
Thread: Please help me, my poor computer...

  1. #1 Junior Member (Join Date: May 2009; Posts: 9)

    Please help me, my poor computer...

    Here is what I have done thus far:

    I opened Firefox and navigated to a site that I have been to a million times, when McAfee goes nuts catching trojan after trojan; then my comp resets, boots up, and I get a message that forces my comp to reset again in 59 seconds, so I find the process that's doing this and stop it from continuing this loop. Then I proceed to get my comp scanned by McAfee; it finds about 5 more trojans, and then I download the newest HJT, and it won't run (double-click and nothing), so I try to run Regedit, and nothing. Next I open Mozilla and it has stopped working; luckily IE is still up, so I get scanned at a few more places that find nothing. I find this site and download Spybot S&D, ran it a couple of times; it found some stuff the first time, and the second time it only found one (doubleclick?). This got Regedit to work, but there is still something stopping HJT, so I changed the name of the HJT, and it runs now. I have backed up my registry and have shut off TeaTimer, and McAfee has been disabled since I began to have my comp checked by other programs. Here is the HJT log. Please help.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:19:10 PM, on 5/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\Drivers\WTSRV.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\system32\WTClient.exe
    G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThi.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - G:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: (no name) - {269c5932-7c9a-4c31-85c3-741c961128cc} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - G:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WTClient] WTClient.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
    O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1146416732703
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Themes ThemesCryptSvc (ThemesCryptSvc) - Unknown owner - C:\WINDOWS\system32\1031u.exe
    O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

    --
    End of file - 10604 bytes

  2. #2 Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double-click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    Download GMER and save it to your desktop:
    • Extract it to your desktop and double-click GMER.exe
    • Click the Rootkit tab and then Scan.
    • Don't check the "Show All" box while the scan is in progress!
    • When the scan is finished, click Copy. This copies the log to the clipboard.
    • Post the log in your reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3 Junior Member (Join Date: May 2009; Posts: 9)

    Ok, here it goes

    OK, here are the DDS, Attach, and GMER things. Sorry it took me so long; it was a long work day... It has too many characters, so I am putting it in 2, maybe 3, posts. Thank you so much!



    ------------------------------------------------------



    DDS (Ver_09-05-14.01) - NTFSx86
    Run by Owner at 8:30:17.32 on Thu 05/21/2009
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2287.1728 [GMT -5:00]

    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    svchost.exe "C:\WINDOWS\system32\1031u.exe"
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\Drivers\WTSRV.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\system32\WTClient.exe
    G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    mWinlogon: SFCDisable=-99 (0xffffff9d)
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - g:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    BHO: {269c5932-7c9a-4c31-85c3-741c961128cc} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - g:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
    mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
    mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
    mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
    mRun: [nwiz] nwiz.exe /install
    mRun: [WTClient] WTClient.exe
    mRun: [Acrobat Assistant 8.0] "g:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\rt2500 wireless lan card\installer\winxp\RaConfig2500.exe
    IE: Append to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146416732703
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
    STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
    LSA: Notification Packages = scecli c:\windows\system32\bewihafe.dll

    ============= SERVICES / DRIVERS ===============

    R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [2006-4-13 38784]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-15 201320]
    R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-9-19 72672]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-19 359248]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-15 144704]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-15 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-15 35240]
    R3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2008-7-12 360448]
    R3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-7-12 18944]
    R3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-7-12 33792]
    S1 chdlzdnk;chdlzdnk;\??\c:\windows\system32\drivers\chdlzdnk.sys --> c:\windows\system32\drivers\chdlzdnk.sys [?]
    S2 ThemesCryptSvc;Themes ThemesCryptSvc;c:\windows\system32\1031u.exe srv --> c:\windows\system32\1031u.exe srv [?]
    S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [2006-4-13 116224]
    S3 L6PODLV;PODxt Live Service;c:\windows\system32\drivers\L6PODLV.sys [2008-3-16 514432]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-15 33832]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-15 40488]
    S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-15 695624]

    =============== Created Last 30 ================

    2009-05-20 00:17 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-05-20 00:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-05-19 23:44 <DIR> --d----- c:\program files\Trend Micro
    2009-05-19 22:51 <DIR> --d----- c:\docume~1\owner\applic~1\Safer Networking
    2009-05-19 22:51 <DIR> --d----- c:\program files\Safer Networking
    2009-05-18 20:13 0 a------- c:\windows\st_1242714091.exe
    2009-05-18 20:13 0 a------- c:\windows\st_1242695661.exe
    2009-05-18 20:05 2 ----h--- c:\windows\sto453190.dat
    2009-05-18 20:04 32 a--s---- c:\windows\system32\2757321258.dat
    2009-05-18 20:04 53,248 ---shr-- c:\windows\system32\1031u.exe
    2009-05-18 20:04 20,480 a------- c:\windows\system32\digiwet.dll
    2009-05-02 00:45 215,465 a------- c:\windows\system32\nvapps.nvb
    2009-04-23 19:25 <DIR> --d----- c:\docume~1\owner\applic~1\GetRightToGo

    ==================== Find3M ====================

    2009-05-20 19:36 7,304 a------- c:\windows\TMP0001.TMP
    2009-05-19 23:32 6,832 a------- c:\windows\system32\d3d9caps.dat
    2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
    2007-10-26 19:20 1,355 a------- c:\docume~1\owner\applic~1\SAS7_000.DAT
    2006-04-30 22:40 65 a------- c:\program files\common files\appop.log
    2006-05-01 07:46 56 ---shr-- c:\windows\system32\5E0AFDD4F0.sys
    2008-08-19 00:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat
    2009-02-18 20:09 16,384 a--sh--- c:\windows\temp\cookies\index.dat
    2009-02-18 20:09 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
    2009-02-18 20:09 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

    ============= FINISH: 8:30:49.03 ===============




    ------------------------------------------------------





    The Attach thing is attached; I wasn't sure how you wanted this one, so I just followed the instructions it gave and zipped and attached it. If you would rather I just copy and paste it, let me know.






    ------------------------------------------------------







    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-05-21 20:55:57
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT spxl.sys ZwCreateKey [0xB9EAA0E0]
    SSDT spxl.sys ZwEnumerateKey [0xB9EC7CA2]
    SSDT spxl.sys ZwEnumerateValueKey [0xB9EC8030]
    SSDT spxl.sys ZwOpenKey [0xB9EAA0C0]
    SSDT spxl.sys ZwQueryKey [0xB9EC8108]
    SSDT spxl.sys ZwQueryValueKey [0xB9EC7F88]
    SSDT spxl.sys ZwSetValueKey [0xB9EC819A]

    INT 0x63 ? 8AB04BF8
    INT 0x73 ? 8AB04BF8
    INT 0x82 ? 8AB70BF8

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA7FCB9AA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA7FCB958]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA7FCB96C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA7FCB9EA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA7FCB930]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA7FCB944]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA7FCB9BE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA7FCB996]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA7FCB982]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA7FCBA19]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA7FCBA00]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA7FCB9D4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP A7FCB9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP A7FCB9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP A7FCB9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP A7FCBA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP A7FCB9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP A7FCB934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP A7FCB948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP A7FCB986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP A7FCB970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP A7FCB95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP A7FCB99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP A7FCBA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? spxl.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload B81218AC 5 Bytes JMP 8A9054E0
    .text aav637q0.SYS B601C384 1 Byte [20]
    .text aav637q0.SYS B601C384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
    .text aav637q0.SYS B601C3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
    .text aav637q0.SYS B601C3C4 3 Bytes [00, 00, 00]
    .text aav637q0.SYS B601C3C9 1 Byte [00]
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0082
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F8D
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F9E
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FAF
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FCA
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00AE
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0093
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00DA
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00C9
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00EB
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0051
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A001B
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F72
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0040
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FEF
    .text C:\WINDOWS\Explorer.EXE[384] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F4B
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290040
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0029007D
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0029001B
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FE5
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290062
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290000
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FC0
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [49, 88]
    .text C:\WINDOWS\Explorer.EXE[384] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290051
    .text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F95
    .text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0016
    .text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC1
    .text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
    .text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FA6
    .text C:\WINDOWS\Explorer.EXE[384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2
    .text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002C0000
    .text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002C0FDB
    .text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002C0FCA
    .text C:\WINDOWS\Explorer.EXE[384] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002C0FB9
    .text C:\WINDOWS\Explorer.EXE[384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025A0000
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FE5
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC005B
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0040
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0F66
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC002F
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0014
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F41
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0089
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC00A4
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F0B
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FC0EF0
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FC0F8D
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FC0FD4
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FC006C
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FC0FB2
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FC0FC3
    .text C:\WINDOWS\system32\services.exe[620] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC0F26
    .text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0099001B
    .text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0099006C
    .text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0099000A
    .text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00990FD4
    .text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00990FAF
    .text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00990FEF
    .text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00990051
    .text C:\WINDOWS\system32\services.exe[620] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00990036
    .text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00980FA1
    .text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!system 77C293C7 5 Bytes JMP 00980FBC
    .text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00980FD7
    .text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00980000
    .text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0098002C
    .text C:\WINDOWS\system32\services.exe[620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00980011
    .text C:\WINDOWS\system32\services.exe[620] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00960FEF
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90FE5
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E90078
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90067
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E9004A
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90F8D
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FB9

  4. #4

    Default part 2

    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E900BF
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E900AE
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90F4B
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F5C
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E90F30
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E90F9E
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E90FD4
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E9009D
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E90025
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E9000A
    .text C:\WINDOWS\system32\lsass.exe[632] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E900DA
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E8002F
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E8005B
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E80FD4
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E80FE5
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E80F9E
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E80000
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E80FB9
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [08, 89]
    .text C:\WINDOWS\system32\lsass.exe[632] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E80040
    .text C:\WINDOWS\system32\lsass.exe[632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70F75
    .text C:\WINDOWS\system32\lsass.exe[632] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70F90
    .text C:\WINDOWS\system32\lsass.exe[632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70FB5
    .text C:\WINDOWS\system32\lsass.exe[632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70FE3
    .text C:\WINDOWS\system32\lsass.exe[632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E7000A
    .text C:\WINDOWS\system32\lsass.exe[632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70FC6
    .text C:\WINDOWS\system32\lsass.exe[632] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30FEF
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A9000A
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A90093
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A90F94
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A9006E
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A90FA5
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A90FCA
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A900D0
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A900B5
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A90F4F
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A900F2
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A90103
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A90051
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A9001B
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A900A4
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A90036
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A90FE5
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A900E1
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A80FB9
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A8005E
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A80FCA
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A80FE5
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A80043
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A80000
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00A80F97
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [C8, 88]
    .text C:\WINDOWS\system32\svchost.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A80FA8
    .text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A70064
    .text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70049
    .text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A7001D
    .text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A70000
    .text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70038
    .text C:\WINDOWS\system32\svchost.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A70FE3
    .text C:\WINDOWS\system32\svchost.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FE5
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00093
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C0006E
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F94
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00FA5
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00051
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00F55
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F66
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F29
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F3A
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C000D3
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C00FCA
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C0000A
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C00F83
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C00040
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C00025
    .text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C000B8
    .text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BF0FD4
    .text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BF0FA8
    .text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BF0025
    .text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BF000A
    .text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BF0FB9
    .text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BF0FEF
    .text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BF005B
    .text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BF0040
    .text C:\WINDOWS\system32\svchost.exe[840] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0038
    .text C:\WINDOWS\system32\svchost.exe[840] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0027
    .text C:\WINDOWS\system32\svchost.exe[840] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE000C
    .text C:\WINDOWS\system32\svchost.exe[840] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FE3
    .text C:\WINDOWS\system32\svchost.exe[840] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FB7
    .text C:\WINDOWS\system32\svchost.exe[840] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2
    .text C:\WINDOWS\system32\svchost.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01CA0000
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01CA0F99
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01CA0FAA
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01CA008E
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01CA0FD1
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01CA0058
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01CA0F61
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01CA00A9
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01CA0F35
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01CA00CE
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01CA0F1A
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01CA0073
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01CA001B
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01CA0F88
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01CA003D
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01CA002C
    .text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01CA0F50
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00AD003D
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00AD0058
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00AD002C
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00AD0011
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00AD0F9B
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00AD0000
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00AD0FB6
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [CD, 88] {INT 0x88}
    .text C:\WINDOWS\System32\svchost.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00AD0FD1
    .text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AC0FC3
    .text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AC004E
    .text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AC0FEF
    .text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AC0000
    .text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AC0FDE
    .text C:\WINDOWS\System32\svchost.exe[876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AC0029
    .text C:\WINDOWS\System32\svchost.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AB0000
    .text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00AE0FEF
    .text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00AE0FCA
    .text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00AE0FAF
    .text C:\WINDOWS\System32\svchost.exe[876] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00AE000A
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780FEF
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0078008B
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780FA0
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0078007A
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780069
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780047
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007800B0
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780F6A
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007800DC
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F4D
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00780F28
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00780058
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0078000A
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00780F7B
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00780036
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0078001B
    .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007800CB
    .text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0077002F
    .text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0077006C
    .text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00770FD4
    .text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00770FEF
    .text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00770FB9
    .text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0077000A
    .text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00770051
    .text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00770040
    .text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760FCA
    .text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760055
    .text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760029
    .text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760FEF
    .text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760044
    .text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760018
    .text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FEF
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A00A1
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0090
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0075
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FB6
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A003D
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00C6
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F8A
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0103
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00F2
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0114
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0058
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FE5
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F9B
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A002C
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A001B
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00E1
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290FD4
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290FB9
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0029002F
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0029000A
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290076
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00290065
    .text C:\WINDOWS\system32\svchost.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290040
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E007A
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E005F
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0029
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0044
    .text C:\WINDOWS\system32\svchost.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FEF
    .text C:\WINDOWS\system32\svchost.exe[936] Ws2_32.dll!socket 71AB4211 5 Bytes JMP 00900FEF
    .text C:\WINDOWS\system32\svchost.exe[936] Wininet.dll!InternetOpenA 7806C865 5 Bytes JMP 00910000
    .text C:\WINDOWS\system32\svchost.exe[936] Wininet.dll!InternetOpenW 7806CE99 5 Bytes JMP 00910011
    .text C:\WINDOWS\system32\svchost.exe[936] Wininet.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00910FE5
    .text C:\WINDOWS\system32\svchost.exe[936] Wininet.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00910036
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DC0000
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DC0F94
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DC0089
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DC0062
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DC0FA5
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC002C
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DC00AE
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DC0F66
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DC00DA
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DC0F41
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00DC0F26
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00DC003D
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00DC0FE5
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00DC0F83
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00DC001B
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00DC0FCA
    .text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00DC00BF
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DA0040
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DA007D
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DA0025
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DA0FE5
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DA0FC0
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DA0000
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DA006C
    .text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DA0051
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D90051
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D90036
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D9000A
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D90FEF
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D9001B
    .text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90FC6
    .text C:\WINDOWS\system32\svchost.exe[960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80FEF
    .text C:\WINDOWS\system32\svchost.exe[960] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00DB0000
    .text C:\WINDOWS\system32\svchost.exe[960] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00DB0FE5
    .text C:\WINDOWS\system32\svchost.exe[960] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00DB0FD4
    .text C:\WINDOWS\system32\svchost.exe[960] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00DB0025
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40000
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40F7E
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F4007D
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F4006C
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40051
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F40036
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F400BC
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F400AB
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400D7
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40F3E
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F400F2
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F40FAF
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F40011
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F4008E
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F40FCA
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F40FDB
    .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F40F4F
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F30022
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F30062
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F30FDB
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F30011
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F30FA5
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F30000
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F30047
    .text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F30FC0
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0FB9
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0044
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FDE
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0000
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0033
    .text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FEF
    .text C:\WINDOWS\System32\svchost.exe[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B0000
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1484] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1484] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B50FEF
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B50F68
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B50F79
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B50F8A
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B50F9B
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B50036
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B500BA
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B50093
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B50F39
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B500DC
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B500ED
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B50047
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B50000
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B50078

  5. #5
    Junior Member
    Join Date: May 2009
    Posts: 9

    part 3

    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B50FCA
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B5001B
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B500CB
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B40033
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B40F98
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B40022
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B40011
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B40055
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B40000
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B40044
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B40FC7
    .text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B30F9C
    .text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B30FB7
    .text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B30FD2
    .text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B3000C
    .text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B30027
    .text C:\WINDOWS\system32\svchost.exe[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B30FEF
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0025000A
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0025006C
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00250F81
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00250F92
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00250FAF
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0025004A
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00250F2E
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00250F4B
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00250EE4
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00250087
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00250098
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0025005B
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00250FEF
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00250F5C
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00250039
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00250FDE
    .text C:\Program Files\internet explorer\iexplore.exe[2624] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00250F09
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00340036
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0034008E
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00340025
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00340FE5
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00340073
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00340000
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00340062
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00340047
    .text C:\Program Files\internet explorer\iexplore.exe[2624] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2624] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2624] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2624] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2624] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2624] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2624] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2624] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2624] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00350070
    .text C:\Program Files\internet explorer\iexplore.exe[2624] msvcrt.dll!system 77C293C7 5 Bytes JMP 00350055
    .text C:\Program Files\internet explorer\iexplore.exe[2624] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0035003A
    .text C:\Program Files\internet explorer\iexplore.exe[2624] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00350000
    .text C:\Program Files\internet explorer\iexplore.exe[2624] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00350FE5
    .text C:\Program Files\internet explorer\iexplore.exe[2624] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0035001D
    .text C:\Program Files\internet explorer\iexplore.exe[2624] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01970000
    .text C:\Program Files\internet explorer\iexplore.exe[2624] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01970FE5
    .text C:\Program Files\internet explorer\iexplore.exe[2624] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01970025
    .text C:\Program Files\internet explorer\iexplore.exe[2624] WININET.dll!InternetOpenUrlW 780BAEB9 3 Bytes JMP 01970FD4
    .text C:\Program Files\internet explorer\iexplore.exe[2624] WININET.dll!InternetOpenUrlW + 4 780BAEBD 1 Byte [89]
    .text C:\Program Files\internet explorer\iexplore.exe[2624] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01F50FEF

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAB046] spxl.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAB142] spxl.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAB0C4] spxl.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAB7CE] spxl.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAB6A4] spxl.sys
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!KfRaiseIrql] 000000AF
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!KfLowerIrql] 0000009C
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!HalGetInterruptVector] 000000A4
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!HalTranslateBusAddress] 00000072
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!READ_PORT_USHORT] 00000093
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
    IAT \SystemRoot\System32\Drivers\aav637q0.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\Explorer.EXE[384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [020C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [020C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [020C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [020C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe[836] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A72F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe[836] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A72CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe[836] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A72D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe[836] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A72CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2452] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\SYSTEM32\CTXFISPI.EXE[2572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A92F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\SYSTEM32\CTXFISPI.EXE[2572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A92CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\SYSTEM32\CTXFISPI.EXE[2572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A92D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\SYSTEM32\CTXFISPI.EXE[2572] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A92CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\internet explorer\iexplore.exe[2624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00992F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\internet explorer\iexplore.exe[2624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00992CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\internet explorer\iexplore.exe[2624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00992D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\internet explorer\iexplore.exe[2624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00992CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\SOUNDMAN.EXE[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\SOUNDMAN.EXE[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\SOUNDMAN.EXE[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\SOUNDMAN.EXE[2852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[2884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[2884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[2884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[2884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe[2932] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A52F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe[2932] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A52CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe[2932] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A52D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe[2932] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A52CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe[2948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe[2948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe[2948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe[2948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\WTClient.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00992F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\WTClient.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00992CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\WTClient.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00992D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\WTClient.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00992CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A82F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A82CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A82D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe[3020] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A82CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\RUNDLL32.EXE[3036] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AC2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\RUNDLL32.EXE[3036] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AC2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\RUNDLL32.EXE[3036] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AC2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\RUNDLL32.EXE[3036] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AC2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3068] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3068] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3068] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3068] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\rundll32.exe[3100] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AC2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\rundll32.exe[3100] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AC2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\rundll32.exe[3100] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AC2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\rundll32.exe[3100] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AC2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[3124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00522F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[3124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00522CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[3124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00522D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[3124] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00522CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3196] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3196] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3196] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3196] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT c:\PROGRA~1\mcafee\msc\mcuimgr.exe[3320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT c:\PROGRA~1\mcafee\msc\mcuimgr.exe[3320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT c:\PROGRA~1\mcafee\msc\mcuimgr.exe[3320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT c:\PROGRA~1\mcafee\msc\mcuimgr.exe[3320] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\Owner\Desktop\gmer.exe[4576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\Owner\Desktop\gmer.exe[4576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\Owner\Desktop\gmer.exe[4576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Documents and Settings\Owner\Desktop\gmer.exe[4576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8AB031F8

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    Device \FileSystem\Fastfat \FatCdrom 880831F8

    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device \Driver\sptd \Device\388596654 spxl.sys
    Device \Driver\usbohci \Device\USBPDO-0 8A988500
    Device \Driver\usbehci \Device\USBPDO-1 8A99E500
    Device \Driver\NetBT \Device\NetBT_Tcpip_{C2471A79-A3D3-4371-A932-541365EF103E} 883971F8

    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device \Driver\Ftdisk \Device\HarddiskVolume1 8AB051F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8AB051F8
    Device \Driver\Cdrom \Device\CdRom0 8A9561F8
    Device \Driver\Cdrom \Device\CdRom1 8A9561F8
    Device \Driver\Cdrom \Device\CdRom2 8A9561F8
    Device \Driver\nvata \Device\00000074 8AB041F8
    Device \Driver\USBSTOR \Device\00000081 8834D1F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 883971F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{8DA7980D-8606-4E28-A0C2-DC002E6E26E9} 883971F8
    Device \Driver\NetBT \Device\NetbiosSmb 883971F8
    Device \Driver\PCI_PNP5404 \Device\0000004f spxl.sys

    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{331EB944-64C1-449A-9AC2-5E230A30B3CB} 883971F8
    Device \Driver\usbohci \Device\USBFDO-0 8A988500
    Device \Driver\nvata \Device\NvAta0 8AB041F8
    Device \Driver\usbehci \Device\USBFDO-1 8A99E500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 883751F8
    Device \Driver\nvata \Device\NvAta1 8AB041F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 883751F8
    Device \Driver\USBSTOR \Device\0000007c 8834D1F8
    Device \Driver\Ftdisk \Device\FtControl 8AB051F8
    Device \Driver\aav637q0 \Device\Scsi\aav637q01Port4Path0Target0Lun0 8A7D11F8
    Device \Driver\aav637q0 \Device\Scsi\aav637q01 8A7D11F8
    Device \Driver\aav637q0 \Device\Scsi\aav637q01Port4Path0Target1Lun0 8A7D11F8
    Device \FileSystem\Fastfat \Fat 880831F8

    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    Device \FileSystem\Cdfs \Cdfs 883741F8

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x27 0x87 0x01 0x31 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC2 0x2E 0xA8 0xB5 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x93 0x44 0xDE 0xAC ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xA6 0xFE 0xA4 0x53 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x27 0x87 0x01 0x31 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC2 0x2E 0xA8 0xB5 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x93 0x44 0xDE 0xAC ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xA6 0xFE 0xA4 0x53 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x27 0x87 0x01 0x31 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC2 0x2E 0xA8 0xB5 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB1 0x65 0x64 0x85 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xA6 0xFE 0xA4 0x53 ...

    ---- Files - GMER 1.0.15 ----

    File C:\Program Files\Sony\EverQuest\uifiles\default 0 bytes

    ---- EOF - GMER 1.0.15 ----

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,

    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent
    WinMX


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    After that:

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds.txt log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Junior Member
    Join Date
    May 2009
    Posts
    9

    Default combofix

    When it booted up and ComboFix finished its thing, I tried out HJT without changing the name and it started up like a champ! So it looks like the ones that were causing the main issues have been caught! Here is the ComboFix log. Let me know if there is anything else and what to do. Thank you again.





    ComboFix 09-05-22.05 - Owner 05/22/2009 19:08.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2287.1619 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\st_1242695661.exe
    c:\windows\st_1242714091.exe
    c:\windows\system32\1031u.exe
    c:\windows\system32\getwn32.dll
    c:\windows\system32\wertyu.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS
    -------\Legacy_THEMESCRYPTSVC
    -------\Service_ThemesCryptSvc


    ((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
    .

    2009-05-21 00:21 . 2009-05-21 00:21 -------- d-----w c:\program files\ERUNT
    2009-05-20 05:17 . 2009-05-20 05:20 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-05-20 05:17 . 2009-05-20 05:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-05-20 04:44 . 2009-05-20 04:44 -------- d-----w c:\program files\Trend Micro
    2009-05-20 04:39 . 2009-05-20 04:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Safer Networking
    2009-05-20 04:37 . 2009-05-20 04:37 47688 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-20 04:37 . 2009-05-20 04:37 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
    2009-05-20 03:51 . 2009-05-20 03:51 -------- d-----w c:\documents and settings\Owner\Application Data\Safer Networking
    2009-05-20 03:51 . 2009-05-20 03:51 -------- d-----w c:\program files\Safer Networking
    2009-05-19 01:05 . 2009-05-19 01:05 2 ---h--w c:\windows\sto453190.dat
    2009-05-19 01:04 . 2009-05-19 01:04 32 --s-a-w c:\windows\system32\2757321258.dat
    2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
    2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
    2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
    2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
    2009-04-24 00:25 . 2009-04-24 02:10 -------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-23 05:39 . 2007-05-20 02:28 7304 ----a-w c:\windows\TMP0001.TMP
    2009-05-22 23:32 . 2007-12-23 03:08 -------- d-----w c:\program files\uTorrent
    2009-05-22 23:31 . 2006-04-26 05:46 -------- d-----w c:\program files\WinMX
    2009-05-20 04:32 . 2006-05-01 13:10 6832 ----a-w c:\windows\system32\d3d9caps.dat
    2009-05-19 05:40 . 2006-05-19 01:47 -------- d-----w c:\program files\Windows Live Safety Center
    2009-05-12 02:12 . 2008-02-16 01:52 -------- d-----w c:\program files\Ableton
    2009-05-12 02:09 . 2007-11-24 04:25 -------- d-----w c:\documents and settings\Owner\Application Data\Ableton
    2009-05-07 06:45 . 2009-01-13 03:26 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
    2009-05-02 05:48 . 2008-03-16 02:32 -------- d-----w c:\program files\McAfee
    2009-05-02 02:40 . 2009-01-08 03:39 -------- d-----w c:\program files\SystemRequirementsLab
    2009-05-02 02:38 . 2009-01-08 03:39 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
    2009-03-27 13:14 . 2006-05-01 13:24 453152 ----a-w c:\windows\system32\NVUNINST.EXE
    2006-05-01 03:40 . 2006-04-14 02:09 65 ----a-w c:\program files\Common Files\appop.log
    2006-05-01 12:46 . 2006-05-01 07:29 56 --sh--r c:\windows\system32\5E0AFDD4F0.sys
    .

    ------- Sigcheck -------

    [7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
    [7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
    [-] 2008-11-30 07:12 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\system32\winlogon.exe

    [7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
    [7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
    [-] 2008-11-30 07:12 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
    "VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
    "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
    "Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
    "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-08-17 90112]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
    "WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Ralink Wireless Utility.lnk - c:\program files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe [2006-4-10 561152]

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "midi1"= ma_cmidn.dll
    "midi4"= ma_cmidn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
    backup=c:\windows\pss\Dragon NaturallySpeaking.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPM2fbcc373
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vinawiguma

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "IDriverT"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
    "c:\\Program Files\\Sony\\EverQuest II\\EverQuest2.exe"=
    "c:\\Program Files\\RALINK\\RT2500 Wireless LAN Card\\Installer\\WINXP\\RaConfig2500.exe"=
    "c:\\WINDOWS\\system32\\drwtsn32.exe"=
    "c:\\WINDOWS\\system32\\dwwin.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=

    R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [4/13/2006 9:09 PM 38784]
    R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/19/2007 9:11 AM 72672]
    S1 chdlzdnk;chdlzdnk;\??\c:\windows\system32\drivers\chdlzdnk.sys --> c:\windows\system32\drivers\chdlzdnk.sys [?]
    S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [4/13/2006 9:09 PM 116224]
    S3 L6PODLV;PODxt Live Service;c:\windows\system32\drivers\L6PODLV.sys [3/16/2008 6:00 PM 514432]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
    S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [7/12/2008 6:33 PM 360448]
    S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [7/12/2008 6:33 PM 18944]
    S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [7/12/2008 6:33 PM 33792]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - udffsrec
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 18:32]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{269c5932-7c9a-4c31-85c3-741c961128cc} - (no file)
    SafeBoot-procexp90.Sys


    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-23 00:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\4.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1275210071-2147168017-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:4c,dd,3e,96,8f,f2,71,75,33,7f,f8,38,c5,92,3f,70,f4,f7,92,dd,ab,
    17,04,f0,7b,ef,3c,67,27,f6,03,1b,5d,0a,76,c8,7f,2c,1a,e5,11,de,33,8d,74,b7,\
    "rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(184)
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\drivers\WTSrv.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\windows\system32\CTXFISPI.EXE
    c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    c:\progra~1\McAfee\MSC\mcuimgr.exe
    c:\windows\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-23 0:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-23 05:48

    Pre-Run: 14,224,998,400 bytes free
    Post-Run: 13,968,957,440 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=1,2,3,4
    223 --- E O F --- 2009-02-14 03:30
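
ComboFix's Sigcheck block in the log above lists, for winlogon.exe and termsrv.dll, two service-pack reference copies marked [7] and the live copy in system32 marked [-], whose MD5 matches neither reference even though its size equals the ServicePackFiles copy's. Two other kinds of line in the same log deserve a second look: the services chdlzdnk (S1) and MEMSWEEP2 (S3), whose image files ComboFix reports with [?] instead of a date and size, and the ProxyServer setting that routes Internet Explorer through localhost:7171. As an added example, not part of the thread and not ComboFix's own code, here is a small Python triage script that pulls those three signals out of a log excerpt copied from the post above; its regular expressions assume only the line layouts shown there.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted above
# (the Sigcheck block, three service entries and the two proxy lines).
# Only the line layouts shown on the page are assumed.
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-11-30 07:12 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\system32\winlogon.exe

[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-30 07:12 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [4/13/2006 9:09 PM 38784]
S1 chdlzdnk;chdlzdnk;\??\c:\windows\system32\drivers\chdlzdnk.sys --> c:\windows\system32\drivers\chdlzdnk.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]

uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
"""

# "[7]" = ComboFix verified the copy, "[-]" = it could not; then date, size, MD5, path.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)
# "R0 name;display name;image path [date size]" service/driver lines.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")


def parse_sigcheck(text):
    """Group Sigcheck entries by file name: {basename: [entry, ...]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            groups[entry["path"].rsplit("\\", 1)[-1].lower()].append(entry)
    return dict(groups)


def mismatched_system_files(groups):
    """One finding per unverified copy whose MD5 matches none of the verified
    service-pack reference copies of the same file. A same-size, different-hash
    copy in system32 (as with winlogon.exe here) is a file patched in place."""
    findings = []
    for base, entries in groups.items():
        reference = {e["md5"] for e in entries if e["flag"] == "7"}
        for e in entries:
            if e["flag"] != "7" and e["md5"] not in reference:
                findings.append({"file": base, "path": e["path"], "md5": e["md5"],
                                 "size": e["size"], "reference_md5s": sorted(reference)})
    return findings


def unverifiable_services(text):
    """Services/drivers whose image ComboFix could not stat ('[?]' instead of a
    date and size): the file is missing or hidden from the scanner."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group("rest").rstrip().endswith("[?]"):
            out.append((m.group("start"), m.group("name")))
    return out


def local_proxy(text):
    """Return the ProxyServer value if any entry points at the local machine,
    i.e. something on the box sits between the browser and the web."""
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value").strip()
        for part in value.split(";"):
            host = part.split("=", 1)[-1].rsplit(":", 1)[0].strip().lower()
            if host in ("localhost", "127.0.0.1"):
                return value
    return None


if __name__ == "__main__":
    for f in mismatched_system_files(parse_sigcheck(SAMPLE_LOG)):
        print(f"hash mismatch: {f['path']} md5={f['md5']} references={f['reference_md5s']}")
    for start, name in unverifiable_services(SAMPLE_LOG):
        print(f"unverifiable service: {start} {name}")
    print("local proxy:", local_proxy(SAMPLE_LOG))
```

The hash comparison is the general form of what ComboFix's [-] mark already says for the two files here: a live system file is compared against every verified reference copy of the same name, so it also works on a log where some copies are verified and others are not. The proxy check walks every `scheme=host:port` entry in the value, not just the first.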

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,



    Show hidden files
    -----------------
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.



    Upload these files to http://www.virustotal.com and post back the results or links to the results:
    c:\windows\system32\winlogon.exe
    c:\windows\system32\termsrv.dll
    c:\windows\sto453190.dat
    c:\windows\system32\2757321258.dat




    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    chdlzdnk
    
    File::
    c:\windows\system32\drivers\svchost.exe
    c:\windows\system32\drivers\chdlzdnk.sys
    
    DDS::
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    
    Folder::
    c:\program files\uTorrent
    c:\program files\WinMX
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPM2fbcc373]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vinawiguma]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    "UpdatesDisableNotify"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\drivers\\svchost.exe"=-

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.


    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
    If that happened we want to know, and also what process you had to end.


    Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.



    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
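
The CFScript above is a plain-text instruction file for ComboFix: each `Name::` header opens a section and the lines under it are the objects that section acts on (here a driver, files and folders to remove, DDS-reported settings to reset, and a Registry:: block in .reg-file syntax, where `[-KEY]` deletes a key and `"name"=-` deletes a value). As an added example, not the helper's and not ComboFix's own code, here is a Python parser that splits such a script into its sections, expands the registry block into explicit actions and flags the kind of slip (an unknown section header, a path that is not absolute) worth catching before the file is dragged onto ComboFix.exe. The only section names it knows are the five used on this page.

```python
import re

# Constructed sample: the CFScript text posted above, verbatim; the parser
# and the checks are this example's own, not ComboFix's.
SAMPLE_CFSCRIPT = r"""
Driver::
chdlzdnk

File::
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\chdlzdnk.sys

DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171

Folder::
c:\program files\uTorrent
c:\program files\WinMX

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPM2fbcc373]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vinawiguma]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
"""

# Section names used in the script above (ComboFix knows more; these are the ones on this page).
KNOWN_SECTIONS = {"Driver", "File", "DDS", "Folder", "Registry"}
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(HK[A-Z_]*)\\(.+)\]$")        # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # "name"=data or "name"=-
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Split a CFScript into {section: [lines]}; a line before any 'Name::'
    header is treated as an error here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def registry_actions(lines):
    """Read the Registry:: block with .reg-file semantics: '[-KEY]' deletes the
    key, '"name"=-' deletes a value under the last named key, anything else
    sets a value. Returns (action, key, value_name, data) tuples."""
    actions, key = [], None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(2) + "\\" + km.group(3)
            if km.group(1) == "-":
                actions.append(("delete_key", key, None, None))
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            action = "delete_value" if vm.group("data") == "-" else "set_value"
            actions.append((action, key, vm.group("name"), vm.group("data")))
    return actions


def review(text):
    """Checks worth doing before posting a script: unknown section headers and
    File::/Folder:: entries that are not absolute drive paths (a stray relative
    name or a typo would not point at the intended object)."""
    sections = parse_cfscript(text)
    problems = [f"unknown section {name}::" for name in sections if name not in KNOWN_SECTIONS]
    for name in ("File", "Folder"):
        for path in sections.get(name, []):
            if not ABS_PATH_RE.match(path):
                problems.append(f"{name}:: entry is not an absolute path: {path}")
    return sections, problems


if __name__ == "__main__":
    sections, problems = review(SAMPLE_CFSCRIPT)
    for name, lines in sections.items():
        print(f"{name}:: {len(lines)} line(s)")
    for action in registry_actions(sections.get("Registry", [])):
        print(action)
    print("problems:", problems or "none")
```

Run stand-alone it lists the five sections, the six registry actions the block expands to (two key deletions, three value deletions and one value set) and no problems for the script above.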

  9. #9
    Junior Member
    Join Date
    May 2009
    Posts
    9

    Default Logs as requested

    Thank you for this, it means a lot to me...

    OK, here are the requested scanned item logs:




    c:\windows\system32\winlogon.exe


    File has already been analysed:
    MD5: 3969440ba384d35317dbbdeeaae641ce
    First received: 2008.11.27 18:17:00 UTC
    Date: 2009.02.11 17:45:35 UTC [>100D]
    Results: 1/39
    Permalink: analisis/80ec02f1c71f5249c0976b4ea96d9622899fca5591d47d87d4edc1897387c8f7-1234374335

    This is info on the page where the Permalink brings me:

    File winlogon.exe.vir received on 2009.02.11 17:45:35 (UTC)
    Current status: finished

    Result: 1/39 (2.56%)
    Compact Print results
    Antivirus Version Last Update Result
    a-squared 4.0.0.93 2009.02.11 -
    AhnLab-V3 5.0.0.2 2009.02.11 -
    AntiVir 7.9.0.76 2009.02.11 -
    Authentium 5.1.0.4 2009.02.11 -
    Avast 4.8.1335.0 2009.02.11 -
    AVG 8.0.0.229 2009.02.11 -
    BitDefender 7.2 2009.02.11 -
    CAT-QuickHeal 10.00 2009.02.11 -
    ClamAV 0.94.1 2009.02.11 -
    Comodo 974 2009.02.11 -
    DrWeb 4.44.0.09170 2009.02.11 -
    eSafe 7.0.17.0 2009.02.11 Win32.Banker
    eTrust-Vet 31.6.6350 2009.02.11 -
    F-Prot 4.4.4.56 2009.02.11 -
    F-Secure 8.0.14470.0 2009.02.11 -
    Fortinet 3.117.0.0 2009.02.11 -
    GData 19 2009.02.11 -
    Ikarus T3.1.1.45.0 2009.02.11 -
    K7AntiVirus 7.10.627 2009.02.11 -
    Kaspersky 7.0.0.125 2009.02.11 -
    McAfee 5523 2009.02.11 -
    McAfee+Artemis 5522 2009.02.10 -
    Microsoft 1.4306 2009.02.11 -
    NOD32 3846 2009.02.11 -
    Norman 6.00.02 2009.02.11 -
    nProtect 2009.1.8.0 2009.02.11 -
    Panda 10.0.0.10 2009.02.11 -
    PCTools 4.4.2.0 2009.02.11 -
    Prevx1 V2 2009.02.11 -
    Rising 21.16.22.00 2009.02.11 -
    SecureWeb-Gateway 6.7.6 2009.02.11 -
    Sophos 4.38.0 2009.02.11 -
    Sunbelt 3.2.1851.2 2009.02.11 -
    Symantec 10 2009.02.11 -
    TheHacker 6.3.1.85.252 2009.02.11 -
    TrendMicro 8.700.0.1004 2009.02.11 -
    VBA32 3.12.8.12 2009.02.11 -
    ViRobot 2009.2.11.1600 2009.02.11 -
    VirusBuster 4.5.11.0 2009.02.11 -
    Additional information
    File size: 507904 bytes
    MD5 : 3969440ba384d35317dbbdeeaae641ce
    SHA1 : c87bb53e5dd5258e80df74ebd4f68aef193ea5af
    SHA256: 80ec02f1c71f5249c0976b4ea96d9622899fca5591d47d87d4edc1897387c8f7
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x3E5E1
    timedatestamp.....: 0x48027549 (Sun Apr 13 23:04:09 2008)
    machinetype.......: 0x14C (Intel I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x70991 0x70A00 6.82 8b92c0dadae385ba7a05299c9a7cafbf
    .data 0x72000 0x4E70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d
    .rsrc 0x77000 0x9020 0x9200 3.62 8b50f3590d97bb27639f10bacbc53187

    ( 0 imports )


    ( 0 exports )

    TrID : File type identification
    Win64 Executable Generic (80.9%)
    Win32 Executable Generic (8.0%)
    Win32 Dynamic Link Library (generic) (7.1%)
    Generic Win/DOS Executable (1.8%)
    DOS Executable Generic (1.8%)
    ThreatExpert: http://www.threatexpert.com/report.a...dbbdeeaae641ce
    ssdeep: 6144:kNZlxEdL5RvGlcHJ37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+lc3Kao6nSKHsRqOMgxZg
    PEiD : -
    CWSandbox: http://research.sunbelt-software.com...dbbdeeaae641ce
    RDS : NSRL Reference Data Set




    ===========================================================
    ===========================================================




    c:\windows\system32\termsrv.dll


    File has already been analysed:
    MD5: 63999d0abd8dabfd76a9c07f6e104868
    First received: 2008.11.26 04:21:07 UTC
    Date: 2009.05.19 17:47:24 UTC [>3D]
    Results: 2/40
    Permalink: analisis/5f6f0507b9ec1e8843363ea312475e9e6dd129e03ecb5308db285cd15fdfd482-1242755244


    This is info on the page where the Permalink brings me:


    File termsrv.dll received on 2009.05.19 17:47:24 (UTC)
    Current status: finished

    Result: 2/40 (5.00%)
    Compact Print results
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.05.19 -
    AhnLab-V3 5.0.0.2 2009.05.19 -
    AntiVir 7.9.0.168 2009.05.19 -
    Antiy-AVL 2.0.3.1 2009.05.19 -
    Authentium 5.1.2.4 2009.05.19 -
    Avast 4.8.1335.0 2009.05.18 -
    AVG 8.5.0.336 2009.05.19 -
    BitDefender 7.2 2009.05.19 -
    CAT-QuickHeal 10.00 2009.05.19 -
    ClamAV 0.94.1 2009.05.19 -
    Comodo 1157 2009.05.08 -
    DrWeb 5.0.0.12182 2009.05.19 -
    eSafe 7.0.17.0 2009.05.19 -
    eTrust-Vet 31.6.6511 2009.05.19 -
    F-Prot 4.4.4.56 2009.05.18 -
    F-Secure 8.0.14470.0 2009.05.19 -
    Fortinet 3.117.0.0 2009.05.19 -
    GData 19 2009.05.19 -
    Ikarus T3.1.1.49.0 2009.05.19 -
    K7AntiVirus 7.10.739 2009.05.19 -
    Kaspersky 7.0.0.125 2009.05.19 -
    McAfee 5620 2009.05.19 potentially unwanted program Patched Termsrv
    McAfee+Artemis 5620 2009.05.19 potentially unwanted program Patched Termsrv
    McAfee-GW-Edition 6.7.6 2009.05.19 -
    Microsoft 1.4602 2009.05.19 -
    NOD32 4088 2009.05.19 -
    Norman 6.01.05 2009.05.19 -
    nProtect 2009.1.8.0 2009.05.19 -
    Panda 10.0.0.14 2009.05.18 -
    PCTools 4.4.2.0 2009.05.18 -
    Prevx 3.0 2009.05.19 -
    Rising 21.30.14.00 2009.05.19 -
    Sophos 4.41.0 2009.05.19 -
    Sunbelt 3.2.1858.2 2009.05.18 -
    Symantec 1.4.4.12 2009.05.19 -
    TheHacker 6.3.4.1.327 2009.05.19 -
    TrendMicro 8.950.0.1092 2009.05.19 -
    VBA32 3.12.10.5 2009.05.19 -
    ViRobot 2009.5.19.1740 2009.05.19 -
    VirusBuster 4.6.5.0 2009.05.19 -
    Additional information
    File size: 295424 bytes
    MD5 : 63999d0abd8dabfd76a9c07f6e104868
    SHA1 : 509689ba3edd2cfad361773708b72dc35f1c77b8
    SHA256: 5f6f0507b9ec1e8843363ea312475e9e6dd129e03ecb5308db285cd15fdfd482
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x219FD
    timedatestamp.....: 0x4802A11C (Mon Apr 14 02:11:08 2008)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x3F7CA 0x3F800 6.62 d12183a6fa34bf7974abe33c87bdee41
    .data 0x41000 0x9838 0x1200 5.40 2c69a08d65ee8234c239668dd7d86937
    .rsrc 0x4B000 0x3E50 0x4000 3.25 07385c44d1453e3272809960a81ac436
    .reloc 0x4F000 0x32EE 0x3400 6.19 c59c84e9cda7289330e30d991fa19248

    ( 17 imports )


    ( 1 exports )

    > ServiceMain
    TrID : File type identification
    80.9% (.EXE) Win64 Executable Generic (85619/45/3)
    8.0% (.EXE) Win32 Executable Generic (8527/13/3)
    7.1% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
    1.8% (.EXE) Generic Win/DOS Executable (2002/3)
    1.8% (.EXE) DOS Executable Generic (2000/1)
    ssdeep: 6144:BRp6fWMV1Adl7LQup17zettU8kY0c0XwJs/nE0fiLitmNGAM:BPvMV1/ixettmXwu/nHtc8
    PEiD : -
    CWSandbox: http://research.sunbelt-software.com...a9c07f6e104868
    RDS : NSRL Reference Data Set
    -




    =======================================================
    =======================================================




    c:\windows\sto453190.dat


    File has already been analysed:
    MD5: 6226f7cbe59e99a90b5cef6f94f966fd
    First received: 2009.05.18 12:58:41 UTC
    Date: 2009.05.23 16:54:03 UTC [<1D]
    Results: 0/39
    Permalink: analisis/03042cf8100db386818cee4ff0f2972431a62ed78edbd09ac08accfabbefd818-1243097643


    This is info on the page where the Permalink brings me:


    File sto453250.dat received on 2009.05.23 16:54:03 (UTC)
    Current status: finished

    Result: 0/39 (0.00%)
    Compact Print results
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.05.23 -
    AhnLab-V3 5.0.0.2 2009.05.23 -
    AntiVir 7.9.0.168 2009.05.23 -
    Antiy-AVL 2.0.3.1 2009.05.22 -
    Authentium 5.1.2.4 2009.05.22 -
    Avast 4.8.1335.0 2009.05.23 -
    AVG 8.5.0.339 2009.05.23 -
    BitDefender 7.2 2009.05.23 -
    CAT-QuickHeal 10.00 2009.05.23 -
    ClamAV 0.94.1 2009.05.22 -
    Comodo 1157 2009.05.08 -
    DrWeb 5.0.0.12182 2009.05.23 -
    eSafe 7.0.17.0 2009.05.21 -
    eTrust-Vet 31.6.6519 2009.05.23 -
    F-Prot 4.4.4.56 2009.05.22 -
    F-Secure 8.0.14470.0 2009.05.23 -
    Fortinet 3.117.0.0 2009.05.23 -
    GData 19 2009.05.23 -
    Ikarus T3.1.1.49.0 2009.05.23 -
    K7AntiVirus 7.10.741 2009.05.21 -
    Kaspersky 7.0.0.125 2009.05.23 -
    McAfee 5624 2009.05.23 -
    McAfee+Artemis 5624 2009.05.23 -
    McAfee-GW-Edition 6.7.6 2009.05.23 -
    Microsoft 1.4701 2009.05.23 -
    NOD32 4098 2009.05.22 -
    Norman 6.01.05 2009.05.22 -
    nProtect 2009.1.8.0 2009.05.23 -
    Panda 10.0.0.14 2009.05.23 -
    PCTools 4.4.2.0 2009.05.21 -
    Prevx 3.0 2009.05.23 -
    Rising 21.30.52.00 2009.05.23 -
    Sophos 4.42.0 2009.05.23 -
    Sunbelt 3.2.1858.2 2009.05.23 -
    Symantec 1.4.4.12 2009.05.23 -
    TheHacker 6.3.4.3.331 2009.05.22 -
    TrendMicro 8.950.0.1092 2009.05.23 -
    VBA32 3.12.10.5 2009.05.23 -
    ViRobot 2009.5.23.1749 2009.05.23 -
    Additional information
    File size: 2 bytes
    MD5 : 6226f7cbe59e99a90b5cef6f94f966fd
    SHA1 : 4452d71687b6bc2c9389c3349fdc17fbd73b833b
    SHA256: 03042cf8100db386818cee4ff0f2972431a62ed78edbd09ac08accfabbefd818
    TrID : File type identification
    Unknown!
    ssdeep: 3:G:G
    PEiD : -
    RDS : NSRL Reference Data Set

    ( Check Point Software Technologies Ltd )

    Check Point 2000 Enterprise Suite v.4.1 Strong (3DES) Edition: etcertut.exe




    ================================================
    ================================================




    c:\windows\system32\2757321258.dat


    File has already been analysed:
    MD5: 5e7e954d7eb504af49747a85336da63a
    First received: 2008.03.25 12:09:56 UTC
    Date: 2009.05.23 16:49:19 UTC [<1D]
    Results: 0/40
    Permalink: analisis/e8c8ac428fe98b423e983b4251fc6fa45776407223475cc55f03e0d874a9f863-1243097359


    This is info on the page where the Permalink brings me:


    File 213905052.dat received on 2009.05.23 16:49:19 (UTC)
    Current status: finished

    Result: 0/40 (0.00%)
    Compact Print results
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.05.23 -
    AhnLab-V3 5.0.0.2 2009.05.23 -
    AntiVir 7.9.0.168 2009.05.23 -
    Antiy-AVL 2.0.3.1 2009.05.22 -
    Authentium 5.1.2.4 2009.05.22 -
    Avast 4.8.1335.0 2009.05.23 -
    AVG 8.5.0.339 2009.05.23 -
    BitDefender 7.2 2009.05.23 -
    CAT-QuickHeal 10.00 2009.05.23 -
    ClamAV 0.94.1 2009.05.22 -
    Comodo 1157 2009.05.08 -
    DrWeb 5.0.0.12182 2009.05.23 -
    eSafe 7.0.17.0 2009.05.21 -
    eTrust-Vet 31.6.6519 2009.05.23 -
    F-Prot 4.4.4.56 2009.05.22 -
    F-Secure 8.0.14470.0 2009.05.23 -
    Fortinet 3.117.0.0 2009.05.23 -
    GData 19 2009.05.23 -
    Ikarus T3.1.1.49.0 2009.05.23 -
    K7AntiVirus 7.10.741 2009.05.21 -
    Kaspersky 7.0.0.125 2009.05.23 -
    McAfee 5624 2009.05.23 -
    McAfee+Artemis 5624 2009.05.23 -
    McAfee-GW-Edition 6.7.6 2009.05.23 -
    Microsoft 1.4701 2009.05.23 -
    NOD32 4098 2009.05.22 -
    Norman 6.01.05 2009.05.22 -
    nProtect 2009.1.8.0 2009.05.23 -
    Panda 10.0.0.14 2009.05.23 -
    PCTools 4.4.2.0 2009.05.21 -
    Prevx 3.0 2009.05.23 -
    Rising 21.30.52.00 2009.05.23 -
    Sophos 4.42.0 2009.05.23 -
    Sunbelt 3.2.1858.2 2009.05.23 -
    Symantec 1.4.4.12 2009.05.23 -
    TheHacker 6.3.4.3.331 2009.05.22 -
    TrendMicro 8.950.0.1092 2009.05.23 -
    VBA32 3.12.10.5 2009.05.23 -
    ViRobot 2009.5.23.1749 2009.05.23 -
    VirusBuster 4.6.5.0 2009.05.23 -
    Additional information
    File size: 32 bytes
    MD5 : 5e7e954d7eb504af49747a85336da63a
    SHA1 : c1a385f81c2f3789d7b113599901c4b562491023
    SHA256: e8c8ac428fe98b423e983b4251fc6fa45776407223475cc55f03e0d874a9f863
    TrID : File type identification
    Unknown!
    ssdeep: 3:5aW5fZYLU4GUJ78:EYfmg4V78
    PEiD : -
    RDS : NSRL Reference Data Set

  10. #10
    Junior Member
    Join Date
    May 2009
    Posts
    9

    Default The new Combofix Log

    When Combofix attempted to reset the computer, a popup message appeared that said:

    "Dwwin.exe failed to initialize because Windows station is shutting down" with an "ok" box

    I let it sit for about 5 minutes, at which point I attempted to open the Task Manager. It would not open, so I clicked ok on the popup message button, at which time the computer finished resetting.


    Here is the combofix log:


    ComboFix 09-05-22.08 - Owner 05/23/2009 12:44.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2287.1665 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\HOLYCRAP\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

    FILE ::
    c:\windows\system32\drivers\chdlzdnk.sys
    c:\windows\system32\drivers\svchost.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\uTorrent
    c:\program files\uTorrent\8179-utorrent.d6de.dmp
    c:\program files\WinMX
    c:\program files\WinMX\wpnpchannelcmds.txt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_chdlzdnk


    ((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
    .

    2009-05-21 00:21 . 2009-05-21 00:21 -------- d-----w c:\program files\ERUNT
    2009-05-20 05:17 . 2009-05-20 05:20 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-05-20 05:17 . 2009-05-20 05:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-05-20 04:44 . 2009-05-20 04:44 -------- d-----w c:\program files\Trend Micro
    2009-05-20 04:39 . 2009-05-20 04:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Safer Networking
    2009-05-20 04:37 . 2009-05-20 04:37 47688 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-20 04:37 . 2009-05-20 04:37 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
    2009-05-20 03:51 . 2009-05-20 03:51 -------- d-----w c:\documents and settings\Owner\Application Data\Safer Networking
    2009-05-20 03:51 . 2009-05-20 03:51 -------- d-----w c:\program files\Safer Networking
    2009-05-19 01:05 . 2009-05-19 01:05 2 ---h--w c:\windows\sto453190.dat
    2009-05-19 01:04 . 2009-05-19 01:04 32 --s-a-w c:\windows\system32\2757321258.dat
    2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
    2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
    2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
    2009-05-02 02:38 . 2009-05-02 02:38 290816 ----a-w c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
    2009-04-24 00:25 . 2009-04-24 02:10 -------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-23 17:49 . 2007-05-20 02:28 7304 ----a-w c:\windows\TMP0001.TMP
    2009-05-20 04:32 . 2006-05-01 13:10 6832 ----a-w c:\windows\system32\d3d9caps.dat
    2009-05-19 05:40 . 2006-05-19 01:47 -------- d-----w c:\program files\Windows Live Safety Center
    2009-05-12 02:12 . 2008-02-16 01:52 -------- d-----w c:\program files\Ableton
    2009-05-12 02:09 . 2007-11-24 04:25 -------- d-----w c:\documents and settings\Owner\Application Data\Ableton
    2009-05-07 06:45 . 2009-01-13 03:26 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
    2009-05-02 05:48 . 2008-03-16 02:32 -------- d-----w c:\program files\McAfee
    2009-05-02 02:40 . 2009-01-08 03:39 -------- d-----w c:\program files\SystemRequirementsLab
    2009-05-02 02:38 . 2009-01-08 03:39 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
    2009-03-27 13:14 . 2006-05-01 13:24 453152 ----a-w c:\windows\system32\NVUNINST.EXE
    2006-05-01 03:40 . 2006-04-14 02:09 65 ----a-w c:\program files\Common Files\appop.log
    2006-05-01 12:46 . 2006-05-01 07:29 56 --sh--r c:\windows\system32\5E0AFDD4F0.sys
    .

    ------- Sigcheck -------

    [7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
    [7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
    [-] 2008-11-30 07:12 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\system32\winlogon.exe

    [7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
    [7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
    [-] 2008-11-30 07:12 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-05-23_05.40.37 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-07-19 13:11 . 2009-05-23 15:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-07-19 13:11 . 2009-05-23 05:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-07-19 13:11 . 2009-05-23 15:10 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-07-19 13:11 . 2009-05-23 05:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
    "VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
    "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
    "Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
    "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
    "SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-08-17 90112]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
    "WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Ralink Wireless Utility.lnk - c:\program files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe [2006-4-10 561152]

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "midi1"= ma_cmidn.dll
    "midi4"= ma_cmidn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
    backup=c:\windows\pss\Dragon NaturallySpeaking.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "IDriverT"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
    "c:\\Program Files\\Sony\\EverQuest II\\EverQuest2.exe"=
    "c:\\Program Files\\RALINK\\RT2500 Wireless LAN Card\\Installer\\WINXP\\RaConfig2500.exe"=
    "c:\\WINDOWS\\system32\\drwtsn32.exe"=
    "c:\\WINDOWS\\system32\\dwwin.exe"=

    R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [4/13/2006 9:09 PM 38784]
    R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/19/2007 9:11 AM 72672]
    S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [4/13/2006 9:09 PM 116224]
    S3 L6PODLV;PODxt Live Service;c:\windows\system32\drivers\L6PODLV.sys [3/16/2008 6:00 PM 514432]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
    S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [7/12/2008 6:33 PM 360448]
    S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [7/12/2008 6:33 PM 18944]
    S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [7/12/2008 6:33 PM 33792]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - udffsrec
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-16 18:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j6tnr1aj.default\
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07030901.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-23 12:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\4.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1275210071-2147168017-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:4c,dd,3e,96,8f,f2,71,75,33,7f,f8,38,c5,92,3f,70,f4,f7,92,dd,ab,
    17,04,f0,7b,ef,3c,67,27,f6,03,1b,5d,0a,76,c8,7f,2c,1a,e5,11,de,33,8d,74,b7,\
    "rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(8144)
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\drivers\WTSrv.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\windows\system32\CTXFISPI.EXE
    c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    c:\progra~1\McAfee\MSC\mcuimgr.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-23 12:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-23 17:56
    ComboFix2.txt 2009-05-23 05:48

    Pre-Run: 13,941,227,520 bytes free
    Post-Run: 13,934,288,896 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=1,2,3,4
    216 --- E O F --- 2009-02-14 03:30
