IE 6 hijacked and spybot wont start up

[john butler]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:40 PM, on 8/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Xcalibur\system\programs\finSS_Server.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\program files\aim toolbar\aimtbServer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O1 - Hosts: 172.16.0.101 surveyor-host
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Finnigan Security Server - Unknown owner - C:\Xcalibur\system\programs\finSS_Server.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7750 bytes

 

[Shaba]

Hi john butler

Download gmer.zip and save to your desktop.
alternate download site

• Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
• When you have done this, disconnect from the Internet and close all running programs.
  There is a small chance this application may crash your computer so save any work you have open.
• Double-click on Gmer.exe to start the program.
• Allow the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
• Click on the Rootkit tab.
• Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
• Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
• Click on the "Scan" and wait for the scan to finish.
  Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
• When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
• Note: If you have any problems, try running GMER in SAFE MODE"

Important! Please do not select the "Show all" checkbox during the scan..

 

[john butler]

Shaba,

Thanks for the help. I downloaded gmer.zip and created a folder to extract the .exe to. I disconnected from my network. I tried running it out of a normal boot and safe mode. It would not start. I get no message. In the task manager it blinks for a second and disappears.

Any suggestions?

 

[Shaba]

Please rename gmer.exe and try again.

 

[john butler]

Shama,

Attached is the gmer log.

 

[john butler]

Shaba,

Am I supposed to include the log as an attachment?

 

[john butler]

part 1

Shaba,

Incase the attachment didn't take here is the log in three parts.

Thanks,

John

GMER 1.0.15.15020 [fixit.exe.exe] - http://www.gmer.net
Rootkit scan 2009-08-12 22:03:08
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA4F19AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAA4F1A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA4F1958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA4F196C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA4F1A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA4F1A81]
Code 86315A26 ZwEnumerateKey
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAA4F1AD9]
Code 8631A886 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA4F19EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA4F1B1E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAA4F1A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA4F1930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA4F1944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA4F19BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAA4F1B5A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA4F1AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAA4F1AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA4F1A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA4F1B46]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA4F1B32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA4F1996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA4F1982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAA4F1A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA4F1A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA4F1B08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA4F1A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA4F19D4]
Code 86312B5D IofCallDriver
Code 8677E89D IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
Code 86337B2D ZwSaveKey
Code 863393D5 ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 86312B62
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8677E8A2
.text ntoskrnl.exe!ZwSaveKey 804E42AE 5 Bytes JMP 86337B32
.text ntoskrnl.exe!ZwSaveKeyEx 804E42C2 5 Bytes JMP 863393DA
.text ntoskrnl.exe!ZwYieldExecution 80509014 7 Bytes JMP AA4F19D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80571CB4 5 Bytes JMP AA4F1A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 805720F8 7 Bytes JMP AA4F1AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057722F 5 Bytes JMP AA4F1A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80577FA4 7 Bytes JMP AA4F1B5E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 805783A4 5 Bytes JMP 86315A2A
PAGE ntoskrnl.exe!NtOpenProcess 80579084 5 Bytes JMP AA4F1934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80579399 7 Bytes JMP AA4F19C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057D3BC 5 Bytes JMP AA4F19AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057E29B 5 Bytes JMP AA4F1A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E713 7 Bytes JMP AA4F19EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 8057FF0B 7 Bytes JMP AA4F1A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80581B25 5 Bytes JMP AA4F1986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80585F1C 5 Bytes JMP 8631A88A
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058AB14 7 Bytes JMP AA4F1970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058C39D 5 Bytes JMP AA4F1A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 8058F45F 7 Bytes JMP AA4F1ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 805969F7 7 Bytes JMP AA4F1A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 8059817B 7 Bytes JMP AA4F1A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805B1337 5 Bytes JMP AA4F1948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 805B1BA6 5 Bytes JMP AA4F1B22 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805C0C00 5 Bytes JMP AA4F195C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80633D93 5 Bytes JMP AA4F199A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8065316C 5 Bytes JMP AA4F1B36 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 80653445 7 Bytes JMP AA4F1B0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 80653D14 7 Bytes JMP AA4F1AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8065415B 7 Bytes JMP AA4F1A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8065464E 5 Bytes JMP AA4F1B4A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\drivers\sonyhcb.sys Access is denied.
.text USBPORT.SYS!DllUnload F6AFE62C 5 Bytes JMP 86FD01C8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[256] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[508] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E6006F
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E60054
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E60043
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E60F90
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E60FB2
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E60F69
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E600B1
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E60F33
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E600D6
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00E60F22
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00E60FA1
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E60FD4
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00E60094
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00E60014
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\svchost.exe[508] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00E60F58
.text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00E50036
.text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00E50073
.text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00E50025
.text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00E50062
.text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00E50051
.text C:\WINDOWS\system32\svchost.exe[508] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00E50FCA
.text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E4005D
.text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40042
.text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E4001D
.text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40FD2
.text C:\WINDOWS\system32\svchost.exe[508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40FE3
.text C:\WINDOWS\system32\svchost.exe[508] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\system32\svchost.exe[508] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[508] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00E30FC3
.text C:\WINDOWS\system32\svchost.exe[508] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00E30FB2
.text C:\WINDOWS\system32\svchost.exe[508] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\winlogon.exe[744] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 008C000A
.text C:\WINDOWS\system32\winlogon.exe[744] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 008D000A
.text C:\WINDOWS\system32\services.exe[788] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\services.exe[788] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E90F86
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E90FA1
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExW 7C801AF1 3 Bytes JMP 00E9006F
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExW + 4 7C801AF5 1 Byte [84]
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E90FB2
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E90FC3
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E900B1
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E90F69
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E90F3A
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E900DD
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00E900EE
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00E9004A
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E90FD4
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00E90096
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00E90025
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00E90014
.text C:\WINDOWS\system32\services.exe[788] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00E900C2
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 0007001E
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0007008A
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0007006F
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FAD
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060038
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0006001D
.text C:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[788] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[788] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[788] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00050025
.text C:\WINDOWS\system32\services.exe[788] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\services.exe[788] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\lsass.exe[800] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 013F0000
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 013F0F5C
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 013F005B
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 013F0F81
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 013F0F9E
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 013F0036
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 013F0F29
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 013F0F3A
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 013F0EE2
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 013F0F07
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 013F0ED1
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 013F0FAF
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 013F0FDB
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 013F0F4B
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 013F0011
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 013F0FC0
.text C:\WINDOWS\system32\lsass.exe[800] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 013F0F18
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 013E0036
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 013E0F8A
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 013E0011
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 013E0000
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 013E0047
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 013E0FE5
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 013E0FA5
.text C:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 013E0FC0
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013D0051
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!system 77C293C7 5 Bytes JMP 013D0FC6
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013D001B
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013D0000
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013D002C
.text C:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013D0FD7
.text C:\WINDOWS\system32\lsass.exe[800] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0136000A
.text C:\WINDOWS\system32\lsass.exe[800] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 013C001B
.text C:\WINDOWS\system32\lsass.exe[800] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 013C000A
.text C:\WINDOWS\system32\lsass.exe[800] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 013C0FEF
.text C:\WINDOWS\system32\lsass.exe[800] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 013C0FDE
.text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DF0F7A
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DF0065
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DF0054
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DF0F97
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DF0FB9
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DF009B
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DF0F55
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DF0F09
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DF0F24
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00DF00BD
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00DF0FA8
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00DF001B
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00DF0080
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00DF0FCA
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00DF0FE5
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00DF00AC
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00D1002C
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00D10FA8
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00D10047
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00F8B
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00F9C
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FC1
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00016
.text C:\WINDOWS\system32\svchost.exe[852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D00FDE
.text C:\WINDOWS\system32\svchost.exe[852] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00CF0011
.text C:\WINDOWS\system32\svchost.exe[852] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[852] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00CF0022
.text C:\WINDOWS\system32\svchost.exe[852] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00CF0FDB
.text C:\WINDOWS\system32\svchost.exe[852] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02990000
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02990F4D
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02990F68
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02990F79
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02990F8A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02990FC0
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02990F1F
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02990067
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 029900AE
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02990093
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 029900C9
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02990FAF
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02990FE5
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02990F3C
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02990036
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0299001B
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02990082
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02980FC3
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0298006F
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 02980FD4
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 02980FE5
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 02980054
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 02980000
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 02980FB2
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0298002F
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02970F86
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!system 77C293C7 5 Bytes JMP 02970011
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02970FBC
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02970FEF
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02970FAB
.text C:\WINDOWS\system32\svchost.exe[988] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02970000
.text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 01450FE5
.text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 01450000
.text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 01450FCA
.text C:\WINDOWS\system32\svchost.exe[988] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 0145001D
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01330FEF
.text C:\WINDOWS\Explorer.EXE[1020] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001F0FEF
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001F0090
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001F007F
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001F0062
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001F0047
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001F0FCA
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001F0F5E
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001F0F6F
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001F00DC
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001F00C1
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001F0F32
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001F0FA5
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001F000A
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001F0F80
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001F0036
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001F001B
.text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001F0F43
.text C:\WINDOWS\Explorer.EXE[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002D0FB9
.text C:\WINDOWS\Explorer.EXE[1020] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002D0F7C
.text C:\WINDOWS\Explorer.EXE[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\Explorer.EXE[1020] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002D0FE5
.text C:\WINDOWS\Explorer.EXE[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002D002F
.text C:\WINDOWS\Explorer.EXE[1020] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002D000A
.text C:\WINDOWS\Explorer.EXE[1020] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002D0F8D
.text C:\WINDOWS\Explorer.EXE[1020] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002D0F9E
.text C:\WINDOWS\Explorer.EXE[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002E0F8B
.text C:\WINDOWS\Explorer.EXE[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 002E0FA6
.text C:\WINDOWS\Explorer.EXE[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002E0FD2
.text C:\WINDOWS\Explorer.EXE[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002E000C
.text C:\WINDOWS\Explorer.EXE[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002E0FC1
.text C:\WINDOWS\Explorer.EXE[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002E0FEF
.text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00300FDE
.text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00300FEF
.text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00300FC1
.text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00300014
.text C:\WINDOWS\Explorer.EXE[1020] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B90FE5

 

[john butler]

part 2

.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1172] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A6000A
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01140000
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01140F7E
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0114007D
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01140F99
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01140FC0
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01140051
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 011400A9
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01140098
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01140F21
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01140F46
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 01140F10
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 01140062
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01140FEF
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 01140F6D
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 01140040
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 01140025
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 011400C4
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 01130040
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 01130FA8
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 01130025
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 0113000A
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 01130FC3
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 01130FEF
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0113005B
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 01130FD4
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0112001B
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!system 77C293C7 5 Bytes JMP 01120F90
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01120FAB
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01120FEF
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01120000
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01120FC6
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 01110014
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 01110025
.text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 01110FD2
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FF000A
.text C:\Xcalibur\system\programs\finSS_Server.exe[1292] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 08CB000A
.text C:\Xcalibur\system\programs\finSS_Server.exe[1292] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 08CC000A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[1388] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00B1000A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[1388] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00B2000A
.text C:\Program Files\iPod\bin\iPodService.exe[1456] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00AE000A
.text C:\Program Files\iPod\bin\iPodService.exe[1456] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00AF000A
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[1620] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00CB000A
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02C60000
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02C60F83
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02C60F94
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02C60FAF
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02C60062
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02C60FCA
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02C60F55
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02C60F72
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02C60F44
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02C600D3
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02C60F33
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02C60051
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02C6001B
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 02C60093
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02C60FDB
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 02C6002C
.text C:\WINDOWS\System32\svchost.exe[1640] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 02C600C2
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02C5002C
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 02C50F9E
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 02C50FDB
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 02C50011
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 02C50FAF
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 02C50000
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 02C50FC0
.text C:\WINDOWS\System32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 02C50047
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02C40042
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!system 77C293C7 5 Bytes JMP 02C40FB7
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02C40FD9
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02C40000
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02C40FC8
.text C:\WINDOWS\System32\svchost.exe[1640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02C4001D
.text C:\WINDOWS\System32\svchost.exe[1640] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 02C30011
.text C:\WINDOWS\System32\svchost.exe[1640] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 02C30000
.text C:\WINDOWS\System32\svchost.exe[1640] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 02C30FDB
.text C:\WINDOWS\System32\svchost.exe[1640] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 02C30FBE
.text C:\WINDOWS\System32\svchost.exe[1640] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02C20000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1688] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A8000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1688] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A9000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1688] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1688] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C00FA5
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C00090
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C00073
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C00FB6
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C00047
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C000D0
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C00F94
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C00F6D
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C000FC
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C00121
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C00058
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C0001B
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C000BF
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C00FDB
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C0002C
.text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C000EB
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00BF0098
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00BF0087
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F90
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FC6
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FAB
.text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\system32\svchost.exe[1756] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1756] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1756] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1756] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00BD0FC8
.text C:\WINDOWS\system32\svchost.exe[1756] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BC0FEF
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[1824] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A6000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[1824] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E0000A
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E000A4
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E00089
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E0006C
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E00FB9
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E0004A
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E00F68
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E00F79
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E000CB
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E00F32
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00E00F17
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00E0005B
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00E00F94
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00E0002F
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00E00FDE
.text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00E00F4D
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00DF001B
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00DF0F6F
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00DF0FCA
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00DF002C
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00DF0FE5
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00DF0F94
.text C:\WINDOWS\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00DF0FAF
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DE004B
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DE003A
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DE0029
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DE0FD4
.text C:\WINDOWS\system32\svchost.exe[1860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DE000C
.text C:\WINDOWS\system32\svchost.exe[1860] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00DD0FDB
.text C:\WINDOWS\system32\svchost.exe[1860] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[1860] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00DD0FCA
.text C:\WINDOWS\system32\svchost.exe[1860] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00DD001D
.text C:\WINDOWS\system32\svchost.exe[1860] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B2005B
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B20F70
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B2004A
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B20F8D
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B20FB9
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B2009D
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B20F55
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B200BF
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B200AE
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00B20F01
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00B20F9E
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00B20014
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00B20076
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00B20025
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00B20FDE
.text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00B20F30
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 010A000A
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 010A0F83
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 010A0FB9
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 010A0FD4
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 010A0036
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 010A0FEF
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 010A0F94
.text C:\WINDOWS\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 010A001B
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0109003F
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!system 77C293C7 5 Bytes JMP 0109002E
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0109001D
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01090FBE
.text C:\WINDOWS\system32\svchost.exe[1968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01090FE3
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 00FF0FD2
.text C:\WINDOWS\system32\svchost.exe[1968] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 00FF0FB7
.text C:\WINDOWS\system32\svchost.exe[1968] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\system32\HPZipm12.exe[2000] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\HPZipm12.exe[2000] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A5000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[2032] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A5000A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[2032] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A6000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2388] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00AE000A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2388] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00AF000A
.text C:\Program Files\iTunes\iTunesHelper.exe[2884] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 08D0000A
.text C:\Program Files\iTunes\iTunesHelper.exe[2884] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 08D1000A
.text C:\WINDOWS\System32\alg.exe[2912] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\alg.exe[2912] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00EA000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 002B0FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 002B0073
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 002B0062
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 002B0047
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 002B0F94
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 002B001B
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002B0F2B
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 002B0F46
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002B0EE4
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 002B0EFF
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 002B0ED3
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 002B002C
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 002B000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 002B0F6D
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 002B0FB9
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 002B0FD4
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 002B0F1A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00390FC3
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00390FDE
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00390033
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00390FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0039004E
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00390018
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 003A002C
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 003A0062
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 003A0FE5
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 003A001B
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 003A0F9B
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 003A0000
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 003A0047
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 003A0FC0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 003C0FDE
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WININET.dll!HttpAddRequestHeadersA 771C40A2 5 Bytes JMP 00F5000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 003C0FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 003C000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WININET.dll!HttpAddRequestHeadersW 771CEEDC 5 Bytes JMP 0104000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 003C0027
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C00FEF
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00B027E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WS2_32.dll!send 71AB428A 5 Bytes JMP 00B027C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[3068] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00B029A0
.text C:\Documents and Settings\JB\Desktop\fixit.exe.exe[3476] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 08D7000A
.text C:\Documents and Settings\JB\Desktop\fixit.exe.exe[3476] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 08D8000A
.text C:\WINDOWS\system32\wuauclt.exe[3528] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\wuauclt.exe[3528] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00200000
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00200098
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00200073
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00200062
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00200FAF
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00200FCA
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00200F77
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 002000BF
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00200F37
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00200F48
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 002000EB
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00200051
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0020001B
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00200F88
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00200FE5
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0020002C
.text C:\WINDOWS\system32\wuauclt.exe[3528] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 002000D0
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002E0047
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!system 77C293C7 5 Bytes JMP 002E0FB2
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002E0011
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002E0000
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002E0022
.text C:\WINDOWS\system32\wuauclt.exe[3528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002E0FE3
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002F0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002F0062
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002F0025
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002F000A
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002F0051
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002F0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002F0FAF
.text C:\WINDOWS\system32\wuauclt.exe[3528] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002F0036
.text C:\WINDOWS\system32\wuauclt.exe[3528] WININET.dll!InternetOpenW 771BAEE5 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3528] WININET.dll!InternetOpenA 771C575E 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3528] WININET.dll!InternetOpenUrlA 771C5A11 5 Bytes JMP 006C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[3528] WININET.dll!InternetOpenUrlW 771D5B5A 5 Bytes JMP 006C0016
.text C:\WINDOWS\system32\wuauclt.exe[3528] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008C0000
.text C:\WINDOWS\System32\hkcmd.exe[3816] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 08CE000A
.text C:\WINDOWS\System32\hkcmd.exe[3816] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 08CF000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F75A697E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F75A692A] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F75C1B4E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F75A697E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7592AB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7592BFA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7592B7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7593728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F75935FE] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FCF1E8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 862FC980

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

 

[john butler]

part 3

Device \Driver\NetBT \Device\NetBT_Tcpip_{C600931F-64E4-47FF-90A0-C30BC30EA80B} 862E3660
Device \Driver\usbuhci \Device\USBPDO-0 867461E8
Device \Driver\usbuhci \Device\USBPDO-1 867461E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86FD11E8
Device \Driver\dmio \Device\DmControl\DmConfig 86FD11E8
Device \Driver\dmio \Device\DmControl\DmPnP 86FD11E8
Device \Driver\dmio \Device\DmControl\DmInfo 86FD11E8
Device \Driver\usbuhci \Device\USBPDO-2 867461E8
Device \Driver\usbuhci \Device\USBPDO-3 867461E8
Device \Driver\usbehci \Device\USBPDO-4 8672F1E8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86F5E1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86F5E1E8
Device \Driver\USBSTOR \Device\00000072 86279460
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86F5D1E8
Device \Driver\atapi \Device\Ide\IdePort0 86F5D1E8
Device \Driver\atapi \Device\Ide\IdePort1 86F5D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 86F5D1E8
Device \Driver\USBSTOR \Device\00000075 86279460
Device \Driver\NetBT \Device\NetBt_Wins_Export 862E3660
Device \Driver\NetBT \Device\NetbiosSmb 862E3660

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 867461E8
Device \Driver\usbuhci \Device\USBFDO-1 867461E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 862D41E8
Device \Driver\usbuhci \Device\USBFDO-2 867461E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 862D41E8
Device \Driver\usbuhci \Device\USBFDO-3 867461E8
Device \Driver\usbehci \Device\USBFDO-4 8672F1E8
Device \Driver\Ftdisk \Device\FtControl 86F5E1E8
Device \FileSystem\Fastfat \Fat 862FC980

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs 8647D1E8
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UAChblnnrekdp.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [988] 0x02CB0000
Library \\?\globalroot\systemroot\system32\UACelxfoliipk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [988] 0x02FC0000

---- Services - GMER 1.0.15 ----

Service system32\drivers\gaopdxkaprmbjx.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\SKYNETkdbvfdtj.sys (*** hidden *** ) [SYSTEM] SKYNETcgvpuyvp <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACwpkayqljpo.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\vsfoceahyocoph.sys (*** hidden *** ) [SYSTEM] vsfocebjeihugk <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkaprmbjx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp@imagepath \systemroot\system32\drivers\SKYNETkdbvfdtj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\main@aid 10002
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\main@sid 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETkdbvfdtj.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\modules@SKYNETcmd.dll \systemroot\system32\SKYNETqqqcrmlh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\modules@SKYNETlog.dat \systemroot\system32\SKYNETrhamuxuc.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETqunapqol.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETcgvpuyvp\modules@SKYNET.dat \systemroot\system32\SKYNETfpqkebvu.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7B 0x84 0xCB 0x1B ...
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwpkayqljpo.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwpkayqljpo.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACxyhafmbydn.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACuvfiuduuhj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACfbweqrbxhp.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACdqutusosvg.db
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACelxfoliipk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAChjiahyjoph.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UAChblnnrekdp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk@imagepath \systemroot\system32\drivers\vsfoceahyocoph.sys
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\main@aid 10002
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\main@sid 1
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\modules@vsfocerk.sys \systemroot\system32\drivers\vsfoceahyocoph.sys
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\modules@vsfocecmd.dll \systemroot\system32\vsfocerihjhjlv.dll
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\modules@vsfocelog.dat \systemroot\system32\vsfocenngsspfg.dat
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\modules@vsfocewsp.dll \systemroot\system32\vsfocewuosnqno.dll
Reg HKLM\SYSTEM\ControlSet001\Services\vsfocebjeihugk\modules@vsfoce.dat \systemroot\system32\vsfocegqilhugg.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkaprmbjx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp@imagepath \systemroot\system32\drivers\SKYNETkdbvfdtj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETkdbvfdtj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\modules@SKYNETcmd.dll \systemroot\system32\SKYNETqqqcrmlh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\modules@SKYNETlog.dat \systemroot\system32\SKYNETrhamuxuc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETqunapqol.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETcgvpuyvp\modules@SKYNET.dat \systemroot\system32\SKYNETfpqkebvu.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7B 0x84 0xCB 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwpkayqljpo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwpkayqljpo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACxyhafmbydn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACuvfiuduuhj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACfbweqrbxhp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACdqutusosvg.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACelxfoliipk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAChjiahyjoph.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UAChblnnrekdp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk@imagepath \systemroot\system32\drivers\vsfoceahyocoph.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\modules@vsfocerk.sys \systemroot\system32\drivers\vsfoceahyocoph.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\modules@vsfocecmd.dll \systemroot\system32\vsfocerihjhjlv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\modules@vsfocelog.dat \systemroot\system32\vsfocenngsspfg.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\modules@vsfocewsp.dll \systemroot\system32\vsfocewuosnqno.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocebjeihugk\modules@vsfoce.dat \systemroot\system32\vsfocegqilhugg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkaprmbjx.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp@imagepath \systemroot\system32\drivers\SKYNETkdbvfdtj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\main@sid 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETkdbvfdtj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\modules@SKYNETcmd.dll \systemroot\system32\SKYNETqqqcrmlh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\modules@SKYNETlog.dat \systemroot\system32\SKYNETrhamuxuc.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\modules@SKYNETwsp.dll \systemroot\system32\SKYNETqunapqol.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETcgvpuyvp\modules@SKYNET.dat \systemroot\system32\SKYNETfpqkebvu.dat
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7B 0x84 0xCB 0x1B ...
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwpkayqljpo.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACwpkayqljpo.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACxyhafmbydn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACuvfiuduuhj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACfbweqrbxhp.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACdqutusosvg.db
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACelxfoliipk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UAChjiahyjoph.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UAChblnnrekdp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk@imagepath \systemroot\system32\drivers\vsfoceahyocoph.sys
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\main@sid 1
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\modules@vsfocerk.sys \systemroot\system32\drivers\vsfoceahyocoph.sys
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\modules@vsfocecmd.dll \systemroot\system32\vsfocerihjhjlv.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\modules@vsfocelog.dat \systemroot\system32\vsfocenngsspfg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\modules@vsfocewsp.dll \systemroot\system32\vsfocewuosnqno.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocebjeihugk\modules@vsfoce.dat \systemroot\system32\vsfocegqilhugg.dat

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\SKYNETkdbvfdtj.sys 70656 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\UACwpkayqljpo.sys 54784 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\SKYNETfpqkebvu.dat 91 bytes
File C:\WINDOWS\system32\SKYNETqqqcrmlh.dll 44544 bytes
File C:\WINDOWS\system32\SKYNETqunapqol.dll 20480 bytes
File C:\WINDOWS\system32\SKYNETrhamuxuc.dat 173263 bytes
File C:\WINDOWS\system32\UACdqutusosvg.db 1110399 bytes
File C:\WINDOWS\system32\UACelxfoliipk.dll 30208 bytes executable
File C:\WINDOWS\system32\UACfbweqrbxhp.dat 310 bytes
File C:\WINDOWS\system32\UAChblnnrekdp.dll 20480 bytes executable
File C:\WINDOWS\system32\UAChjiahyjoph.dll 18432 bytes executable
File C:\WINDOWS\system32\uacinit.dll 6580 bytes
File C:\WINDOWS\system32\UACuvfiuduuhj.dll 74240 bytes executable
File C:\WINDOWS\system32\UACxyhafmbydn.dll 26624 bytes executable
File C:\WINDOWS\Temp\UAC4e59.tmp 74240 bytes executable

---- EOF - GMER 1.0.15 ----

 

[Shaba]

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

 

[john butler]

Shaba.

combifix won't run.

John

 

[Shaba]

Please rename combofix.exe and try again.

 

[john butler]

combifix log

Shaba,

It ran. See attached.

Regards,

John

 

[john butler]

Hijackthis log

Shaba,

Hijach this ran OK but I could not attach the log. Here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:40 AM, on 8/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Xcalibur\system\programs\finSS_Server.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy bak\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy bak\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy bak\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Finnigan Security Server - Unknown owner - C:\Xcalibur\system\programs\finSS_Server.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7037 bytes

 

[Shaba]

Please copy/paste combofix log to your next reply

 

[john butler]

Combifix log

ComboFix 09-08-10.06 - repair 08/13/2009 8:14.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.617 [GMT -5:00]
Running from: c:\documents and settings\repair\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\mlog
c:\windows\Install.txt
c:\windows\run.log
c:\windows\system\msvbvm60.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\components
c:\windows\system32\config\systemprofile\Desktop\System Security 2009.lnk
c:\windows\system32\drivers\gaopdxkaprmbjx.sys
c:\windows\system32\drivers\SKYNETkdbvfdtj.sys
c:\windows\system32\drivers\UACwpkayqljpo.sys
c:\windows\system32\drivers\vsfoceahyocoph.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Install.txt
c:\windows\system32\SKYNETfpqkebvu.dat
c:\windows\system32\SKYNETqqqcrmlh.dll
c:\windows\system32\SKYNETqunapqol.dll
c:\windows\system32\SKYNETrhamuxuc.dat
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\UACdqutusosvg.db
c:\windows\system32\UACelxfoliipk.dll
c:\windows\system32\UACfbweqrbxhp.dat
c:\windows\system32\UAChblnnrekdp.dll
c:\windows\system32\UAChjiahyjoph.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACuvfiuduuhj.dll
c:\windows\system32\UACxyhafmbydn.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vsfocegqilhugg.dat
c:\windows\system32\vsfocenngsspfg.dat
c:\windows\system32\vsfocerihjhjlv.dll
c:\windows\system32\vsfocewuosnqno.dll
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_gaopdxserv.sys
-------\Service_SKYNETcgvpuyvp
-------\Legacy_SKYNETcgvpuyvp
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Service_vsfocebjeihugk
-------\Legacy_vsfocebjeihugk
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC


((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-13 12:49 . 2009-08-13 12:49 -------- d-----w- c:\documents and settings\repair\Application Data\Malwarebytes
2009-08-11 13:30 . 2009-08-11 13:31 -------- d-----w- c:\program files\Spybot - Search & Destroy bak
2009-08-11 01:57 . 2009-08-11 01:57 -------- d-----w- c:\program files\ERUNT
2009-08-11 01:50 . 2009-08-11 01:50 -------- d-s---w- c:\documents and settings\repair\UserData
2009-08-11 01:42 . 2009-07-13 06:42 286880 ----a-r- c:\documents and settings\repair\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-08-11 01:39 . 2009-08-11 01:39 -------- d-----w- c:\documents and settings\repair\Application Data\McAfee
2009-08-11 01:39 . 2009-08-11 01:39 49152 ----a-r- c:\documents and settings\repair\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-08-11 01:39 . 2009-08-11 01:39 49152 ----a-r- c:\documents and settings\repair\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-08-09 23:25 . 2009-08-09 23:25 -------- d-----w- c:\documents and settings\JB\.housecall6.6
2009-08-07 22:23 . 2009-08-07 22:23 -------- d-----w- c:\program files\CDBurnerXP
2009-08-07 03:05 . 2009-08-07 03:05 -------- d-----w- c:\documents and settings\THE PRESIDENT BUTLER\Application Data\Malwarebytes
2009-08-07 03:04 . 2009-08-07 03:04 -------- d-s---w- c:\documents and settings\THE PRESIDENT BUTLER\UserData
2009-08-05 12:25 . 2009-08-05 12:25 -------- d-s---w- c:\documents and settings\New User\UserData
2009-08-05 11:43 . 2009-08-05 11:43 -------- d-----w- c:\documents and settings\New User\Local Settings\Application Data\AIM Toolbar
2009-08-05 11:39 . 2009-08-05 11:39 -------- d-----w- c:\documents and settings\New User\Application Data\Malwarebytes
2009-08-05 03:04 . 2009-08-05 03:05 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-04 06:26 . 2009-08-04 06:26 552 ----a-w- c:\windows\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 04:05 . 2009-01-28 12:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 14:19 . 2006-07-16 13:51 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-11 13:21 . 2007-01-24 21:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-08-11 13:12 . 2007-03-14 03:48 -------- d-----w- c:\program files\DivX
2009-08-11 12:28 . 2009-01-28 13:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 01:39 . 2007-02-19 19:14 -------- d-----w- c:\program files\McAfee
2009-08-05 11:41 . 2005-09-02 17:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 18:36 . 2009-01-28 12:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-28 12:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 14:01 . 2008-06-24 21:24 -------- d-----w- c:\program files\Musicnotes
2009-07-28 20:59 . 2006-07-07 01:46 -------- d-----w- c:\program files\Common Files\AOL
2009-07-28 20:59 . 2006-07-07 01:46 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL
2009-07-05 20:45 . 2009-07-05 20:45 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-07-05 20:45 . 2009-07-05 20:44 -------- d-----w- c:\program files\AIM Toolbar
2009-07-05 20:44 . 2009-07-05 20:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AIM Toolbar
2009-07-05 20:44 . 2009-07-05 20:44 -------- d-----w- c:\program files\AIM Search
2009-06-26 16:18 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 17:31 . 2009-06-13 17:31 35568 ----a-w- c:\documents and settings\pie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-04-06 77824]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\repair\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dla"=c:\windows\system32\dla\tfswctrl.exe
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"IPHSend"=c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
"HostManager"=c:\program files\Common Files\AOL\1152236799\ee\AOLSoftware.exe
"MSxmlHpr"=RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_09\\jre\\bin\\java.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\HP Photosmart\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP Photosmart\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP Photosmart\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [9/23/2007 6:20 PM 6097]
R2 Finnigan Security Server;Finnigan Security Server;c:\xcalibur\system\programs\finSS_Server.exe [11/13/2005 12:30 AM 53248]
S2 gjjjovr;gjjjovr;c:\windows\system32\drivers\oiladxpj.sys --> c:\windows\system32\drivers\oiladxpj.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [9/23/2007 6:20 PM 299923]
.
- - - - ORPHANS REMOVED - - - -

Notify-SensLogn - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 08:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\AppID\ Héwˆø*÷wàÕöwÿÿÿÿ²õw¬Âw]
"AppId"="{63F05342-C5D2-11D2-9960-0000C0EB84F5}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\windows\system32\msiexec.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-13 8:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 13:27

Pre-Run: 115,331,346,432 bytes free
Post-Run: 115,897,090,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

206 --- E O F --- 2009-08-11 13:32

 

[Shaba]

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  Driver::
  gjjjovr

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

[john butler]

conbifix log

ComboFix 09-08-10.06 - repair 08/13/2009 20:35.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.603 [GMT -5:00]
Running from: c:\documents and settings\repair\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\repair\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gjjjovr


((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-13 12:49 . 2009-08-13 12:49 -------- d-----w- c:\documents and settings\repair\Application Data\Malwarebytes
2009-08-11 13:30 . 2009-08-14 01:41 -------- d-----w- c:\program files\Spybot - Search & Destroy bak
2009-08-11 01:57 . 2009-08-11 01:57 -------- d-----w- c:\program files\ERUNT
2009-08-11 01:50 . 2009-08-11 01:50 -------- d-s---w- c:\documents and settings\repair\UserData
2009-08-11 01:42 . 2009-07-13 06:42 286880 ----a-r- c:\documents and settings\repair\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-08-11 01:39 . 2009-08-11 01:39 -------- d-----w- c:\documents and settings\repair\Application Data\McAfee
2009-08-11 01:39 . 2009-08-11 01:39 49152 ----a-r- c:\documents and settings\repair\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-08-11 01:39 . 2009-08-11 01:39 49152 ----a-r- c:\documents and settings\repair\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-08-09 23:25 . 2009-08-09 23:25 -------- d-----w- c:\documents and settings\JB\.housecall6.6
2009-08-07 22:23 . 2009-08-07 22:23 -------- d-----w- c:\program files\CDBurnerXP
2009-08-07 03:05 . 2009-08-07 03:05 -------- d-----w- c:\documents and settings\THE PRESIDENT BUTLER\Application Data\Malwarebytes
2009-08-07 03:04 . 2009-08-07 03:04 -------- d-s---w- c:\documents and settings\THE PRESIDENT BUTLER\UserData
2009-08-05 12:25 . 2009-08-05 12:25 -------- d-s---w- c:\documents and settings\New User\UserData
2009-08-05 11:43 . 2009-08-05 11:43 -------- d-----w- c:\documents and settings\New User\Local Settings\Application Data\AIM Toolbar
2009-08-05 11:39 . 2009-08-05 11:39 -------- d-----w- c:\documents and settings\New User\Application Data\Malwarebytes
2009-08-05 03:04 . 2009-08-05 03:05 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-04 06:26 . 2009-08-04 06:26 552 ----a-w- c:\windows\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 14:18 . 2006-07-16 13:51 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-08-13 04:05 . 2009-01-28 12:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 13:21 . 2007-01-24 21:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-08-11 13:12 . 2007-03-14 03:48 -------- d-----w- c:\program files\DivX
2009-08-11 12:28 . 2009-01-28 13:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 01:39 . 2007-02-19 19:14 -------- d-----w- c:\program files\McAfee
2009-08-05 11:41 . 2005-09-02 17:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 18:36 . 2009-01-28 12:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-28 12:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 14:01 . 2008-06-24 21:24 -------- d-----w- c:\program files\Musicnotes
2009-07-28 20:59 . 2006-07-07 01:46 -------- d-----w- c:\program files\Common Files\AOL
2009-07-28 20:59 . 2006-07-07 01:46 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL
2009-07-05 20:45 . 2009-07-05 20:45 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-07-05 20:45 . 2009-07-05 20:44 -------- d-----w- c:\program files\AIM Toolbar
2009-07-05 20:44 . 2009-07-05 20:44 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AIM Toolbar
2009-07-05 20:44 . 2009-07-05 20:44 -------- d-----w- c:\program files\AIM Search
2009-06-26 16:18 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 17:31 . 2009-06-13 17:31 35568 ----a-w- c:\documents and settings\pie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-13_13.24.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-14 01:47 . 2009-08-14 01:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-09-02 16:51 . 2009-08-13 12:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-02 16:51 . 2009-08-14 01:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-09-02 16:51 . 2009-08-13 12:47 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-09-02 16:51 . 2009-08-14 01:47 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-14 01:40 . 2009-08-14 01:40 8192 c:\windows\ERDNT\subs\Users\00000008\ntuser.dat
+ 2009-08-14 01:40 . 2009-08-14 01:40 106496 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-14 01:40 . 2009-08-14 01:40 4042752 c:\windows\ERDNT\subs\Users\00000014\NTUSER.DAT
+ 2009-08-14 01:40 . 2009-08-14 01:40 4644864 c:\windows\ERDNT\subs\Users\00000013\ntuser.dat
+ 2009-08-14 01:40 . 2009-08-14 01:40 4296704 c:\windows\ERDNT\subs\Users\00000012\NTUSER.DAT
+ 2009-08-14 01:40 . 2009-08-14 01:40 5844992 c:\windows\ERDNT\subs\Users\00000011\NTUSER.DAT
+ 2009-08-14 01:40 . 2009-08-14 01:40 6000640 c:\windows\ERDNT\subs\Users\00000010\NTUSER.DAT
+ 2009-08-14 01:40 . 2009-08-14 01:40 4321280 c:\windows\ERDNT\subs\Users\00000009\ntuser.dat
+ 2009-08-14 01:40 . 2009-08-14 01:40 3932160 c:\windows\ERDNT\subs\Users\00000007\ntuser.dat
+ 2009-08-14 01:40 . 2009-08-14 01:40 4079616 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-14 01:40 . 2009-08-14 01:40 3297280 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-13 13:21 . 2009-08-13 13:21 1388544 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-14 01:40 . 2009-08-14 01:40 1388544 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-14 01:40 . 2009-08-14 01:40 3297280 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-13 13:21 . 2009-08-13 13:21 1388544 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-14 01:40 . 2009-08-14 01:40 1388544 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-04-06 77824]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\repair\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dla"=c:\windows\system32\dla\tfswctrl.exe
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"IPHSend"=c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
"HostManager"=c:\program files\Common Files\AOL\1152236799\ee\AOLSoftware.exe
"MSxmlHpr"=RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_09\\jre\\bin\\java.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\HP Photosmart\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP Photosmart\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP Photosmart\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [9/23/2007 6:20 PM 6097]
R2 Finnigan Security Server;Finnigan Security Server;c:\xcalibur\system\programs\finSS_Server.exe [11/13/2005 12:30 AM 53248]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [9/23/2007 6:20 PM 299923]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 20:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\AppID\ Héwˆø*÷wàÕöwÿÿÿÿ²õw¬Âw]
"AppId"="{63F05342-C5D2-11D2-9960-0000C0EB84F5}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2168)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\progra~1\SPYBOT~2\SDHelper.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-14 20:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-14 01:56
ComboFix2.txt 2009-08-13 13:28

Pre-Run: 115,834,208,256 bytes free
Post-Run: 115,772,710,912 bytes free

178 --- E O F --- 2009-08-11 13:32

 

[Shaba]

Please go to ESET Online Scanner - © ESET All Rights Reserved... to run an online scan.
Note: You - will - need to use Internet Explorer for this scan!

1. Check the box next to "YES, I accept the Terms of Use."
2. Click "Start"
3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
   Once installed, the scanner will be initialized.
4. Click "Start". Make sure that the options:
   • Remove found threats is UNCHECKED
   • Scan unwanted applications is CHECKED
5. Click "Scan"
6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
7. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
8. Copy and paste the contents of log.txt in your next reply.

 

[john butler]

ESET scan

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=05d9c6af2e07994e92ed243f488761e3
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-14 01:17:44
# local_time=2009-08-14 08:17:44 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5121 37 83 88 490770544531250
# scanned=64924
# found=4
# cleaned=0
# scan_time=2157
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC15.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentieu.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\WINDOWS\Downloaded Program Files\start.INF INF/Dagonit trojan 00000000000000000000000000000000 I