWS\system32\services.exe[1164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070016
.text C:\WINDOWS\system32\services.exe[1164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070FD2
.text C:\WINDOWS\system32\services.exe[1164] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\lsass.exe[1176] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\lsass.exe[1176] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C40014
.text C:\WINDOWS\system32\lsass.exe[1176] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C3005E
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30F69
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30043
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30F86
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30F97
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C30F3D
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C30085
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30EFD
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C300A0
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C300B1
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C3001E
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C30FDE
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C30F4E
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FB2
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30FCD
.text C:\WINDOWS\system32\lsass.exe[1176] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C30F22
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0103003D
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01030F87
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0103002C
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01030011
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01030FA2
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01030FBD
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [23, 89]
.text C:\WINDOWS\system32\lsass.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0103004E
.text C:\WINDOWS\system32\lsass.exe[1176] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01020FB7
.text C:\WINDOWS\system32\lsass.exe[1176] msvcrt.dll!system 77C293C7 5 Bytes JMP 01020FC8
.text C:\WINDOWS\system32\lsass.exe[1176] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0102001D
.text C:\WINDOWS\system32\lsass.exe[1176] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\lsass.exe[1176] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0102002E
.text C:\WINDOWS\system32\lsass.exe[1176] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01020FE3
.text C:\WINDOWS\system32\lsass.exe[1176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01010FE5
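
The user-code section above is the part of a GMER log worth reading carefully. Every entry is an inline patch on an exported function (the first 5 bytes replaced by a JMP, or 2+2 bytes when GMER reports a split patch such as the RegCreateKeyW / RegCreateKeyW + 3 pairs). Where GMER can resolve the JMP target to an image on disk it prints the path and description, as it does for the two McSvHost.exe hooks that land in McAfee's mcproxy.dll. For every other entry the target (00BF0000, 00C00FEF, 00660F83 and so on) is printed bare, which means no loaded module covers that address: the trampolines live in memory the hooking engine allocated itself inside each process. The log alone does not say whether that engine is a security product's user-mode HIPS layer or malware; the next step is to dump those regions from one of the hooked processes and see what is in them. The script below is an added example (not the poster's, not GMER's, not McAfee's code) that parses this log format, groups the hooks per PID, separates backed from unbacked JMP targets, and clusters the unbacked targets by 64 KiB allocation region so you can see how many trampoline pages each process actually carries. The sample input is a handful of lines copied from the posted log; the region heuristic (grouping by the top 16 bits of the target) is an assumption based on the 64 KiB allocation granularity of 32-bit Windows.

```python
"""Triage the 'User code sections' of a GMER log.

Added example, not code from the forum post or from GMER. It parses the
'.text <process>[pid] <module>!<export> <addr> <n> Bytes <patch>' lines
shown above and splits the inline hooks into two classes: hooks GMER could
attribute to an image on disk (here the McAfee mcproxy.dll entries) and
hooks whose JMP target lies in memory backed by no loaded module, which is
what every unattributed 'JMP 00xxxxxx' line in this log means.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"      # process image path and PID
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"                # hooked export, e.g. ntdll.dll!NtCreateFile
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"                  # optional '+ 3' for a split patch
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+(?P<patch>.*)$"
)
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<path>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"  # module GMER resolved the target to, if any
)

# Assumption: 64 KiB allocation granularity on 32-bit Windows, so targets
# sharing the top 16 bits almost always sit in one VirtualAlloc'ed region.
REGION_MASK = 0xFFFF0000


def parse_hook(line):
    """Return one parsed '.text' hook line as a dict, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    h = m.groupdict()
    h["pid"] = int(h["pid"])
    h["offset"] = int(h["offset"] or 0)
    h["size"] = int(h["size"])
    h["addr"] = int(h["addr"], 16)
    j = JMP_RE.match(h["patch"])
    if j:
        h["kind"] = "jmp"
        h["target"] = int(j.group("target"), 16)
        h["backing"] = j.group("path")  # None when no image covers the target
    else:
        h["kind"] = "bytes"             # raw bytes, e.g. the '+ 3' tail of a split hook
        h["target"] = None
        h["backing"] = None
    return h


def triage(lines):
    """Group hooks by PID and classify each JMP as backed (module on disk) or unbacked."""
    per_pid = defaultdict(lambda: {"proc": None, "backed": [], "unbacked": [],
                                   "fragments": 0, "regions": set()})
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        entry = per_pid[h["pid"]]
        entry["proc"] = h["proc"]
        if h["kind"] == "bytes":
            entry["fragments"] += 1
            continue
        name = f'{h["module"]}!{h["func"]}'
        if h["backing"]:
            entry["backed"].append((name, h["backing"]))
        else:
            entry["unbacked"].append((name, h["target"]))
            entry["regions"].add(h["target"] & REGION_MASK)
    return dict(per_pid)


def pids_with_unbacked_hooks(report):
    """PIDs worth dumping next: each carries at least one JMP into anonymous memory."""
    return sorted(pid for pid, e in report.items() if e["unbacked"])


def format_report(report):
    """One summary line per hooked process."""
    out = []
    for pid in sorted(report):
        e = report[pid]
        regions = ", ".join(f"{r:08X}" for r in sorted(e["regions"]))
        out.append(f"{e['proc']}[{pid}]: {len(e['unbacked'])} unbacked, "
                   f"{len(e['backed'])} backed, {e['fragments']} fragments, "
                   f"regions {regions}")
    return "\n".join(out)


# Constructed sample: a few lines copied from the posted log plus the section
# header and a blank line, which the parser must skip.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660F83
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\system32\svchost.exe[588] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0064000A
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CD, 88] {INT 0x88}
""".strip().splitlines()

if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run it against the full log instead of the sample and the picture is the same in every process: the hooks are attributed only where they land in mcproxy.dll, and the rest cluster into a few anonymous 64 KiB regions per PID, one region per hooked DLL (kernel32, ADVAPI32, msvcrt, WS2_32, WININET, ntdll). That uniformity across svchost, services and lsass is what a process-wide injection engine looks like; it is not by itself proof of infection, so use the PIDs and regions this prints to decide what to dump rather than to decide what to delete.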

drmcnabb
2011-04-03, 17:43
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F60025
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50F7C
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50071
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F8D
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50F9E
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50040
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50F50
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50F61
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F50F2B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F500CE
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50F1A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F5008C
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F50025
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F500BD
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90FB2
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90F83
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F90FC3
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F90FD4
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F90040
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F90025
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F90014
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F80064
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F80FE3
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F80038
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F80049
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A80011
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F8A
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A7007F
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A70FA5
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A70058
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70FC0
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A70F54
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70F65
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A700CB
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A70F32
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A70F17
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A7003D
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A70011
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A70090
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A70FDB
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A7002C
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A70F43
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF006F
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF004A
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0FA8
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AA005D
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AA0042
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AA0027
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AA0FD2
.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AA000C
.text C:\WINDOWS\system32\svchost.exe[1468] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03F40FEF
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03F4002F
.text C:\WINDOWS\System32\svchost.exe[1672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03F4000A
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03F30000
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03F30F77
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03F30F92
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03F3006C
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03F3005B
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03F30036
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03F30F41
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03F30087
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03F30F0B
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03F300A4
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03F300BF
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03F30FB9
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03F30011
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03F30F5C
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03F30FCA
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03F30FDB
.text C:\WINDOWS\System32\svchost.exe[1672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03F30F26
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03F20FDB
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03F20FA8
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03F20036
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03F20025
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03F20FB9
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03F20000
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03F20FCA
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [12, 8C]
.text C:\WINDOWS\System32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03F20051
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03F60033
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 03F60F9E
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03F60FD4
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03F60FEF
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03F60FB9
.text C:\WINDOWS\System32\svchost.exe[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03F6000C
.text C:\WINDOWS\System32\svchost.exe[1672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03F50000
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03F10000
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03F10FEF
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03F10FD4
.text C:\WINDOWS\System32\svchost.exe[1672] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 03F10025
.text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[1744] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD00A4
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0089
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD006C
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0FAF
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0FDB
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD00CB
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0F83
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0108
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD00F7
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0123
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0FC0
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0F94
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0047
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD002C
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD00E6
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FC0FA8
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FC0043
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FC0FC3
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FC0F7C
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FC001E
.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FC0F8D
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FB0FCA
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FB0055
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FB0033
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FB0044
.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\system32\svchost.exe[1744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[1940] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1940] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A20FCD
.text C:\WINDOWS\system32\svchost.exe[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A20FDE
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F6F
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A1006E
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A1005D
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10040
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FB9
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F41
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10089
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A100BF
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A10F1C
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A100D0
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10F9E
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10025
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10F5E
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FCA
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A100A4
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00014
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00F68
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00025
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A00F8D
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C0, 88]
.text C:\WINDOWS\system32\svchost.exe[1940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00F9E
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0FAB
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F002C
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0011
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0FE3
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F0FBC
.text C:\WINDOWS\system32\svchost.exe[1940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[1996] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1996] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AE0F50
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AE0F61
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AE0F7C
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AE0F8D
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AE002F
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AE0071
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AE0F29
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AE0EE9
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AE0082
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AE0ED8
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AE0FA8
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AE0FDE
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AE0060
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AE0014
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AE0FC3
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AE0F0E
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AD0FCA
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AD0F68
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AD001B
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AD0F83
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AD000A
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AD0F9E
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CD, 88] {INT 0x88}
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AD0FAF
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AC0F9F
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AC0FB0
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AC0FC1
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AC0FEF
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AC0016
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AC0FD2
.text C:\WINDOWS\system32\svchost.exe[1996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\svchost.exe[2052] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\svchost.exe[2052] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DF0025
.text C:\WINDOWS\system32\svchost.exe[2052] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DF0014
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0F83
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0078
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE005B
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0F9E
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0FB9
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE0F41
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE0089
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE00B5
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE00A4
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE00DA
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0040
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE000A
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE0F68
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DE002F
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DE0FDE
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DE0F30
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DD0FB2
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DD0039
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DD0FC3
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DD0FDE
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DD0F86
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DD0028
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DD0FA1
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC0F90
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC001B
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0FB5
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC0FE3
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\svchost.exe[2052] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC0FC6

drmcnabb
2011-04-03, 17:44
.text C:\WINDOWS\Explorer.EXE[3420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01120000
.text C:\WINDOWS\Explorer.EXE[3420] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01120FDB
.text C:\WINDOWS\Explorer.EXE[3420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0112001B
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0111000A
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01110F66
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0111005B
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01110F8D
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01110F9E
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01110036
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01110F55
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0111009D
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011100DD
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01110F3A
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01110F1F
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01110FAF
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0111001B
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01110076
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01110FCA
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!CreateNamedPipeA 7C860CDC 3 Bytes JMP 01110FE5
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!CreateNamedPipeA + 4 7C860CE0 1 Byte [84]
.text C:\WINDOWS\Explorer.EXE[3420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011100B8
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0110002C
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01100058
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0110001B
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01100FDB
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01100FA5
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01100000
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01100FC0
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [30, 89]
.text C:\WINDOWS\Explorer.EXE[3420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01100047
.text C:\WINDOWS\Explorer.EXE[3420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00FA6
.text C:\WINDOWS\Explorer.EXE[3420] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FB7
.text C:\WINDOWS\Explorer.EXE[3420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E0001D
.text C:\WINDOWS\Explorer.EXE[3420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\Explorer.EXE[3420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00FD2
.text C:\WINDOWS\Explorer.EXE[3420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E0000C
.text C:\WINDOWS\Explorer.EXE[3420] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DE000A
.text C:\WINDOWS\Explorer.EXE[3420] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\Explorer.EXE[3420] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DE002F
.text C:\WINDOWS\Explorer.EXE[3420] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00DE004A
.text C:\WINDOWS\Explorer.EXE[3420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\dllhost.exe[3688] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\dllhost.exe[3688] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\dllhost.exe[3688] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50062
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50051
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F79
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50F8A
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50FC0
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50F48
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50090
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F50F12
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F500AB
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50F01
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50FA5
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50073
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F5002C
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F5001B
.text C:\WINDOWS\system32\dllhost.exe[3688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50F2D
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F30FCD
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F30058
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30022
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F30033
.text C:\WINDOWS\system32\dllhost.exe[3688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F30011
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F40F83
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F40040
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F40FA8
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [14, 89] {ADC AL, 0x89}
.text C:\WINDOWS\system32\dllhost.exe[3688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40FB9
.text C:\WINDOWS\system32\dllhost.exe[3688] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[872] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[872] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F02F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F02C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F02CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F02CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C62F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C62C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C62CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[3420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C62CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A5F62D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
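
The ".text" and "IAT" lines above are GMER's user-mode hook listing: for every scanned process it prints each hooked export, the patch length, and the JMP target, and for IAT hooks also the module that owns the target. Reading a few hundred of these by eye is error-prone, so the script below (an added example, not GMER's code and not part of the original post) groups them per process and reports which API families the hooks cover and how many JMP targets carry no owning module. A hook set that spans file, process, registry, loader and network APIs in svchost, Explorer and dllhost alike is the footprint of an API-monitoring component injected into every process; on this machine that can equally be a security product, so the unattributed targets are a follow-up item for the helper (resolve the address against the process's module list), not a verdict. The sample lines are copied from the log above; the API family grouping is my own and not something GMER reports.

```python
"""Summarise the user-mode hook section of a GMER log (added example)."""
import re

# Inline hook: .text <process>[<pid>] <module>!<export>[ + n] <addr> <len> Byte(s) JMP <target>
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[\w.]+)!(?P<func>\w+)"
    r"(?P<cont>\s*\+\s*\d+)?\s+(?P<rest>.*)$"
)
# IAT hook: IAT <process>[<pid>] @ <importer> [<module>!<export>] [<target>] <owner path> (<description>)
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+\S+\s+\[(?P<mod>[\w.]+)!(?P<func>\w+)\]"
    r"\s+\[[0-9A-Fa-f]+\]\s+(?P<owner>.+?)\s+\([^)]*\)$"
)
JMP_RE = re.compile(r"JMP\s+[0-9A-Fa-f]+(?:\s+(?P<owner>\S.*))?$")

# Grouping of hooked exports into families; this is my own classification, not GMER output.
PROCESS_APIS = {"NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec",
                "system", "_wsystem", "GetStartupInfoA", "GetStartupInfoW"}
FILE_APIS = {"_open", "_wopen", "_creat", "_wcreat"}


def classify(func):
    """Map an export name to the API family it belongs to."""
    if func.startswith("Reg"):
        return "registry"
    if func in PROCESS_APIS:
        return "process"
    if func in FILE_APIS or "File" in func or "Pipe" in func:
        return "file"
    if "Protect" in func:
        return "memory"
    if func.startswith("LoadLibrary") or func == "GetProcAddress":
        return "loader"
    if func == "socket" or func.startswith("Internet"):
        return "network"
    return "other"


def basename(path):
    """Last component of a Windows path (os.path.basename does not split '\\' on POSIX)."""
    return path.rstrip().rsplit("\\", 1)[-1]


def summarise(log_text):
    """Return {"<exe>[<pid>]": {inline, iat, families, unattributed, owners}} for the hook lines."""
    summary = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = INLINE_RE.match(line)
        if m:
            if m.group("cont"):
                continue  # "+ n" line: second half of a hook GMER printed in two parts, already counted
            tail = JMP_RE.search(m.group("rest"))
            if not tail:
                continue  # raw byte listing without a JMP target
            owner, kind = tail.group("owner"), "inline"
        else:
            m = IAT_RE.match(line)
            if not m:
                continue
            owner, kind = m.group("owner"), "iat"
        key = f"{basename(m.group('proc'))}[{m.group('pid')}]"
        rec = summary.setdefault(key, {"inline": 0, "iat": 0, "families": set(),
                                       "unattributed": 0, "owners": set()})
        rec[kind] += 1
        rec["families"].add(classify(m.group("func")))
        if owner:
            rec["owners"].add(basename(owner))
        else:
            rec["unattributed"] += 1  # GMER printed no module for the JMP target
    return summary


def broad_monitors(summary, min_families=4):
    """Processes whose hook set spans at least min_families API families."""
    return sorted(k for k, r in summary.items() if len(r["families"]) >= min_families)


# Lines copied from the GMER log in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[2052] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0078
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE0FB9
.text C:\WINDOWS\system32\svchost.exe[2052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE00B5
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DD0028
.text C:\WINDOWS\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CD, 88] {INT 0x88}
.text C:\WINDOWS\Explorer.EXE[3420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0112001B
.text C:\WINDOWS\Explorer.EXE[3420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0FEF
IAT C:\WINDOWS\Explorer.EXE[3420] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C62CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
"""

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for proc, rec in sorted(result.items()):
        print(f"{proc}: {rec['inline']} inline, {rec['iat']} IAT, "
              f"families={sorted(rec['families'])}, unattributed={rec['unattributed']}, "
              f"owners={sorted(rec['owners'])}")
    print("broad API monitors:", broad_monitors(result))
```

Run it against a saved GMER log by passing the file's text to summarise(); processes listed by broad_monitors() with a non-zero unattributed count are the ones worth asking about, and the owners set tells you immediately when GMER could name the hooking module, as it does for LVPrcInj01.dll here.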

drmcnabb
2011-04-03, 17:45
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6218

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/30/2011 2:36:56 PM
mbam-log-2011-03-30 (14-36-56).txt

Scan type: Quick scan
Objects scanned: 181806
Time elapsed: 22 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Adware.ClosetMaid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{BFC48A4D-75B9-455B-A4C3-9DC3F940B245} (Adware.ClosetMaid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4040A92C-93F0-49B4-9DD0-93E1887E724A} (Adware.ClosetMaid) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CMaidCtlApp.MaidCtrl.1 (Adware.ClosetMaid) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Adware.ClosetMaid) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Adware.ClosetMaid) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Adware.ClosetMaid) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\DOWNLOADED PROGRAM FILES\CMAIDCTL.OCX (Adware.ClosetMaid) -> Value: CMAIDCTL.OCX -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\downloaded program files\CMAIDCTL.OCX (Adware.ClosetMaid) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6231

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/1/2011 1:12:39 AM
mbam-log-2011-04-01 (01-12-39).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 280588
Time elapsed: 1 hour(s), 15 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

km2357
2011-04-03, 20:01
Good to hear that you're not experiencing any problems.

Let's do a couple more scans and see if they tell us anything more.





Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 2 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall Adobe Reader 7.1.0.
Please go to this link Adobe Acrobat Reader Download Link (http://get.adobe.com/reader/)
On the right, untick McAfee® Security Scan Plus if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe Reader X is a large program and if you prefer a smaller program you can get Foxit 4.3.1 instead from http://www.foxitsoftware.com/downloads/index.php

If you decide to install Foxit 4.3.1 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 3 Run Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.



Step # 4 Run ESET

I'd like us to scan your machine with ESET OnlineScan. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Make sure that Remove found threats is unchecked.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. ESET Log

km2357
2011-04-07, 21:08
drmcnabb? How are things coming along?

drmcnabb
2011-04-08, 22:03
I've been really busy with work. The computer seems to be working well and I will get you the additional scans done as soon as I can. It may be another week though if that is ok.

km2357
2011-04-08, 22:08
That's fine, I'll go ahead and keep the thread open in the meantime.

Thanks for letting me know that you'll be busy/away from the computer. :)

drmcnabb
2011-04-09, 04:12
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6314

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/8/2011 9:08:04 PM
mbam-log-2011-04-08 (21-08-04).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 266256
Time elapsed: 1 hour(s), 0 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

drmcnabb
2011-04-09, 05:28
ESET Online Scanner ended with no threats found and no option to export a file. The following information was displayed:

No threats found.
Scanned Files: 119318
Infected Files; 0
Cleaned files: 0
Total scan time: 00:58:20
Scan status: Finished


Select Uninstall if you want to remove all ESET Online Scanner files…..

I clicked on Finish. The next screen was for purchasing or getting a 30-day trial for ESET NOD32 Antivirus and ESET Smart Security.

Please let me know if I did this correctly and if you have any other suggestions. Thanks again for your assistance.

Doug McNabb

km2357
2011-04-09, 08:05
It sounds like you did everything correctly and since you report no more problems you're good to go. :)

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialize and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked, please check Hide protected operating system files (Recommended).
If necessary check "Display content of system folders".
If necessary uncheck Hide file extensions for known file types.
Click OK.

Use An Antivirus Software and Keep It Updated
It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Update Site Frequently
It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can find SpywareBlaster here:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload_free.html)

Use the hosts file
Every version of Windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button on the task bar at the bottom of your screen.
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.

Use an alternative instant messenger program
Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/). These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.spybot.info/showthread.php?t=279)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)

If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

drmcnabb
2011-04-09, 17:12
I have read your post, many thanks. I have a question about the host file. I have been using Spybot S & D. There is a 422 Kb hosts file in C:\WINDOWS\system32\drivers\etc with entries from that product.

# Start of entries inserted by Spybot - Search & Destroy

I also checked the DNS Client and it is set to Automatic. So is it being used, and should I remove this option from Spybot S & D? Would I be better served with the mvps hosts file?

Doug

km2357
2011-04-09, 19:50
As long as you keep Spybot S&D updated, its hosts file section should stay updated too and it'll be ok to use that instead of the MVPS hosts file. :)
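
The hosts file discussion above (the MVPS hosts file advice, and the Spybot-populated hosts file in C:\WINDOWS\system32\drivers\etc) is worth a quick check script, because the same file that a blocklist uses to sink ad and malware domains to 127.0.0.1 or 0.0.0.0 is also where malware redirects update and security-vendor names, which is one way a machine ends up unable to reach windowsupdate.com or update.microsoft.com as reported at the start of this thread. The script below is an added example, not part of any post here and not Spybot's or MVPS's code. It parses a hosts file, attributes entries to the "# Start of entries inserted by ..." section they sit in (the matching "# End of entries inserted by ..." marker is assumed), separates blocking entries from redirections to real addresses, and flags any entry naming a domain on a watch list; the watch list and the sample file are constructed for the example.

```python
"""Audit a Windows hosts file: blocking entries vs. redirections (added example)."""
import ipaddress
import re
import sys
from collections import namedtuple

HostEntry = namedtuple("HostEntry", "ip host lineno section")

BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}   # sinkhole addresses used by blocklists
LOCAL_NAMES = {"localhost"}                        # the one loopback mapping every hosts file has
# Domains a redirect or block would silently disable (constructed watch list; extend as needed).
WATCHED = ("windowsupdate.com", "update.microsoft.com", "malwarebytes.org",
           "eset.com", "spybot.info")
# Section markers as written by Spybot; the "End" form is assumed to mirror the "Start" line.
MARKER_RE = re.compile(r"^#\s*(Start|End) of entries inserted by\s+(.+?)\s*$", re.I)


def parse_hosts(text):
    """Return (entries, invalid_line_numbers); one HostEntry per hostname on a line."""
    entries, invalid = [], []
    section = "base"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = MARKER_RE.match(line)
            if m:  # enter or leave a tool-managed section
                section = m.group(2) if m.group(1).lower() == "start" else "base"
            continue
        fields = line.split("#", 1)[0].split()  # drop inline comment, split on whitespace
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            invalid.append(lineno)
            continue
        if len(fields) < 2:
            invalid.append(lineno)
            continue
        for host in fields[1:]:
            entries.append(HostEntry(str(ip), host.lower(), lineno, section))
    return entries, invalid


def audit(entries, watched=WATCHED):
    """Count blocking entries per section and list redirects and watched-domain hits."""
    report = {"blocking": 0, "by_section": {}, "redirects": [], "watched": []}
    for e in entries:
        if e.host in LOCAL_NAMES:
            continue
        report["by_section"][e.section] = report["by_section"].get(e.section, 0) + 1
        if e.ip in BLOCK_TARGETS:
            report["blocking"] += 1
        else:  # a hostname sent to a real address: always worth a look
            report["redirects"].append((e.host, e.ip, e.lineno))
        if any(e.host == d or e.host.endswith("." + d) for d in watched):
            report["watched"].append((e.host, e.ip, e.lineno))
    return report


# Constructed sample; 203.0.113.10 is a documentation address, not a real host.
SAMPLE_HOSTS = """\
# Sample hosts file, constructed for this example
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.badsite.example
0.0.0.0         ads.tracker.example   # inline comment
# End of entries inserted by Spybot - Search & Destroy
203.0.113.10    update.microsoft.com windowsupdate.com
127.0.0.1       www.malwarebytes.org
not a valid line
"""

if __name__ == "__main__":
    # Pass a path (e.g. C:\WINDOWS\system32\drivers\etc\hosts) to audit a real file.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    entries, invalid = parse_hosts(text)
    report = audit(entries)
    print(f"{len(entries)} entries, {report['blocking']} blocking, per section: {report['by_section']}")
    for host, ip, lineno in report["redirects"]:
        print(f"REDIRECT line {lineno}: {host} -> {ip}")
    for host, ip, lineno in report["watched"]:
        print(f"WATCHED  line {lineno}: {host} -> {ip}")
    if invalid:
        print("unparseable lines:", invalid)
```

On the sample, the two Spybot-section entries and the Malwarebytes line are plain blocks, the two update domains are redirected to a real address and are reported twice (as redirects and as watched hits), and the Malwarebytes block is also a watched hit: blocking a security vendor's site is as much a symptom as redirecting it. The by_section count answers the "is the Spybot list actually in the file" question directly.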

km2357
2011-04-13, 09:08
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.