Google Redirect Problem - shovel? [RESOLVED]



Thanks in advance for the help. I have been trying for two days to fix this. Think I am getting close.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:21:34 PM, on 1/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\MsiExec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061115

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232852851046

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.22/ttinst.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--

End of file - 10495 bytes


Thanks for the response / help. Here is the notepad result.

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3

X86-based PC ( Multiprocessor Free : Intel® Pentium® D CPU 2.66GHz )

BIOS : Phoenix ROM BIOS PLUS Version 1.10 A05

USER : Brendan and Ryan ( Administrator )

BOOT : Normal boot

Antivirus : McAfee VirusScan (Activated)

Firewall : McAfee Personal Firewall (Activated)

C:\ (Local Disk) - NTFS - Total:71 Go (Free:45 Go)

D:\ (CD or DVD)

Thu 01/29/2009|18:36

----------------------\\ Search..

No infections found !

1 - "C:\Rooter$\Rooter_1.txt" - Thu 01/29/2009|18:37

----------------------\\ Scan completed at 18:37


Hello,

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Here you go. Thank you.

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-29 21:29:15

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF5608F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF55109AA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF5510A41]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF5510958]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF551096C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF5510A55]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF5510A81]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF5510AEF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF5510AD9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF55109EA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF5510B1B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF5510A2D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF5510930]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF5510944]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF55109BE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF5510B57]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF5510AC3]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF5510AAD]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF5510A6B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF5510B43]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF5510B2F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF5510996]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF5510982]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF5510A97]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF5510A19]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF5510B05]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF5510A00]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF55109D4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP F55109D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F55109AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP F55109EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP F5510A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP F55109C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP F5510934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP F5510948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP F5510986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP F5510970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP F551095C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP F551099A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP F5510A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP F5510AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP F5510A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP F5510B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP F5510AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP F5510A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP F5510A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP F5510A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP F5510A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP F5510AF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP F5510ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP F5510A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP F5510B5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP F5510B33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP F5510B47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP F5510B1F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

.text w_mj32.dll F8827280 6 Bytes [ 00, 00, 00, 00, 00, 00 ]

.text w_mj32.dll F8827289 3 Bytes [ 00, 00, 00 ]

.text w_mj32.dll F8827290 3 Bytes [ 00, 00, 00 ]

.text w_mj32.dll F8827297 3 Bytes [ 00, 00, 00 ]

.text w_mj32.dll F882729E 30 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]

.text ...

? C:\Program Files\Common Files\System\w_mj32.dll The process cannot access the file because it is being used by another process.

.text ntkrnlpa.exe!ZwYieldExecution + 37F4 80504AE8 7 Bytes JMP F55109D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F55109AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP F55109EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!MmUnmapViewOfSection + 1C 805B2E14 5 Bytes JMP F5510A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtFreeVirtualMemory + 5468 805B83E6 7 Bytes JMP F55109C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP F5510934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP F5510948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP F5510986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!PsCreateSystemThread + 3C 805D1142 7 Bytes JMP F5510970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!PsCreateSystemProcess + 2A 805D11F8 5 Bytes JMP F551095C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!PsSetContextThread + 1A4 805D1702 5 Bytes JMP F551099A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!PsGetProcessExitTime + A68 805D29AA 5 Bytes JMP F5510A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 9350 806219CA 7 Bytes JMP F5510AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 969E 80621D18 7 Bytes JMP F5510A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 99C8 80622042 7 Bytes JMP F5510B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + A266 806228E0 7 Bytes JMP F5510AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + AB3A 806231B4 7 Bytes JMP F5510A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ...

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[132] Explorer.EXE 0101A55F 5 Bytes JMP 00090000

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D8000A

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80093

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80F9E

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80FAF

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80062

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80FCA

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D800BF

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D800AE

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D80F37

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D800D0

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D80F1C

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D80051

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D8001B

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D80F8D

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D80FE5

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D8002C

.text C:\WINDOWS\Explorer.EXE[132] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D80F5C

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D60FDB

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D60FA5

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D6002C

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D6001B

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D60062

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D60000

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D60047

.text C:\WINDOWS\Explorer.EXE[132] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D60FCA

.text C:\WINDOWS\Explorer.EXE[132] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00D70FE5

.text C:\WINDOWS\Explorer.EXE[132] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00D70000

.text C:\WINDOWS\Explorer.EXE[132] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00D7001B

.text C:\WINDOWS\Explorer.EXE[132] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00D7002C

.text C:\WINDOWS\Explorer.EXE[132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D40FEF

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE006B

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE005A

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE003D

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0F80

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FAF

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE00BE

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0097

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00EA

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F51

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CE0F2C

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CE002C

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CE0000

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CE007C

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CE001B

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CE0FCA

.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CE00CF

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CD0FB9

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CD002F

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CD0FCA

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CD000A

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CD0F72

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CD0FEF

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CD0F83

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ ED, 88 ]

.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CD0F9E

.text C:\WINDOWS\system32\lsass.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CB000A

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40000

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D400B5

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D4009A

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D4007D

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D4006C

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40051

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D40F80

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D400D2

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D40119

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D400FE

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D4012A

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D40FCA

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D40FE5

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D40F9B

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D40036

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D4001B

.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D400ED

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D30FCA

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D30F8A

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D30025

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D3000A

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D30FA5

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D30FEF

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D30047

.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D30036

.text C:\WINDOWS\system32\svchost.exe[1048] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10FEF

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FE5

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C9009A

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F9B

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90075

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90058

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FB6

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C900C1

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F79

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F39

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90F54

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C900ED

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C9003D

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C90000

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C90F8A

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C90022

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C90011

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C900D2

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C80FB9

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C80F97

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C80FCA

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C80FEF

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C80054

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C80000

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C8002F

.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C80FA8

.text C:\WINDOWS\system32\svchost.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03120FEF

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03120091

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03120080

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03120065

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0312004A

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03120FB9

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03120F5A

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03120F81

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031200DF

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031200CE

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03120F35

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03120FA8

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03120FDE

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 031200AC

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03120025

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860B7C 3 Bytes JMP 03120014

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA + 4 7C860B80 1 Byte [ 86 ]

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!WinExec 7C8623AD 3 Bytes JMP 031200BD

.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!WinExec + 4 7C8623B1 1 Byte [ 86 ]

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02CF0FDE

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02CF0FB2

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02CF0FEF

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02CF0025

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02CF0FC3

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02CF000A

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02CF005B

.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02CF004A

.text C:\WINDOWS\System32\svchost.exe[1152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02B3000A

.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03110FE5

.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03110FD4

.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 03110FC3

.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03110FB2

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FEF

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00800F7C

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800071

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800056

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800F8D

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800FC3

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008000BA

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008000A9

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000F0

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800F57

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00800F3C

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00800FA8

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00800014

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0080008C

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00800FD4

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00800025

.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 008000D5

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007F0FB9

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007F0051

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007F000A

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007F0FD4

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007F0040

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007F0FEF

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007F0F9E

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9F, 88 ]

.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007F0025

.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA000A

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F4B

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0F70

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0F8D

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0F9E

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA004A

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0067

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0F1F

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA00A7

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F04

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CA00B8

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CA0FC3

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CA0FE5

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CA0F3A

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CA002F

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CA0FD4

.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CA0082

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C8000A

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C80036

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C80FC3

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C80FD4

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C80F83

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C80FE5

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00C80F9E

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes CALL C89FEDB5

.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C80025

.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C6000A

.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C90FEF

.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C9000A

.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C90FD4

.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C90025

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1540] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F5E

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0053

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0042

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0025

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F9E

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A007A

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F28

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0ED7

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0EFC

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EBC

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F8D

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F39

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FB9

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A000A

.text C:\WINDOWS\system32\svchost.exe[2752] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F0D

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290039

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F7C

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FDE

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290014

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F97

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FB2

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]

.text C:\WINDOWS\system32\svchost.exe[2752] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FC3

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F55

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F66

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F81

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F9E

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002F

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A007B

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F33

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F07

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F18

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00C5

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0040

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FDE

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F44

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FCD

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0014

.text C:\WINDOWS\System32\svchost.exe[3852] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0096

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290036

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290087

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290025

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FEF

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290FC0

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0029000A

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00290062

.text C:\WINDOWS\System32\svchost.exe[3852] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290047

.text C:\WINDOWS\System32\svchost.exe[3852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.14 ----

Service C:\Program Files\Common Files\System\w_mj32.dll (*** hidden *** ) [sYSTEM] w_mj <-- ROOTKIT !!!

---- Files - GMER 1.0.14 ----

File C:\Program Files\Common Files\System\w_mj32.dll 52480 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

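A defender-side reading of the GMER output above, as an added example (not code from the thread or from GMER): a small Python parser for the `.text` inline-hook lines and the `<-- ROOTKIT !!!` service/file lines. It groups hooks per process and separates detours that GMER attributes to a known module (the McAfee mcproxy.exe entries) from detours into memory it cannot attribute, which is the pattern every svchost.exe entry shows. `SAMPLE_LOG` is a constructed subset of the posted lines, and the `SENSITIVE` API list is my own choice.

```python
"""Triage a pasted GMER log: per-process hook summary plus ROOTKIT flags.

Added example for this thread, not code from its participants or from GMER.
Handles the line shapes in the posted log: '.text' inline-hook lines (including
'+ 4 ... 1 Byte [ 86 ]' continuation lines) and 'Service' / 'File' lines that
end in '<-- ROOTKIT !!!'. SAMPLE_LOG is a constructed subset of that output.
"""
import re

# .text <image>[<pid>] <module>!<func>[ + off] <addr> <n> Byte(s) <patch ...>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+?)(?:\s\+\s\d+)?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)
# 'JMP 00D40000' (no owner: GMER could not map the target to a module) or
# 'JMP 0041C340 c:\...\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)'
TARGET_RE = re.compile(
    r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>.+?)\s+\(.*\))?\s*$"
)
ROOTKIT_RE = re.compile(
    r"^(?P<kind>Service|File)\s+(?P<path>[A-Za-z]:\\.+?\.(?:dll|exe|sys))\b"
    r".*<-- ROOTKIT !!!$"
)
# APIs whose hooking by an unattributed detour deserves a closer look (my choice).
SENSITIVE = {
    "CreateProcessA", "CreateProcessW", "WinExec", "LoadLibraryA", "LoadLibraryW",
    "socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW",
    "RegCreateKeyExA", "RegCreateKeyExW",
}


def parse_gmer(text):
    """Return (hooks, flagged): parsed hook dicts and (kind, path) ROOTKIT entries."""
    hooks, flagged = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            h["pid"], h["n"] = int(h["pid"]), int(h["n"])
            t = TARGET_RE.match(h["patch"])
            h["target"] = t.group("target") if t else None  # None: continuation bytes
            h["owner"] = t.group("owner") if t else None    # module GMER resolved, if any
            hooks.append(h)
            continue
        m = ROOTKIT_RE.match(line)
        if m:
            flagged.append((m.group("kind"), m.group("path")))
    return hooks, flagged


def summarize(hooks):
    """Group hooks by (image, pid): hooked APIs, resolved owners, unattributed detours."""
    procs = {}
    for h in hooks:
        s = procs.setdefault((h["image"], h["pid"]),
                             {"apis": set(), "owners": set(), "unattributed": 0, "pages": set()})
        s["apis"].add(h["func"])
        if h["target"] is None:
            continue                     # '+ 4 ... [ 86 ]': tail of the 5-byte patch
        if h["owner"]:
            s["owners"].add(h["owner"])  # e.g. McAfee's mcproxy.exe hooking itself
        else:
            s["unattributed"] += 1
            s["pages"].add(h["target"][:5] + "000")  # 4 KiB page holding the detour
    return procs


def suspicious(procs):
    """Processes with unattributed detours on at least one sensitive API, by pid."""
    out = [(image, pid, s["unattributed"], sorted(s["pages"]))
           for (image, pid), s in procs.items()
           if s["unattributed"] and s["apis"] & SENSITIVE]
    return sorted(out, key=lambda r: r[1])


def analyze(text):
    hooks, flagged = parse_gmer(text)
    return {"hooks": hooks, "flagged": flagged, "suspicious": suspicious(summarize(hooks))}


# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D40119
.text C:\WINDOWS\system32\svchost.exe[1048] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860B7C 3 Bytes JMP 03120014
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA + 4 7C860B80 1 Byte [ 86 ]
.text C:\WINDOWS\System32\svchost.exe[1152] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03110FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Services - GMER 1.0.14 ----

Service C:\Program Files\Common Files\System\w_mj32.dll (*** hidden *** ) [sYSTEM] w_mj <-- ROOTKIT !!!

---- Files - GMER 1.0.14 ----

File C:\Program Files\Common Files\System\w_mj32.dll 52480 bytes executable <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for kind, path in result["flagged"]:
        print(f"ROOTKIT-flagged {kind}: {path}")
    for image, pid, n, pages in result["suspicious"]:
        print(f"{image}[{pid}]: {n} detour(s) into unattributed memory at pages {pages}")
```

Run against the full posted log, the same code lists every svchost.exe instance as carrying unattributed detours while the McAfee entries stay out of the list.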

Some fun here.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Some Fun!? I truly appreciate the help. Not sure how it happened.

SDFix: Version 1.240

Run by Brendan and Ryan on Fri 01/30/2009 at 10:27 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :


I already had Combo Fix on this machine, not sure why, but it told me it was expired and could only run in reduced functionality mode, so I went ahead. Hopefully that was the right choice.

ComboFix 09-01-21.04 - Brendan and Ryan 2009-01-30 23:03:44.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.199 [GMT -5:00]

Running from: c:\documents and settings\Brendan and Ryan\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall *disabled*

.

- REDUCED FUNCTIONALITY MODE -

.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))

.

2009-01-30 22:26 . 2009-01-30 22:26 578,560 --a------ c:\windows\system32\dllcache\user32.dll

2009-01-30 22:23 . 2009-01-30 22:23 <DIR> d-------- c:\windows\ERUNT

2009-01-30 22:13 . 2009-01-30 22:37 <DIR> d-------- C:\SDFix

2009-01-29 20:56 . 2009-01-29 21:20 250 --a------ c:\windows\gmer.ini

2009-01-29 18:35 . 2009-01-29 18:40 <DIR> d-------- C:\Rooter$

2009-01-28 18:29 . 2009-01-28 18:29 <DIR> d-------- c:\program files\Comodo

2009-01-28 18:29 . 2009-01-28 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\BOC427

2009-01-28 18:29 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL

2009-01-28 18:29 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE

2009-01-28 18:29 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb

2009-01-28 18:29 . 2009-01-30 22:46 11,962 --a------ c:\windows\BOC427.INI

2009-01-28 16:20 . 2009-01-28 16:20 <DIR> d-------- c:\program files\Trend Micro

2009-01-28 15:56 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2009-01-28 15:56 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2009-01-28 15:16 . 2009-01-28 15:16 <DIR> d-------- C:\fsaua.data

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\SUPERAntiSpyware.com

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-28 12:35 . 2009-01-28 12:35 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\McAfee

2009-01-25 05:20 . 2008-12-13 01:40 3,593,216 --a------ c:\windows\system32\SETC4.tmp

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\scripting

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\en

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\bits

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\l2schemas

2009-01-24 23:24 . 2009-01-24 23:28 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-24 23:17 . 2009-01-24 23:17 <DIR> d-------- c:\windows\EHome

2009-01-24 22:47 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll

2009-01-24 22:47 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat

2009-01-24 22:47 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui

2009-01-24 22:47 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll

2009-01-24 22:47 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll

2009-01-24 22:47 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll

2009-01-24 22:47 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll

2009-01-24 22:47 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll

2009-01-24 22:47 . 2008-10-16 08:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe

2009-01-24 21:39 . 2009-01-24 21:39 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\Malwarebytes

2009-01-24 21:38 . 2009-01-24 21:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-24 21:38 . 2009-01-24 21:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-24 21:38 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-24 21:38 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-01 17:42 . 2009-01-01 17:42 <DIR> d-------- c:\program files\iToys

2008-12-31 17:58 . 2008-12-31 17:58 <DIR> d-------- c:\program files\Unity

2008-12-21 11:04 . 2008-12-21 11:04 <DIR> d-------- c:\windows\system32\AGEIA

2008-12-21 11:04 . 2008-12-21 11:04 <DIR> d-------- c:\program files\AGEIA Technologies

2008-12-21 11:03 . 2009-01-28 14:19 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-21 10:55 . 2008-12-21 10:55 <DIR> d-------- c:\program files\UBISOFT

2008-12-21 10:50 . 2008-12-21 10:50 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\InstallShield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-31 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-28 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-01-28 14:34 --------- d-----w c:\program files\Microsoft Silverlight

2009-01-28 14:11 --------- d-----w c:\program files\Microsoft Works

2009-01-25 02:03 --------- d-----w c:\program files\McAfee

2008-12-21 15:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-11-09 21:12 107,888 ----a-w c:\windows\system32\CmdLineExt.dll

2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-16 18:03 348,160 ----a-w c:\windows\system32\msvcr71.dll

2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe

2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll

2006-12-29 20:01 563,712 ----a-w c:\documents and settings\Brendan and Ryan\gotomypc_370.exe

2007-05-15 10:57 135,168 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2007-11-23 15:44 88 --sh--r c:\windows\system32\3AF0639BEE.sys

2007-11-23 15:44 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( snapshot@2009-01-28_12.45.16.00 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-02-27 20:59:28 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll

+ 2008-02-27 20:59:28 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll

+ 2008-02-27 21:00:12 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll

+ 2008-02-27 20:59:16 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe

+ 2007-09-04 20:59:42 380,144 ----a-w c:\windows\Downloaded Program Files\sabspx.dll

+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE

+ 2009-01-31 03:23:47 3,383,296 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

+ 2009-01-31 03:23:47 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2009-01-31 03:23:30 3,383,296 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT

+ 2009-01-31 03:23:30 8,192 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

+ 2009-01-30 01:56:38 884,736 ----a-w c:\windows\gmer.dll

+ 2009-01-30 01:56:24 811,008 ----a-w c:\windows\gmer.exe

- 2009-01-28 14:16:04 12,288 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-01-28 21:22:03 12,288 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2009-01-28 14:16:04 135,168 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-01-28 21:22:03 135,168 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-01-28 14:16:04 11,264 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2009-01-28 21:22:03 11,264 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2009-01-28 14:16:04 27,136 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2009-01-28 21:22:03 27,136 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2009-01-28 14:16:04 4,096 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-01-28 21:22:03 4,096 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2009-01-28 14:16:04 794,624 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2009-01-28 21:22:03 794,624 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2009-01-28 14:16:04 249,856 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2009-01-28 21:22:03 249,856 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2009-01-28 14:16:04 61,440 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2009-01-28 21:22:03 61,440 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2009-01-28 14:16:04 23,040 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2009-01-28 21:22:03 23,040 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2009-01-28 14:16:04 286,720 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2009-01-28 21:22:03 286,720 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2009-01-28 14:16:03 409,600 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-01-28 21:22:03 409,600 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-01-28 19:20:20 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

+ 2009-01-28 19:20:21 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

- 2009-01-28 17:28:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-01-30 23:56:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-01-28 17:28:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-01-30 23:56:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-01-28 17:28:24 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-30 23:56:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-30 01:56:38 85,969 ----a-w c:\windows\system32\drivers\gmer.sys

+ 2005-03-21 16:00:24 4,096 ----a-w c:\windows\system32\sabprocenum.sys

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-01 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 1831936]

"DellHelp"="c:\dell\DellHelp\DellHelp.exe" [2004-04-01 1589248]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-16 185896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]

"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]

"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]

"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-16 136768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-15 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=

"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R1 w_mj;w_mj;c:\program files\Common Files\System\w_mj32.dll [2009-01-21 52480]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

R4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [2009-01-28 73464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dbbdcae-d81d-11dd-a297-0014bf7ac4c5}]

\Shell\AutoRun\command - E:\AutoRun.EXE

.

Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.webkinz.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Brendan and Ryan\Application Data\Mozilla\Firefox\Profiles\qzahyiau.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-30 23:04:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-01-30 23:05:36

ComboFix-quarantined-files.txt 2009-01-31 04:05:33

ComboFix2.txt 2009-01-28 17:46:15

Pre-Run: 48,346,423,296 bytes free

Post-Run: 48,362,708,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

279 --- E O F --- 2009-01-28 21:22:18


OK, seems to have run. As always, we truly appreciate your time and help.

ComboFix 09-01-31.01 - Brendan and Ryan 2009-01-31 21:20:01.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.244 [GMT -5:00]

Running from: c:\documents and settings\Brendan and Ryan\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))

.

2009-01-30 22:26 . 2009-01-30 22:26 578,560 --a------ c:\windows\system32\dllcache\user32.dll

2009-01-30 22:23 . 2009-01-30 22:23 <DIR> d-------- c:\windows\ERUNT

2009-01-30 22:13 . 2009-01-30 22:37 <DIR> d-------- C:\SDFix

2009-01-29 20:56 . 2009-01-29 21:20 250 --a------ c:\windows\gmer.ini

2009-01-29 18:35 . 2009-01-29 18:40 <DIR> d-------- C:\Rooter$

2009-01-28 18:29 . 2009-01-28 18:29 <DIR> d-------- c:\program files\Comodo

2009-01-28 18:29 . 2009-01-28 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\BOC427

2009-01-28 18:29 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL

2009-01-28 18:29 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE

2009-01-28 18:29 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb

2009-01-28 18:29 . 2009-01-30 22:46 11,962 --a------ c:\windows\BOC427.INI

2009-01-28 16:20 . 2009-01-28 16:20 <DIR> d-------- c:\program files\Trend Micro

2009-01-28 15:56 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2009-01-28 15:56 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2009-01-28 15:16 . 2009-01-28 15:16 <DIR> d-------- C:\fsaua.data

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\SUPERAntiSpyware.com

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-28 12:35 . 2009-01-28 12:35 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\McAfee

2009-01-25 05:20 . 2008-12-13 01:40 3,593,216 --a------ c:\windows\system32\SETC4.tmp

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\scripting

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\en

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\bits

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\l2schemas

2009-01-24 23:24 . 2009-01-24 23:28 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-24 23:17 . 2009-01-24 23:17 <DIR> d-------- c:\windows\EHome

2009-01-24 22:47 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll

2009-01-24 22:47 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat

2009-01-24 22:47 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui

2009-01-24 22:47 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll

2009-01-24 22:47 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll

2009-01-24 22:47 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll

2009-01-24 22:47 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll

2009-01-24 22:47 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll

2009-01-24 22:47 . 2008-10-16 08:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe

2009-01-24 21:39 . 2009-01-24 21:39 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\Malwarebytes

2009-01-24 21:38 . 2009-01-24 21:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-24 21:38 . 2009-01-24 21:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-24 21:38 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-24 21:38 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-01 17:42 . 2009-01-01 17:42 <DIR> d-------- c:\program files\iToys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-31 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-28 19:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-28 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-01-28 14:34 --------- d-----w c:\program files\Microsoft Silverlight

2009-01-28 14:11 --------- d-----w c:\program files\Microsoft Works

2009-01-25 02:03 --------- d-----w c:\program files\McAfee

2008-12-31 22:58 --------- d-----w c:\program files\Unity

2008-12-21 16:04 --------- d-----w c:\program files\AGEIA Technologies

2008-12-21 15:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-21 15:55 --------- d-----w c:\program files\UBISOFT

2008-12-21 15:50 --------- d-----w c:\documents and settings\Brendan and Ryan\Application Data\InstallShield

2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-11-09 21:12 107,888 ----a-w c:\windows\system32\CmdLineExt.dll

2006-12-29 20:01 563,712 ----a-w c:\documents and settings\Brendan and Ryan\gotomypc_370.exe

2007-05-15 10:57 135,168 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2007-11-23 15:44 88 --sh--r c:\windows\system32\3AF0639BEE.sys

2007-11-23 15:44 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-01 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 1831936]

"DellHelp"="c:\dell\DellHelp\DellHelp.exe" [2004-04-01 1589248]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-16 185896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]

"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]

"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]

"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-16 136768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-15 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=

"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R1 w_mj;w_mj;c:\program files\Common Files\System\w_mj32.dll [2009-01-21 52480]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

R4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [2009-01-28 73464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dbbdcae-d81d-11dd-a297-0014bf7ac4c5}]

\Shell\AutoRun\command - E:\AutoRun.EXE

.

Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.webkinz.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Brendan and Ryan\Application Data\Mozilla\Firefox\Profiles\qzahyiau.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-31 21:22:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-01-31 21:24:12

ComboFix-quarantined-files.txt 2009-02-01 02:24:09

Pre-Run: 48,343,707,648 bytes free

Post-Run: 48,347,881,472 bytes free

193 --- E O F --- 2009-01-28 21:22:18


hello

Open notepad and copy/paste the text in the quotebox below into it:

http://www.besttechie.net/forums/index.php?showtopic=15665

Collect::

c:\windows\system32\SETC4.tmp

c:\program files\Common Files\System\w_mj32.dll

Driver::

w_mj

KillAll::

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dbbdcae-d81d-11dd-a297-0014bf7ac4c5}]

Suspect::

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

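As an added example (not part of the original thread and not a ComboFix component): a small Python triage script that reads the "Reg Loading Points" lines of a ComboFix log, flags the items the helper targeted above (a system-start service whose image is a DLL rather than a .sys, the mountpoints2 AutoRun entry, and the Security Center / Windows Firewall settings, which are only "review" items because a third-party suite such as McAfee legitimately sets them), and drafts a CFScript using only the Collect::, Driver:: and Registry:: directives shown in the post. The heuristics and the sample log lines are constructed for this example; the drafted script is a starting point for a helper to review, not something to run unreviewed.

```python
"""Triage the 'Reg Loading Points' part of a ComboFix log and draft a CFScript.

Added example for this thread; not a ComboFix component. The heuristics are
the example author's own and deliberately conservative.
"""
import re
from typing import Dict, List

# Constructed excerpt modelled on the log posted above (a few lines, not the whole log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 w_mj;w_mj;c:\program files\Common Files\System\w_mj32.dll [2009-01-21 52480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [2009-01-28 73464]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dbbdcae-d81d-11dd-a297-0014bf7ac4c5}]
\Shell\AutoRun\command - E:\AutoRun.EXE
"""

# ComboFix service line: R/S = running/stopped, digit = start type
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then name;display;path [date size].
SERVICE_RE = re.compile(
    r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]\s*$"
)
KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings as dicts with 'severity', 'kind', 'name', 'line', 'reason'."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(2)  # registry key the following value lines belong to
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, path = int(m.group(2)), m.group(3), m.group(5)
            # Boot/system-start entries are kernel drivers; the image should be a .sys
            # (normally under \windows\system32\drivers). A DLL there is worth collecting.
            if start <= 1 and not path.lower().endswith(".sys"):
                findings.append(dict(severity="high", kind="driver", name=name, line=line,
                                     reason="kernel-start service whose image is not a .sys file"))
            continue
        lk = current_key.lower()
        if "\\mountpoints2\\" in lk and line.lower().startswith("\\shell\\autorun\\command"):
            findings.append(dict(severity="high", kind="autorun", name=current_key, line=line,
                                 reason="AutoRun command registered for a removable volume"))
        elif "security center\\monitoring" in lk and "disablemonitoring" in line.lower():
            findings.append(dict(severity="review", kind="seccenter", name=current_key, line=line,
                                 reason="Security Center monitoring disabled (expected when a "
                                        "third-party suite owns it; confirm)"))
        elif "firewallpolicy" in lk and line.lower().startswith('"enablefirewall"= 0'):
            findings.append(dict(severity="review", kind="firewall", name=current_key, line=line,
                                 reason="Windows Firewall profile disabled (expected if another "
                                        "firewall is enabled; confirm)"))
    return findings


def build_cfscript(findings: List[Dict[str, str]]) -> str:
    """Draft a CFScript using only the directives shown in the helper's post.

    Collect:: submits the file for analysis, Driver:: removes the service, and a
    Registry:: key written as [-KEY] is deleted. Only 'high' findings are emitted;
    'review' items need a human decision.
    """
    collect, drivers, keys = [], [], []
    for f in findings:
        if f["severity"] != "high":
            continue
        if f["kind"] == "driver":
            collect.append(SERVICE_RE.match(f["line"]).group(5))
            drivers.append(f["name"])
        elif f["kind"] == "autorun":
            keys.append("[-%s]" % f["name"])
    parts = []
    if collect:
        parts.append("Collect::\n" + "\n".join(collect))
    if drivers:
        parts.append("Driver::\n" + "\n".join(drivers))
    if keys:
        parts.append("Registry::\n" + "\n".join(keys))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["kind"], f["name"], "-", f["reason"])
    print(build_cfscript(found))
```

On the sample excerpt the script flags w_mj (a system-start service backed by w_mj32.dll in Common Files\System) and the mountpoints2 AutoRun entry as high, and the two McAfee-related settings as review only; the drafted CFScript matches the Collect::, Driver:: and Registry:: sections the helper wrote by hand.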

Here is the log that ComboFix produced. Thanks.

ComboFix 09-01-31.03 - Brendan and Ryan 2009-02-01 9:48:35.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.252 [GMT -5:00]

Running from: c:\documents and settings\Brendan and Ryan\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Brendan and Ryan\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common Files\System\w_mj32.dll

c:\windows\system32\SETC4.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_W_MJ

-------\Service_w_mj

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))

.

2009-01-30 22:26 . 2009-01-30 22:26 578,560 --a------ c:\windows\system32\dllcache\user32.dll

2009-01-30 22:23 . 2009-01-30 22:23 <DIR> d-------- c:\windows\ERUNT

2009-01-30 22:13 . 2009-01-30 22:37 <DIR> d-------- C:\SDFix

2009-01-29 20:56 . 2009-01-29 21:20 250 --a------ c:\windows\gmer.ini

2009-01-29 18:35 . 2009-01-29 18:40 <DIR> d-------- C:\Rooter$

2009-01-28 18:29 . 2009-01-28 18:29 <DIR> d-------- c:\program files\Comodo

2009-01-28 18:29 . 2009-01-28 20:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\BOC427

2009-01-28 18:29 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL

2009-01-28 18:29 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE

2009-01-28 18:29 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb

2009-01-28 18:29 . 2009-02-01 09:54 11,964 --a------ c:\windows\BOC427.INI

2009-01-28 16:20 . 2009-01-28 16:20 <DIR> d-------- c:\program files\Trend Micro

2009-01-28 15:56 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2009-01-28 15:56 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2009-01-28 15:16 . 2009-01-28 15:16 <DIR> d-------- C:\fsaua.data

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\SUPERAntiSpyware.com

2009-01-28 14:20 . 2009-01-28 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-28 12:35 . 2009-01-28 12:35 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\McAfee

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\scripting

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\en

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\system32\bits

2009-01-24 23:28 . 2009-01-24 23:28 <DIR> d-------- c:\windows\l2schemas

2009-01-24 23:24 . 2009-01-24 23:28 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-24 23:17 . 2009-01-24 23:17 <DIR> d-------- c:\windows\EHome

2009-01-24 22:47 . 2008-10-16 15:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll

2009-01-24 22:47 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat

2009-01-24 22:47 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui

2009-01-24 22:47 . 2008-10-16 15:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll

2009-01-24 22:47 . 2008-10-16 15:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll

2009-01-24 22:47 . 2008-10-16 15:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll

2009-01-24 22:47 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll

2009-01-24 22:47 . 2008-10-16 15:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll

2009-01-24 22:47 . 2008-10-16 08:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe

2009-01-24 21:39 . 2009-01-24 21:39 <DIR> d-------- c:\documents and settings\Brendan and Ryan\Application Data\Malwarebytes

2009-01-24 21:38 . 2009-01-24 21:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-24 21:38 . 2009-01-24 21:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-24 21:38 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-24 21:38 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-01 17:42 . 2009-01-01 17:42 <DIR> d-------- c:\program files\iToys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-01 03:46 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-28 19:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-28 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-01-28 14:34 --------- d-----w c:\program files\Microsoft Silverlight

2009-01-28 14:11 --------- d-----w c:\program files\Microsoft Works

2009-01-25 02:03 --------- d-----w c:\program files\McAfee

2008-12-31 22:58 --------- d-----w c:\program files\Unity

2008-12-21 16:04 --------- d-----w c:\program files\AGEIA Technologies

2008-12-21 15:55 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-21 15:55 --------- d-----w c:\program files\UBISOFT

2008-12-21 15:50 --------- d-----w c:\documents and settings\Brendan and Ryan\Application Data\InstallShield

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2006-12-29 20:01 563,712 ----a-w c:\documents and settings\Brendan and Ryan\gotomypc_370.exe

2007-05-15 10:57 135,168 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2007-11-23 15:44 88 --sh--r c:\windows\system32\3AF0639BEE.sys

2007-11-23 15:44 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( snapshot@2009-01-31_21.23.19.37 )))))))))))))))))))))))))))))))))))))))))

.

- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

- 2009-02-01 00:18:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-01 14:01:00 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-02-01 00:18:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-01 14:01:00 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-01 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-15 1831936]

"DellHelp"="c:\dell\DellHelp\DellHelp.exe" [2004-04-01 1589248]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-16 185896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]

"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]

"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]

"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-16 136768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-15 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=

"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2_dedicated.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [2009-01-28 73464]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

.

Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-02-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.webkinz.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Brendan and Ryan\Application Data\Mozilla\Firefox\Profiles\qzahyiau.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll

FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-01 09:57:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe

c:\program files\McAfee\MBK\MBackMonitor.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\Common Files\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\wdfmgr.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\progra~1\McAfee\MSC\mcuimgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-02-01 10:00:18 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-01 15:00:14

ComboFix2.txt 2009-02-01 02:24:13

Pre-Run: 48,318,455,808 bytes free

Post-Run: 48,227,958,784 bytes free

231 --- E O F --- 2009-01-28 21:22:18


hello

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


here is the first log.

Malwarebytes' Anti-Malware 1.33

Database version: 1717

Windows 5.1.2600 Service Pack 3

2/2/2009 5:23:21 PM

mbam-log-2009-02-02 (17-23-21).txt

Scan type: Quick Scan

Objects scanned: 52140

Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK. Thanks.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:35:08 PM, on 2/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Comodo\CBOClean\BOCORE.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\MBK\MBackMonitor.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\PROGRA~1\Comodo\CBOClean\BOC427.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061115

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe

O4 - HKLM\..\Run: [bOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1232852851046

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.22/ttinst.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--

End of file - 11224 bytes


Your logs are clean.

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Download ToolsCleaner2 to your desktop and run it (by A.Rothstein & Dj Quiou).

  • Click the Pt. Restauration button and press OK to the prompts.
  • Click the Corbeille button and press OK to the prompt.
  • Click the Fichiers temp button and press OK to the prompt.
  • Click the Recherche button and let it run (it may look like it freezes, but let it continue).
  • Once it is done, click the Suppression button and let it remove anything it finds.
  • Close the program.

You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:

http://www.adobe.com/products/acrobat/readstep2.html

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.
  • SpywareGuard offers real-time protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here.
    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and performing all of the procedures requested.

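The MVPS hosts-file recommendation above works because a hosts file can map a hostname to any address: a blocklist maps ad and malware hosts to 127.0.0.1 (or 0.0.0.0), while the redirect-style hijack this thread is about does the reverse, pointing a legitimate host somewhere else or pointing a security vendor's host at loopback so updates fail. The audit below is an added example, not code from the thread or from the MVPS project; it parses a constructed sample hosts file and separates ordinary block entries from the two entry types a defender should review. The `PROTECTED_SUFFIXES` watch list is a hypothetical choice for the example (it reuses download.mcafee.com, which appears in the HijackThis log above), and the 203.0.113.7 address is a reserved documentation address, not a real destination.

```python
"""Audit a hosts file for block entries versus redirect-style entries."""
import ipaddress

# Addresses that turn a hosts entry into a "block" (MVPS style) rather than
# a redirect to a live host.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical watch list for this example: hosts that should never be
# mapped to loopback, because that silently disables security updates.
PROTECTED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com",
                      "mcafee.com")

# Constructed sample hosts file for this example (not from the thread's logs).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com        # MVPS-style block entry
127.0.0.1       tracker.example.net    # MVPS-style block entry
203.0.113.7     www.google.com         # redirect-style entry (TEST-NET-3 address)
127.0.0.1       download.mcafee.com    # blocks the vendor's update host
this is not a valid hosts line
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Strips '#' comments and blank lines, accepts several hostnames per line
    and skips any line whose first field is not a valid IPv4/IPv6 address
    instead of raising.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: not something the resolver would use
        for name in fields[1:]:
            pairs.append((ip, name.lower()))
    return pairs


def is_protected(name):
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify every entry into one of three buckets.

    blocked:           ordinary blocklist entries (name -> loopback/null)
    redirected:        name -> any other address; review each one
    protected_blocked: watched domain -> loopback; disables updates
    """
    report = {"blocked": [], "redirected": [], "protected_blocked": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the default entry, not a block or a redirect
        if ip in BLOCK_TARGETS:
            bucket = "protected_blocked" if is_protected(name) else "blocked"
            report[bucket].append(name)
        else:
            report["redirected"].append((name, ip))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} block entries")
    for name, ip in result["redirected"]:
        print(f"REVIEW: {name} is redirected to {ip}")
    for name in result["protected_blocked"]:
        print(f"REVIEW: protected host {name} is blocked")
```

To run it against a real machine, read the file at %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) and pass its contents to `audit_hosts`; a large MVPS install produces thousands of `blocked` entries and should produce nothing in the other two buckets.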