
Solved Is my computer infected?

Discussion in 'Malware and Virus Removal Archive' started by cbmaster, 2009/09/12.

  1. 2009/09/12
    cbmaster

    cbmaster Inactive Thread Starter

    [Resolved] Is my computer infected?

    Hello,

    After having such an awesome experience, even though it was frustrating at times (on the part of the laptop), I have decided to have my main system checked to see if I am infected in any way.

    Thanks in advance for your assistance.

    Here are the logs as instructed:


    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Len at 1:05:36.74 on Sat 09/12/2009
    Internet Explorer: 6.0.2800.5512

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    uInternet Settings,ProxyServer = http=PopupsNuker:8100
    uInternet Settings,ProxyOverride = local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: FG2CatchUrl: {1f364306-aa45-47b5-9f9d-39a8b94e7ef1} - c:\program files\flashget network\flashget universal\comdlls\bhoCATCH.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\virusscan\scriptsn.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: WebFerret: {a58686ed-fc46-44c3-95c6-4a812ab776f1} - c:\program files\ferretsoft\webferret\FerretBand.dll
    TB: {860C2F6B-CA82-4282-9187-BECCBB66F0AF} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [SNPT513] c:\windows\vsnpt513.exe
    mRun: [VTTrayp] VTtrayp.exe
    mRun: [Ad Muncher] "c:\program files\ad muncher\AdMunch.exe" /bt
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [VTTimer] VTTimer.exe
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe "
    mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    mRun: [CountrySelection] pctptt.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\len~1.owe\startm~1\programs\startup\tv timer.lnk - c:\program files\tuner application\TVTimer.exe
    StartupFolder: c:\docume~1\len~1.owe\startm~1\programs\startup\winrescue.lnk - c:\program files\winrescue xp\RescueXP.exe
    IE: &Download All by FlashGet - c:\program files\flashget network\flashget universal\comdlls\Bhoall.htm
    IE: &Download by FlashGet - c:\program files\flashget network\flashget universal\comdlls\Bholink.htm
    IE: Download with USDownloader - c:\program files\universal share downloader\ext\downloadie.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142370903289
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186074050953
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5192/mcfscan.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2009-09-11 09:23 103 a------- C:\MemZilla2.dat
    2009-09-11 09:23 274 a------- C:\MemZilla1.dat
    2009-09-03 10:51 <DIR> --d----- c:\program files\ESTsoft
    2009-09-03 10:51 <DIR> --d----- c:\docume~1\len~1.owe\applic~1\ESTsoft
    2009-08-30 15:04 <DIR> --d----- c:\docume~1\len~1.owe\applic~1\Camfrog
    2009-08-29 16:22 14,287,996 a------- c:\windows\registry.daz
    2009-08-29 16:16 47 a------- C:\rsqXPdir.ini
    2009-08-24 13:12 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-08-24 13:12 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
    2009-08-24 13:12 2,066,176 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-08-24 13:07 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
    2009-08-24 13:05 361,600 -c------ c:\windows\system32\dllcache\tcpip.sys
    2009-08-24 13:04 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
    2009-08-24 11:55 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\IObit
    2009-08-23 01:55 <DIR> --d----- c:\program files\ratDVD
    2009-08-22 18:09 <DIR> --d----- c:\program files\Realtek AC97
    2009-08-20 04:31 <DIR> --d----- c:\docume~1\len~1.owe\applic~1\Blitware
    2009-08-19 16:12 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
    2009-08-19 16:10 26,112 ac------ c:\windows\system32\dllcache\EXCH_seos.dll
    2009-08-19 16:09 37,888 ac------ c:\windows\system32\dllcache\md5filt.dll
    2009-08-19 16:08 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
    2009-08-19 16:07 218,112 ac------ c:\windows\system32\dllcache\c_g18030.dll
    2009-08-19 16:06 147,513 ac------ c:\windows\system32\dllcache\fp4apws.dll
    2009-08-19 16:03 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-19 16:03 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-19 16:03 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-19 16:03 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-19 16:01 488 a---hr-- c:\windows\system32\logonui.exe.manifest
    2009-08-19 16:01 749 a---hr-- c:\windows\WindowsShell.Manifest
    2009-08-19 16:01 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
    2009-08-19 16:01 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
    2009-08-19 16:01 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
    2009-08-19 16:01 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
    2009-08-19 15:59 7,680 ac------ c:\windows\system32\dllcache\migregdb.exe
    2009-08-19 15:57 266,240 a------- c:\windows\system32\s3iset32_2_00_64.dll
    2009-08-19 15:49 34 a------- c:\windows\system\oeminfo.ini
    2009-08-19 15:49 3,018 a------- c:\windows\system32\PerfStringBackup.TMP
    2009-08-19 15:47 16,535 a----r-- c:\windows\SETE3.tmp
    2009-08-19 15:47 1,089,593 a----r-- c:\windows\SETD7.tmp
    2009-08-19 15:47 1,296,669 a----r-- c:\windows\SETD4.tmp
    2009-08-19 02:57 248 a------- c:\windows\system32\secustat.dat
    2009-08-19 02:57 305 a------- c:\windows\system32\secushr.dat
    2009-08-17 00:20 922,112 -------- c:\windows\system32\imapi2fs.dll
    2009-08-17 00:20 426,496 -------- c:\windows\system32\imapi2.dll

    ==================== Find3M ====================

    2009-08-11 11:00 411,368 a------- c:\windows\system32\deploytk.dll
    2009-07-16 12:32 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
    2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
    2009-04-18 22:52 990,208 a------- c:\windows\inf\syssbck.dll
    2008-12-11 03:27 61,224 a------- c:\documents and settings\len.owesherry\GoToAssistDownloadHelper.exe
    2008-11-09 22:05 87,608 a------- c:\docume~1\len~1.owe\applic~1\inst.exe
    2008-11-09 22:05 47,360 a------- c:\docume~1\len~1.owe\applic~1\pcouffin.sys
    2008-10-14 16:35 81,920 a------- c:\docume~1\len~1.owe\applic~1\ezpinst.exe
    2006-04-16 12:45 24,472 a------- c:\docume~1\len~1.owe\applic~1\GDIPFONTCACHEV1.DAT
    2009-06-11 22:31 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2008-04-03 18:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008040320080404\index.dat
    2007-02-28 06:58 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
    2007-02-28 06:58 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat

    ============= FINISH: 1:07:07.84 ===============




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)


    ==== Disk Partitions =========================


    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    ABBYY FineReader 8.0 Professional Edition
    Ad Muncher
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.6
    Adobe® Photoshop® Album Starter Edition 3.0
    Advanced Uninstaller PRO - Version 9
    Auslogics Disk Defrag
    Bejeweled 2 Deluxe 1.0
    CDRoller version 8.00
    Choice Guard
    ConvertXtoDVD 3.2.0.52
    Dr.Salman's Window Power Tools 5.0-2005
    DVD Shrink 3.2
    FlashGet 2.0
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    hp deskjet 8?0c series (Remove only)
    HSP56 MR Drivers
    Java(TM) 6 Update 15
    Junk Mail filter update
    K-Lite Codec Pack 5.0.0 (Full)
    McAfee SecurityCenter
    Messenger Plus! Live
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    MidiNotate Player
    Motorola Software Update
    MSN Music Assistant
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    My Drivers 3.31
    NeoDownloader 2.02
    Nero 6 Ultra Edition
    Opera 10.00
    PC Camera (6005 CIF & 6025 VGA)
    PG Music DirectX Plugins 1.3.4.1
    QuickTime Alternative 2.9.2
    ratDVD 0.78.1444
    Real Alternative 1.9.0
    Realtek AC'97 Audio
    Registry Fast v2.0
    Registry First Aid
    RSD_LITE_2_7
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    Segoe UI
    SendPhotos Gold
    SiS 900 PCI Fast Ethernet Adapter Driver
    Sony USB Driver
    Spelling Dictionaries Support For Adobe Reader 8
    Universal Share Downloader
    Unlocker 1.8.7
    VIA Platform Device Manager
    VIA Rhine-Family Fast-Ethernet Adapter
    VIA/S3G UniChrome Family Win2K/XP/Server2003 Display 6.14.10.0380
    VIA/S3G UniChrome Family Win2K/XP/Server2003 Display 6.14.10.0407
    VLC media player 1.0.1
    WebFerret
    WinAVI Video Converter 9.0
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver
    WinRescue XP
    WinUndelete
    Yahoo! Messenger
    Zumma deluxe

    ==== End Of File ===========================
     
  2. 2009/09/12
    broni

    broni Moderator Malware Analyst

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, right-click on HijackThis and click Run as Administrator.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2009/09/13
    cbmaster

    cbmaster Inactive Thread Starter

    I have just completed all the scans. I never knew these scans would take so long on my system. Well, here are the logs created:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/12/2009 at 02:07 PM

    Application Version : 4.28.1010

    Core Rules Database Version : 4096
    Trace Rules Database Version: 2036

    Scan type : Complete Scan
    Total Scan Time : 02:31:15

    Memory items scanned : 260
    Memory threats detected : 0
    Registry items scanned : 6385
    Registry threats detected : 1
    File items scanned : 79295
    File threats detected : 11

    Trojan.Media-Codec
    HKU\S-1-5-21-606747145-152049171-1202660629-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{860C2F6B-CA82-4282-9187-BECCBB66F0AF}

    Trojan.SVCHost/Fake
    C:\DOCUMENTS AND SETTINGS\LEN.OWESHERRY\APPLICATION DATA\THINSTALL\ADVANCED SYSTEMCARE 3\1000000600002I\SVCHOST.EXE
    C:\DOCUMENTS AND SETTINGS\LEN.OWESHERRY\APPLICATION DATA\THINSTALL\AUSLOGICS BOOSTSPEED\1000000600002I\SVCHOST.EXE
    C:\DOCUMENTS AND SETTINGS\LEN.OWESHERRY\APPLICATION DATA\THINSTALL\DRIVER GENIUS PROFESSIONAL EDITION\1000000600002I\SVCHOST.EXE
    C:\DOCUMENTS AND SETTINGS\LEN.OWESHERRY\APPLICATION DATA\THINSTALL\LIMEWIRE PRO 5.2.8\1000000600002I\SVCHOST.EXE
    C:\DOCUMENTS AND SETTINGS\LEN.OWESHERRY\APPLICATION DATA\THINSTALL\TUNEUP UTILITIES 2009\1000000600002I\SVCHOST.EXE
    C:\DOCUMENTS AND SETTINGS\LEN.OWESHERRY\APPLICATION DATA\THINSTALL\XP TOOLS PRO 9.98.11\1000000600002I\SVCHOST.EXE
    C:\DOWNLOADS\PORTABLE APPLICATIONS\DIVXPRO 7.2.0 PORTABLE\DIVX PRO\1000000600002I\SVCHOST.EXE
    C:\DOWNLOADS\PORTABLE APPLICATIONS\USB DISK SECURITY 5.1.0.15\USB DISK SECURITY 5.1.0.15\1000000600002I\SVCHOST.EXE

    Trojan.Dropper/SVCHost-Fake
    C:\DOCUMENTS AND SETTINGS\LEN.OWESHERRY\LOCAL SETTINGS\APPLICATION DATA\THINSTALL\CACHE\STUBS\33909F15ABE4B02D1682B36E012556A104A7A3D\SVCHOST.EXE
    C:\DOCUMENTS AND SETTINGS\LEN.OWESHERRY\LOCAL SETTINGS\APPLICATION DATA\THINSTALL\CACHE\STUBS\877C3C7A14440849CCE5131DEFB5222EA9C1B\SVCHOST.EXE

    Trojan.Agent/Gen-Keygen
    C:\DOWNLOADS\CONVERTX TO DVD 3.8.0.193F\KEYGEN.EXE



    Malwarebytes' Anti-Malware 1.41
    Database version: 2787
    Windows 5.1.2600 Service Pack 3

    9/13/2009 12:12:03 AM
    mbam-log-2009-09-13 (00-12-03).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 190199
    Time elapsed: 1 hour(s), 24 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Downloads\Camtasia Studio 5.1.0\keygen.exe (Malware.Tool) -> Quarantined and deleted successfully.
    C:\Downloads\CryptLoad\router\FRITZ!Box\nc.exe (PUP.KeyLogger) -> Quarantined and deleted successfully.
    C:\Downloads\Malwarebytes' Anti-Malware 1.40\Keygen 1.exe (Dont.Steal.Our.Software.A) -> Quarantined and deleted successfully.
    C:\Downloads\Spyware Ceaser 4.5\SpywareCease_Setup.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
    C:\Downloads\SuperAntiSpyware Professional 4.27.1002\Keygen-CRD\keygen.exe (Dont.Steal.Our.Software.A) -> Quarantined and deleted successfully.





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:05:56 AM, on 9/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\vsnpt513.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Tuner Application\TVTimer.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
    O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - S-1-5-21-606747145-152049171-1202660629-1003 Startup: TV Timer.lnk = C:\Program Files\Tuner Application\TVTimer.exe (User '?')
    O4 - S-1-5-21-606747145-152049171-1202660629-1003 Startup: WinRescue.lnk = C:\Program Files\WinRescue XP\RescueXP.exe (User '?')
    O4 - Startup: TV Timer.lnk = C:\Program Files\Tuner Application\TVTimer.exe
    O4 - Startup: WinRescue.lnk = C:\Program Files\WinRescue XP\RescueXP.exe
    O8 - Extra context menu item: &Download All by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
    O8 - Extra context menu item: &Download by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
    O8 - Extra context menu item: Download with USDownloader - C:\Program Files\Universal Share Downloader\Ext\downloadie.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142370903289
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186074050953
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5192/mcfscan.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Downloads\Portable Applications\CachemanXP\CachemanXP.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

    --
    End of file - 13785 bytes
     
  5. 2009/09/13
    cbmaster

    Had to split up the GMER log

    GMER 1.0.15.15077 [h3iemezl.exe] - http://www.gmer.net
    Rootkit scan 2009-09-13 06:56:06
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

     
  6. 2009/09/13
    cbmaster

    ---- Kernel code sections - GMER 1.0.15 ----

     
  7. 2009/09/13
    cbmaster

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02B90FE5
    .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02B90F9B
    .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 8A]
    .text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02B9002C
    .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02B80F90
    .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!system 77C293C7 5 Bytes JMP 02B8001B
    .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02B80FC6
    .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02B80FEF
    .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02B80FAB
    .text C:\WINDOWS\System32\svchost.exe[1308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02B80000
    .text C:\WINDOWS\System32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02B70FE5
    .text C:\WINDOWS\System32\svchost.exe[1308] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 02680000
    .text C:\WINDOWS\System32\svchost.exe[1308] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 02680011
    .text C:\WINDOWS\System32\svchost.exe[1308] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 02680FD1
    .text C:\WINDOWS\System32\svchost.exe[1308] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 02680022
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660000
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660040
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660F4B
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F68
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660F83
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660F9E
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00660089
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660078
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660EFA
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00660F15
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00660EDF
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660025
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660FEF
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0066005B
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00660FB9
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00660FD4
    .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00660F26
    .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650040
    .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650FB9
    .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650025
    .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00650014
    .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0065006C
    .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00650FEF
    .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00650051
    .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00650FD4
    .text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0064004C
    .text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640FC1
    .text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640027
    .text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640000
    .text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FD2
    .text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FEF
    .text C:\WINDOWS\system32\svchost.exe[1440] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630FEF
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40FEF
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40F68
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40F8D
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40F9E
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C4005B
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40FB9
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C40F3A
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C40F57
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C400A7
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40F0E
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C400B8
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40036
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C40000
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40082
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 00C40FD4
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 00C4001B
    .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 00C40F1F
    .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30047
    .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30FAF
    .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30036
    .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C3001B
    .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30FC0
    .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
    .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C30062
    .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FDB
    .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20049
    .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C2002E
    .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C2001D
    .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF
    .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FC8
    .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20000
    .text C:\WINDOWS\system32\svchost.exe[1532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] kernel32.dll!LoadResource 7C80A055 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] kernel32.dll!FindResourceExW 7C80AD28 7 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] kernel32.dll!FindResourceW 7C80BC6E 7 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] kernel32.dll!SizeofResource 7C80BD09 7 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] kernel32.dll!FindResourceA 7C80BF29 7 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] kernel32.dll!LockResource 7C80CD37 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] kernel32.dll!CreateEventA 7C830885 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] kernel32.dll!FindResourceExA 7C835F78 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!GetWindowLongW 7E4188A6 7 Bytes JMP 28006A70 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 28004640 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!SetWindowPlacement 7E41DE46 5 Bytes JMP 28005E10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!CreateDialogParamW 7E41EA3B 5 Bytes JMP 28006090 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!LoadImageW 7E427B97 5 Bytes JMP 280066E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 28003C70 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!SetWindowRgn 7E42E528 7 Bytes JMP 28005F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!LoadIconW 7E42E8BC 5 Bytes JMP 280068D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 28006280 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] USER32.dll!TrackPopupMenuEx 7E46CF62 5 Bytes JMP 28004F20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2800B7A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2800B380 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2800B160 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2800AFC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2800B560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] SHELL32.dll!Shell_NotifyIconW 7CA2391C 5 Bytes JMP 280033C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] ole32.dll!CoCreateInstance 774FF1C4 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] ole32.dll!CoInitializeEx 7750148B 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] ole32.dll!CoRegisterClassObject 775179E8 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WININET.dll!HttpOpenRequestA 630187BC 5 Bytes JMP 28009E90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WININET.dll!InternetReadFile 6301AC9D 5 Bytes JMP 2800A020 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WININET.dll!InternetCloseHandle 63020A61 5 Bytes JMP 2800A1D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2568] WININET.dll!HttpSendRequestA 6302E822 5 Bytes JMP 2800A100 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F73
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F84
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F95
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FB2
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC3
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0083
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F47
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F0C
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00AF
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00C0
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A004A
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0014
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F58
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!CreateNamedPipeW 7C82F0AD 5 Bytes JMP 001A0FD4
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!CreateNamedPipeA 7C8612BC 5 Bytes JMP 001A002F
    .text C:\WINDOWS\system32\svchost.exe[3116] kernel32.dll!WinExec 7C862AED 5 Bytes JMP 001A009E
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FDB
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F79
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290036
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290025
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290F94
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290FA5
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
    .text C:\WINDOWS\system32\svchost.exe[3116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FCA
    .text C:\WINDOWS\system32\svchost.exe[3116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0F9C
    .text C:\WINDOWS\system32\svchost.exe[3116] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FAD
    .text C:\WINDOWS\system32\svchost.exe[3116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E000C
    .text C:\WINDOWS\system32\svchost.exe[3116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FE3
    .text C:\WINDOWS\system32\svchost.exe[3116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0027
    .text C:\WINDOWS\system32\svchost.exe[3116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FD2

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\htafile\CLSID@ {3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}

    ---- EOF - GMER 1.0.15 ----
     
  8. 2009/09/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download HostsXpert (http://www.majorgeeks.com/Hoster_d4626.html) and then follow the steps below:

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click Restore MS Hosts File and then click OK.
    * Click the X to exit the program.

    Restart computer.

    Post fresh HJT log.
     
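The hosts-file restore described in this post, and the read-only error the thread runs into right after it, as an added Python example (not HostsXpert's code and not anything posted in the thread); the sample hosts content, the vendor host names in it and the minimal stock hosts line are constructed for the example:

```python
"""Hosts-file triage for a Windows malware-removal pass (added example; not
code from the thread or from HostsXpert). Entries are classified, names
redirected to routable addresses are reported, and the read-only attribute
that blocks a rewrite is checked before writing. Sample content is constructed.
"""
import ipaddress
import os
import stat
import tempfile
from dataclasses import dataclass, field

# Stock Windows XP hosts content with its comment header dropped (assumed form).
DEFAULT_XP_HOSTS = "127.0.0.1       localhost\n"
LOCALHOST_NAMES = {"localhost"}

@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list = field(default_factory=list)
    category: str = "malformed"

def classify(address: str, names: list) -> str:
    """Return default, blocking, redirect or malformed for one entry."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback and all(n.lower() in LOCALHOST_NAMES for n in names):
        return "default"        # the line Windows ships with
    if ip.is_loopback or ip.is_unspecified:
        return "blocking"       # ad-block list style: the name goes nowhere
    return "redirect"           # the name is silently sent to another host

def parse_hosts(text: str) -> list:
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                      # address with no name
            entries.append(HostsEntry(no, parts[0]))
            continue
        entries.append(HostsEntry(no, parts[0], parts[1:],
                                  classify(parts[0], parts[1:])))
    return entries

def hijacked_names(text: str) -> list:
    """Host names whose lookups are redirected to a routable address."""
    return sorted({n.lower() for e in parse_hosts(text)
                   if e.category == "redirect" for n in e.names})

def needs_restore(text: str) -> bool:
    return bool(hijacked_names(text))

def is_read_only(path: str) -> bool:
    # Windows' read-only attribute clears the owner write bit in st_mode and
    # POSIX modes expose the same bit, so one check serves both.
    return not (os.stat(path).st_mode & stat.S_IWRITE)

def restore_default(path: str, clear_read_only: bool = False) -> None:
    """Write the stock content; refuse on a read-only file unless asked to
    clear the attribute, which is the step the thread had to do by hand."""
    if is_read_only(path):
        if not clear_read_only:
            raise PermissionError(f"{path} is read-only; clear the attribute first")
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w") as fh:
        fh.write(DEFAULT_XP_HOSTS)

# Constructed sample: the stock line, two ad-block style entries and two
# entries pointing a made-up security vendor's names at a TEST-NET address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net                  # blocking, harmless
127.0.0.1       tracker.example.org              # blocking, harmless
203.0.113.10    www.antivirus-vendor.example     # redirect: hijack
203.0.113.10    update.antivirus-vendor.example
"""

def readonly_roundtrip() -> dict:
    """Reproduce the failed restore on a temp copy, then apply the fix."""
    fd, path = tempfile.mkstemp(suffix="-hosts")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_HOSTS)
    os.chmod(path, stat.S_IREAD)                # same effect as the attribute
    result = {"read_only_before": is_read_only(path)}
    try:
        restore_default(path)
        result["blocked"] = False
    except PermissionError:
        result["blocked"] = True
    restore_default(path, clear_read_only=True)
    with open(path) as fh:
        result["restored"] = not needs_restore(fh.read())
    result["read_only_after"] = is_read_only(path)
    os.remove(path)
    return result
```

Run `hijacked_names` on the real file before restoring: benign ad-block lists also fill the hosts file with loopback entries, and only the redirect class is evidence of a hijack.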
  9. 2009/09/13
    cbmaster

    cbmaster Inactive Thread Starter

    Joined:
    2009/09/06
    Messages:
    55
    Likes Received:
    0
    I got an error saying "Cannot create file c:\WINDOWS\system32\DRIVERS\ETC\hosts" and then the program closes off.
     
  10. 2009/09/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  11. 2009/09/13
    cbmaster

    cbmaster Inactive Thread Starter

    Joined:
    2009/09/06
    Messages:
    55
    Likes Received:
    0
    The file was still in read-only state, so I just had to uncheck it.

    Here is the new hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:49:24 PM, on 9/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\vsnpt513.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Tuner Application\TVTimer.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
    C:\Program Files\Opera\opera.exe
    c:\PROGRA~1\mcafee\virusscan\mcvsshld.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
    O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - S-1-5-21-606747145-152049171-1202660629-1003 Startup: TV Timer.lnk = C:\Program Files\Tuner Application\TVTimer.exe (User '?')
    O4 - S-1-5-21-606747145-152049171-1202660629-1003 Startup: WinRescue.lnk = C:\Program Files\WinRescue XP\RescueXP.exe (User '?')
    O4 - Startup: TV Timer.lnk = C:\Program Files\Tuner Application\TVTimer.exe
    O4 - Startup: WinRescue.lnk = C:\Program Files\WinRescue XP\RescueXP.exe
    O8 - Extra context menu item: &Download All by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
    O8 - Extra context menu item: &Download by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
    O8 - Extra context menu item: Download with USDownloader - C:\Program Files\Universal Share Downloader\Ext\downloadie.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142370903289
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186074050953
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5192/mcfscan.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Downloads\Portable Applications\CachemanXP\CachemanXP.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

    --
    End of file - 8780 bytes
     
  12. 2009/09/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv.
    • Close Dr.Web CureIt.
    • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  13. 2009/09/14
    cbmaster

    cbmaster Inactive Thread Starter

    Joined:
    2009/09/06
    Messages:
    55
    Likes Received:
    0
    Here is the log from Dr.Web Cureit:

    activate.dll;C:\Downloads\Portable Applications\Portable PC Tools File Recover 7.5.0.15\PC.Tools.File.Recover.7.5.0.15.Portable.by_zulkani;Trojan.Touch.205;Deleted.;
    WordWeb Pro v5.5.exe\data007;C:\Downloads\Portable Applications\WordWeb Pro 5.5\WordWeb Pro v5.5.exe;Probably MULDROP.Trojan;;
    WordWeb Pro v5.5.exe;C:\Downloads\Portable Applications\WordWeb Pro 5.5;Container contains infected objects;Moved.;
    XP Tools Pro.exe\data051;C:\Downloads\Portable Applications\XP Tools Pro 9.98.11\XP Tools Pro.exe;Win32.Induc;;
    XP Tools Pro.exe\data053;C:\Downloads\Portable Applications\XP Tools Pro 9.98.11\XP Tools Pro.exe;Win32.Induc;;
    XP Tools Pro.exe\data062;C:\Downloads\Portable Applications\XP Tools Pro 9.98.11\XP Tools Pro.exe;Win32.Induc;;
    XP Tools Pro.exe;C:\Downloads\Portable Applications\XP Tools Pro 9.98.11;Container contains infected objects;Moved.;
    Setup.exe\data009;C:\Downloads\RealSpy Monitor 2.85\Setup.exe;Trojan.RealSpy;;
    Setup.exe\data016;C:\Downloads\RealSpy Monitor 2.85\Setup.exe;Trojan.RealSpy;;
    Setup.exe;C:\Downloads\RealSpy Monitor 2.85;Archive contains infected objects;Moved.;
    RegistryEasy.exe\data001;C:\Downloads\Registry Easy 5.6\RegistryEasy.exe;Win32.Induc;;
    RegistryEasy.exe\data004;C:\Downloads\Registry Easy 5.6\RegistryEasy.exe;Win32.Induc;;
    RegistryEasy.exe;C:\Downloads\Registry Easy 5.6;Archive contains infected objects;Moved.;
    ComboFix.exe\32788R22FWJFW\c.bat;C:\Downloads\Tools\ComboFix.exe;Probably BATCH.Virus;;
    ComboFix.exe;C:\Downloads\Tools;Archive contains infected objects;Moved.;
    Preview-T-4144950-[iTunes] globe and laurel(long edition).mp3;C:\Len\MP3s\Incomplete;Trojan.WMALoader;Cured.;
    registrywasher-setup.exe\data008;C:\Len\Software\Registry\Registry Washer 3.55\registrywasher-setup.exe;Trojan.Mycentria.origin;;
    registrywasher-setup.exe;C:\Len\Software\Registry\Registry Washer 3.55;Archive contains infected objects;Moved.;
    Magic Waterfall Screensaver.exe/data012\data001;C:\Len\Software\Screen Savers\Magic Waterfall Screensaver.exe/data012;Adware.Gator;;
    data012;C:\Len\Software\Screen Savers;Container contains infected objects;;
    Magic Waterfall Screensaver.exe\data014;C:\Len\Software\Screen Savers\Magic Waterfall Screensaver.exe;Adware.Gator;;
    Magic Waterfall Screensaver.exe\data015;C:\Len\Software\Screen Savers\Magic Waterfall Screensaver.exe;Adware.Gator;;
    Magic Waterfall Screensaver.exe\data016;C:\Len\Software\Screen Savers\Magic Waterfall Screensaver.exe;Adware.Gator;;
    Magic Waterfall Screensaver.exe;C:\Len\Software\Screen Savers;Archive contains infected objects;Moved.;



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:32:59 AM, on 9/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\vsnpt513.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\Tuner Application\TVTimer.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
    O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - S-1-5-21-606747145-152049171-1202660629-1003 Startup: TV Timer.lnk = C:\Program Files\Tuner Application\TVTimer.exe (User '?')
    O4 - S-1-5-21-606747145-152049171-1202660629-1003 Startup: WinRescue.lnk = C:\Program Files\WinRescue XP\RescueXP.exe (User '?')
    O4 - Startup: TV Timer.lnk = C:\Program Files\Tuner Application\TVTimer.exe
    O4 - Startup: WinRescue.lnk = C:\Program Files\WinRescue XP\RescueXP.exe
    O8 - Extra context menu item: &Download All by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
    O8 - Extra context menu item: &Download by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
    O8 - Extra context menu item: Download with USDownloader - C:\Program Files\Universal Share Downloader\Ext\downloadie.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142370903289
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186074050953
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5192/mcfscan.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Downloads\Portable Applications\CachemanXP\CachemanXP.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

    --
    End of file - 8672 bytes
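The Dr.Web CureIt report above is a plain semicolon-separated record per object, and the analyst's next question is always the same: which detections did CureIt actually neutralise, and which are only flagged? The script below is an added example (not part of this thread and not Dr.Web's own tooling) that parses records of the form `object;directory;detection;action;` as they appear in the post, rolls them up per detection name, and lists anything that neither got an action of its own nor sits inside an archive that was moved or deleted. The sample input is constructed from a subset of the posted lines plus one made-up final record (eicar.com) so that the "unresolved" case has something to show; the record layout rules (inner objects written as `container\inner`, action recorded on the container line) are assumptions read off the posted log.

```python
"""Summarise a Dr.Web CureIt report like the one posted above.

Added example: not part of the original thread and not Dr.Web's own code.
Record layout assumed (read off the posted lines):

    object;directory;detection;action;

'object' is 'container.exe\\inner' for a file found inside an archive, in
which case 'directory' is the full path of the container and 'action' is
empty (CureIt records the action on the container's own line).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the records from the post above, plus one
# made-up final line (eicar.com) for a detection that nothing was done about.
SAMPLE_REPORT = r"""
activate.dll;C:\Downloads\Portable Applications\Portable PC Tools File Recover 7.5.0.15\PC.Tools.File.Recover.7.5.0.15.Portable.by_zulkani;Trojan.Touch.205;Deleted.;
XP Tools Pro.exe\data051;C:\Downloads\Portable Applications\XP Tools Pro 9.98.11\XP Tools Pro.exe;Win32.Induc;;
XP Tools Pro.exe\data053;C:\Downloads\Portable Applications\XP Tools Pro 9.98.11\XP Tools Pro.exe;Win32.Induc;;
XP Tools Pro.exe;C:\Downloads\Portable Applications\XP Tools Pro 9.98.11;Container contains infected objects;Moved.;
ComboFix.exe\32788R22FWJFW\c.bat;C:\Downloads\Tools\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe;C:\Downloads\Tools;Archive contains infected objects;Moved.;
RegistryEasy.exe\data001;C:\Downloads\Registry Easy 5.6\RegistryEasy.exe;Win32.Induc;;
RegistryEasy.exe;C:\Downloads\Registry Easy 5.6;Archive contains infected objects;Moved.;
Preview-T-4144950-[iTunes] globe and laurel(long edition).mp3;C:\Len\MP3s\Incomplete;Trojan.WMALoader;Cured.;
eicar.com;C:\Temp;EICAR Test File (NOT a Virus!);;
"""

ROLLUP_PREFIXES = ("Container contains", "Archive contains")


@dataclass(frozen=True)
class Record:
    obj: str         # object name; 'container\inner' for an object inside an archive
    directory: str   # directory of a top-level file, or full path of the container
    detection: str
    action: str      # 'Deleted', 'Moved', 'Cured', or '' when nothing was done

    @property
    def container(self) -> Optional[str]:
        """Full path of the archive this object sits in, or None for a top-level file."""
        return self.directory if "\\" in self.obj else None

    @property
    def path(self) -> str:
        inner = self.obj.split("\\", 1)[1] if self.container else self.obj
        return self.directory + "\\" + inner

    @property
    def is_rollup(self) -> bool:
        """True for the synthetic 'Container/Archive contains infected objects' line."""
        return self.detection.startswith(ROLLUP_PREFIXES)


def parse_report(text: str) -> list[Record]:
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 4:
            raise ValueError(f"unexpected record: {line!r}")
        obj, directory, detection, action = parts[:4]
        records.append(Record(obj, directory, detection, action.rstrip(".")))
    return records


def detections_by_name(records: list[Record]) -> dict[str, list[str]]:
    """Map each detection name to the top-level files it was found in."""
    hits: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if not r.is_rollup:
            hits[r.detection].add(r.container or r.path)
    return {name: sorted(paths) for name, paths in hits.items()}


def unresolved(records: list[Record]) -> list[Record]:
    """Detections with no action of their own and no actioned container covering them."""
    actioned = {r.path for r in records if r.action}
    return [r for r in records
            if not r.action and not r.is_rollup and r.container not in actioned]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for name, files in detections_by_name(recs).items():
        print(f"{name}: {len(files)} file(s)")
        for f in files:
            print("   ", f)
    print("Unresolved:", [r.path for r in unresolved(recs)])
```

On the sample this reports Win32.Induc in two archives (both moved), the other detections once each, and only the constructed eicar.com line as unresolved; the same script run over the full posted report is the quickest way to confirm that every flagged object ended up inside a moved, deleted or cured container before declaring the scan dealt with.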
     
  14. 2009/09/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print this post out, since at some point you won't have access to it.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    - R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =



    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
    - O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    - O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
    - O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    - O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    - O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (leave this one alone, if you have paid version)
    - O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray (leave this one alone, if you have paid version)
    - O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    - O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    - O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
    - O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll



    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  15. 2009/09/14
    cbmaster

    cbmaster Inactive Thread Starter

    Joined:
    2009/09/06
    Messages:
    55
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:12:27 AM, on 9/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Tuner Application\TVTimer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=PopupsNuker:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\virusscan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-606747145-152049171-1202660629-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - S-1-5-21-606747145-152049171-1202660629-1003 Startup: TV Timer.lnk = C:\Program Files\Tuner Application\TVTimer.exe (User '?')
    O4 - S-1-5-21-606747145-152049171-1202660629-1003 Startup: WinRescue.lnk = C:\Program Files\WinRescue XP\RescueXP.exe (User '?')
    O4 - Startup: TV Timer.lnk = C:\Program Files\Tuner Application\TVTimer.exe
    O4 - Startup: WinRescue.lnk = C:\Program Files\WinRescue XP\RescueXP.exe
    O8 - Extra context menu item: &Download All by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
    O8 - Extra context menu item: &Download by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
    O8 - Extra context menu item: Download with USDownloader - C:\Program Files\Universal Share Downloader\Ext\downloadie.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142370903289
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186074050953
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5192/mcfscan.cab
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Downloads\Portable Applications\CachemanXP\CachemanXP.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

    --
    End of file - 7270 bytes
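The "fix checked, reboot, post a new log" step in post 14 is only verified by comparing the new HijackThis log against the old one, and doing that by eye is exactly where a word-wrapped log bites. The script below is an added example (not part of this thread and not HijackThis' own code) that diffs two logs against the analyst's fix list and reports what was removed as requested, what is still present, and anything that changed that nobody asked for. It assumes a log entry is any line starting with a section code such as `R1 - ` or `O4 - `, that every other non-empty line after the first entry (until the `--` end marker) is a Notepad word-wrap continuation of the previous entry, and that entries compare equal once all whitespace is stripped, so wrapped and unwrapped copies of the same line match. The two log excerpts and the fix list are constructed from a subset of the entries in posts 13, 14 and 15 above, with the second excerpt word-wrapped the way the posted one is.

```python
"""Check that a HijackThis "Fix checked" run removed what the analyst asked for.

Added example: not part of the original thread and not HijackThis' own code.
Assumptions: an entry starts with a section code ('R1 - ', 'O4 - ', ...);
any other non-empty line after the first entry is a word-wrap continuation
of the previous entry; '--' ends the entry list.  Entries are keyed with all
whitespace removed so wrapped and unwrapped copies compare equal.
"""
from __future__ import annotations

import re

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")
END_MARKER = "--"

# Constructed from a subset of the log posted before the fix (post 13).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:59 AM, on 9/14/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 8672 bytes
"""

# Constructed from a subset of the log posted after the fix (post 15),
# word-wrapped with blank lines between the pieces, as in the post.
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:27 AM, on 9/14/2009

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program

Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad

Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7270 bytes
"""

# Constructed from a subset of the entries the analyst asked to fix (post 14).
FIX_LIST = r"""
- O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
- O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
- O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
- O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
- O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
- O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""


def _key(entry: str) -> str:
    return re.sub(r"\s+", "", entry)


def parse_hjt(text: str) -> dict[str, str]:
    """Return {whitespace-free key: entry as first seen} for the entries in a log."""
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines inside a wrapped entry
        if line == END_MARKER:
            break
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:                     # wrapped tail of the previous entry
            entries[-1] += " " + line
        # header and "Running processes" lines precede the first entry: ignored
    return {_key(e): e for e in entries}


def parse_fix_list(text: str) -> dict[str, str]:
    """Parse the '- O4 - ...' bullet list an analyst posts into the same key form."""
    items: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):
            line = line[2:]
        if ENTRY_START.match(line):
            items[_key(line)] = line
    return items


def verify_fix(before: str, after: str, requested: str) -> dict[str, list[str]]:
    """Bucket every requested entry and every change between the two logs."""
    b, a, want = parse_hjt(before), parse_hjt(after), parse_fix_list(requested)
    return {
        "fixed": [want[k] for k in want if k in b and k not in a],
        "still_present": [want[k] for k in want if k in a],
        "not_in_before": [want[k] for k in want if k not in b],
        "other_removed": [b[k] for k in b if k not in a and k not in want],
        "added": [a[k] for k in a if k not in b],
    }


if __name__ == "__main__":
    for bucket, items in verify_fix(BEFORE_LOG, AFTER_LOG, FIX_LIST).items():
        print(f"{bucket}: {len(items)}")
        for e in items:
            print("   ", e)
```

On these excerpts the script reports five entries fixed and one still present: the `[CountrySelection] pctptt.exe` Run key was on the fix list in post 14 but is still in the log posted above. That is the kind of detail a wrapped log hides, and since broni listed it as an unnecessary startup rather than an infection, it is also the kind the analyst may reasonably let go; the point of the check is that the decision is made knowingly.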
     
  16. 2009/09/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    In the future, make sure "word wrap" is disabled in Notepad, because the log is hard to read.


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double-click on TFC.exe to run the program.
    Click on the Start button to begin the cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
     
  18. 2009/09/15
    cbmaster

    cbmaster Inactive Thread Starter

    Joined:
    2009/09/06
    Messages:
    55
    Likes Received:
    0
    Thanks very much.
     
  19. 2009/09/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
     
