
Hi - Getting very nervous... Whenever I click on a link from a search result using Yahoo Search with Firefox, I am getting redirected to various ad sites. In addition, I ran a Spybot scan and this resulted in a large number of "Error during Check! Fraud.Sysguard Cannot open File "C:\Windows\System32\Drivers\Etc\Hosts"" entries.

I ran Malwarebytes' Anti-Malware and it found 17 infected items. I removed them and rebooted... same result with the redirects.

I followed the instructions on the "I'm Infected" sticky and here are 2 of the 3 log files requested. I tried running GMER (twice); I walked away and when I got back the program had closed...

Malwarebytes' Anti-Malware log file:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/9/2010 10:30:06 PM

mbam-log-2010-06-09 (22-30-06).txt

Scan type: Quick scan

Objects scanned: 136511

Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 2

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42e0800a-74cb-4973-afd7-36e4e3e1e60b_33 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqurmytu (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\PRAGMAuecbdwqppf (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Ed Haag\Local Settings\Temporary Internet Files\Content.IE5\2JSTM34V\391-direct[1].ex (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center\About.lnk (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center\Activate.lnk (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center\Buy.lnk (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center\Protection Center Support.lnk (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center\Protection Center.lnk (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center\Scan.lnk (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center\Settings.lnk (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Start Menu\Programs\Protection Center\Update.lnk (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Application Data\Microsoft\Internet Explorer\Quick Launch\Protection Center.LNK (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ed Haag\Application Data\42e0800a-74cb-4973-afd7-36e4e3e1e60b_33.avi (Trojan.FakeAlert) -> Quarantined and deleted successfully.

********************************************************************************

*************************************************

DDS Log

DDS (Ver_10-03-17.01) - NTFSx86

Run by Ed Haag at 22:40:33.71 on Wed 06/09/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_19

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1428 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\bmwebcfg.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\STacSV.exe

C:\Program Files\DellTPad\Apntex.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Ed Haag\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com/

mDefault_Page_URL = hxxp://www.dell.com

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [<NO NAME>]

mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a

mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: bmnet.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 84.16.244.15 www.google.com

Hosts: 84.16.244.15 us.

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\edhaag~1\applic~1\mozilla\firefox\profiles\7azokhnv.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2442061&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - SporTV Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-4 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-8-4 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-8-4 144704]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-8-4 105984]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-8-4 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-4 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-4 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-4 40552]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]

S2 SessionLauncher;SessionLauncher;c:\docume~1\edhaag~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\edhaag~1\locals~1\temp\dx9\SessionLauncher.exe [?]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-5-23 106496]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-4 34248]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-1-10 165248]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-1-10 142976]

=============== Created Last 30 ================

2010-06-10 02:38:28 0 ----a-w- c:\documents and settings\ed haag\defogger_reenable

2010-06-10 02:19:41 0 d-----w- c:\docume~1\edhaag~1\applic~1\Malwarebytes

2010-06-10 02:19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-10 02:19:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-10 02:19:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-10 02:19:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-10 00:58:32 0 d-----w- c:\program files\Trend Micro

2010-06-09 00:12:16 0 d-----w- C:\VundoFix Backups

==================== Find3M ====================

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 22:41:20.20 ===============

********************************************************************************

***********************************************

Please don't close this thread - I'll have to continue with any instructions after work tonight.

Thanks!

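The redirect symptom described above is the classic sign of a tampered hosts file, and the DDS log further down confirms it (Hosts: 84.16.244.15 www.google.com). Below is an added example, not from this thread or from any of the tools named in it: a small Python check that parses a hosts file, ignores normal sinkhole and LAN entries, and flags names pointed at routable addresses. The sample file is constructed (modelled on the DDS lines) and the watchlist of domains is an assumption.

```python
"""Hosts-file hijack check (added example; not from the forum thread or any tool it names)."""
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the "Hosts:" lines DDS reported in the post
# (84.16.244.15 www.google.com). Not the poster's actual file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas.home            # legitimate LAN entry, not flagged
0.0.0.0         ads.example.test    # ad-blocking sinkhole, not flagged
84.16.244.15    www.google.com
84.16.244.15    us.yahoo.com search.yahoo.com
84.16.244.15    www.malwarebytes.org
84.16.244.15    shop.example.test   # not on the watchlist: flagged for review
"""

# Assumed watchlist: search engines and security vendors. A hosts entry for any of
# these is almost never legitimate on a home PC. Extend to taste.
WATCHLIST = {
    "google.com", "yahoo.com", "bing.com",
    "malwarebytes.org", "mcafee.com", "microsoft.com", "safer-networking.org",
}


def parse_hosts(text):
    """Return [(ip_address, [hostnames])] for every effective line.

    Comments (after '#') and blank lines are dropped; a line whose first field
    is not a valid IPv4/IPv6 literal is skipped rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((ip, [h.lower().rstrip(".") for h in fields[1:]]))
    return entries


def on_watchlist(hostname):
    """True if hostname equals, or is a subdomain of, a watchlist domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def find_hijacks(text):
    """Flag hosts entries that point a name at a routable (global) address.

    Loopback/unspecified targets are sinkholes (ad blocking, harmless) and
    private/link-local targets are LAN conveniences, so only global IPs are
    reported. Each finding is (hostname, ip_str, severity).
    """
    findings = []
    for ip, hosts in parse_hosts(text):
        if not ip.is_global:
            continue
        for h in hosts:
            severity = "high" if on_watchlist(h) else "review"
            findings.append((h, str(ip), severity))
    return findings


def fan_in_by_ip(findings, threshold=2):
    """Group flagged names by target IP. Many names funnelled to one IP is the
    redirect pattern visible in the DDS log, so it is reported separately."""
    groups = defaultdict(list)
    for host, ip, _ in findings:
        groups[ip].append(host)
    return {ip: hosts for ip, hosts in groups.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    hits = find_hijacks(SAMPLE_HOSTS)
    for host, ip, sev in hits:
        print(f"[{sev:6}] {host} -> {ip}")
    for ip, hosts in fan_in_by_ip(hits).items():
        print(f"{len(hosts)} names redirected to {ip}: {', '.join(hosts)}")
```

On a Windows XP box the file to read is C:\Windows\System32\drivers\etc\hosts; an entry like the ones flagged here explains why a search-result click never reaches the real site.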

Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • GMER log
  • attach.txt (created by DDS)


Thanks for replying so quickly Elise.

I've actually already downloaded GMER based on directions from the "Sticky" page and tried a scan, but the program closed immediately after the scan... so I didn't have the opportunity to save the log.

However, I was connected to the internet and McAfee was running at the time.

I will try again late tonight using your instructions after I get back to my home PC that is infected:

Disconnect from the Internet and close all running programs.

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

Thanks.


Hi Elise - That worked!

Here is the GMER log, with the Sections option checked.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-11 05:42:58

Windows 5.1.2600 Service Pack 3

Running: xwqvvgeo.exe; Driver: C:\DOCUME~1\EDHAAG~1\LOCALS~1\Temp\kxdoapog.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP A8B137B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A8B1378E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP A8B137CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP A8B137E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP A8B137A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP A8B13714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP A8B13728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP A8B13766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP A8B13750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP A8B1373C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP A8B1377A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP A8B137FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EC 7 Bytes JMP A8B13891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP A8B1387B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnloadKey 80622064 7 Bytes JMP A8B138E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622916 7 Bytes JMP A8B138A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP A8B1384F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 2 Bytes JMP A8B13825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey + 3 806237CB 2 Bytes [4F, 28]

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP A8B13839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP A8B13865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 7 Bytes JMP A8B138D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062427E 7 Bytes JMP A8B138BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP A8B13811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryKey 80624EE8 7 Bytes JMP A8B1393B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRestoreKey 806251A8 5 Bytes JMP A8B13913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwReplaceKey 8062589C 5 Bytes JMP A8B13927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806259B6 5 Bytes JMP A8B138FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A

.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B0000A

.text C:\WINDOWS\Explorer.EXE[632] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 033A0000

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 033A007A

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 033A0069

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 033A0058

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 033A0047

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 033A0036

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 033A00AD

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 033A009C

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 033A0F36

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 033A00D9

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 033A00EA

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 033A0FAF

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 033A0FE5

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 033A008B

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 033A0FCA

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 033A001B

.text C:\WINDOWS\Explorer.EXE[632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 033A00BE

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03390040

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03390FA8

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0339002F

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03390FEF

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03390FC3

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03390000

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03390FD4

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [59, 8B]

.text C:\WINDOWS\Explorer.EXE[632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0339005B

.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03380F8B

.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!system 77C293C7 5 Bytes JMP 03380F9C

.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03380FC8

.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03380000

.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03380FB7

.text C:\WINDOWS\Explorer.EXE[632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03380FEF

.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 03370FD4

.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 03370FEF

.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 03370FC3

.text C:\WINDOWS\Explorer.EXE[632] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0337000A

.text C:\WINDOWS\Explorer.EXE[632] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03360FEF

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FEF

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD00B6

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD009B

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0FC3

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0076

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD005B

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F84

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0F95

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00F1

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F58

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0F3D

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0FD4

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD000A

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0FA6

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0040

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0025

.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F69

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F30040

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F30F9E

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F30FEF

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F30025

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F30FAF

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F3000A

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F30FD4

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [13, 89]

.text C:\WINDOWS\system32\services.exe[972] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F30051

.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F2003F

.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F2002E

.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F20FD2

.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F20FEF

.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F2001D

.text C:\WINDOWS\system32\services.exe[972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F2000C

.text C:\WINDOWS\system32\services.exe[972] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00F10FD4

.text C:\WINDOWS\system32\services.exe[972] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00F10FEF

.text C:\WINDOWS\system32\services.exe[972] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00F10FC3

.text C:\WINDOWS\system32\services.exe[972] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00F10FB2

.text C:\WINDOWS\system32\services.exe[972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00000

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01370FE5

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01370F77

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01370F88

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01370F99

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01370062

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0137003D

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01370F41

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01370089

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013700BC

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013700AB

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01370F08

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01370FC0

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01370000

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01370F52

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01370022

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01370011

.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0137009A

.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01360036

.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0136007D

.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0136001B

.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01360FE5

.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01360FC0

.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01360000

.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01360062

.text C:\WINDOWS\system32\lsass.exe[984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01360047

.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01350FAD

.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!system 77C293C7 5 Bytes JMP 01350038

.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01350FD2

.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0135000C

.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01350027

.text C:\WINDOWS\system32\lsass.exe[984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01350FEF

.text C:\WINDOWS\system32\lsass.exe[984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01330FEF

.text C:\WINDOWS\system32\lsass.exe[984] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01340011

.text C:\WINDOWS\system32\lsass.exe[984] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01340000

.text C:\WINDOWS\system32\lsass.exe[984] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01340FDB

.text C:\WINDOWS\system32\lsass.exe[984] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0134002E

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02590FEF

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02590F80

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0259006B

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0259005A

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02590F91

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0259002C

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025900AB

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02590F65

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025900E1

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02590F48

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025900F2

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0259003D

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02590FD4

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02590090

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0259001B

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0259000A

.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025900BC

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0258001B

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02580047

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02580FCA

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02580000

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02580F8A

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02580FEF

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02580FA5

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [78, 8A] {JS 0xffffffffffffff8c}

.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0258002C

.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02570051

.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!system 77C293C7 5 Bytes JMP 02570036

.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0257001B

.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02570FE3

.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02570FC6

.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02570000

.text C:\WINDOWS\system32\svchost.exe[1152] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 02560FE5

.text C:\WINDOWS\system32\svchost.exe[1152] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02560000

.text C:\WINDOWS\system32\svchost.exe[1152] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0256001B

.text C:\WINDOWS\system32\svchost.exe[1152] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 02560FBE

.text C:\WINDOWS\system32\svchost.exe[1152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0255000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[1208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0102000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[1208] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0103000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[1208] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0101000C

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01140FEF

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01140F79

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01140F8A

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01140062

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01140FA5

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0114003D

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01140F43

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01140089

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01140F0D

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01140F28

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011400C1

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01140FB6

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01140000

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01140F5E

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0114002C

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01140011

.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011400A6

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01130FC3

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01130F8D

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01130FD4

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0113000A

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01130054

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01130FE5

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01130FB2

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [33, 89]

.text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0113002F

.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01120F95

.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!system 77C293C7 5 Bytes JMP 01120FA6

.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01120FD2

.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01120000

.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01120FC1

.text C:\WINDOWS\system32\svchost.exe[1240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01120FE3

.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 01110025

.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01110000

.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01110036

.text C:\WINDOWS\system32\svchost.exe[1240] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01110047

.text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF

.text C:\WINDOWS\System32\svchost.exe[1300] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A

.text C:\WINDOWS\System32\svchost.exe[1300] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A

.text C:\WINDOWS\System32\svchost.exe[1300] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04140000

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04140F7C

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04140F8D

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04140067

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04140F9E

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04140FB9

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04140F29

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04140F46

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04140ED8

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04140EF3

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04140EC7

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04140040

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0414001B

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04140F57

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04140FD4

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04140FE5

.text C:\WINDOWS\System32\svchost.exe[1300] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04140F04

.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 036E0025

.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 036E0F8A

.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 036E0FDE

.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 036E0014

.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 036E0FA5

.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 036E0FEF

.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 036E0047

.text C:\WINDOWS\System32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 036E0036

.text C:\WINDOWS\System32\svchost.exe[1300] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0101000A

.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 036D0058

.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!system 77C293C7 5 Bytes JMP 036D0FCD

.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 036D0FDE

.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_open 77C2F566 5 Bytes JMP 036D0FEF

.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 036D0033

.text C:\WINDOWS\System32\svchost.exe[1300] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 036D0018

.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 036C0FD4

.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 036C0FE5

.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 036C000A

.text C:\WINDOWS\System32\svchost.exe[1300] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 036C0FB7

.text C:\WINDOWS\System32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 036B0000

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1408] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008F0FEF

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008F004A

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008F0F55

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008F002F

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008F0F7C

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008F0FA8

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008F0F0C

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008F0F1D

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008F0080

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008F006F

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008F0091

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008F0F8D

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008F0FDE

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008F0F3A

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008F0FB9

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008F0014

.text C:\WINDOWS\system32\svchost.exe[1456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008F0EFB

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E0FCA

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E004A

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E0FDB

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0011

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008E0F8D

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008E0000

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008E0F9E

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AE, 88]

.text C:\WINDOWS\system32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008E0FAF

.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wsystem 77C2931E 1 Byte [E9]

.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800022

.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800FA1

.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800011

.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800000

.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800FB2

.text C:\WINDOWS\system32\svchost.exe[1456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800FD7

.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 007F000A

.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007F0FEF

.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007F001B

.text C:\WINDOWS\system32\svchost.exe[1456] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007F0FC8

.text C:\WINDOWS\system32\svchost.exe[1456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E0FEF

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30086

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30F91

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30075

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30FAC

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30FDB

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F300B4

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F30F6C

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F30F40

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F300D9

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F300EA

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F30058

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F3001B

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F30097

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F3003D

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F3002C

.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F30F5B

.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F20FB9

.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20F8A

.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F2000A

.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20FCA

.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F2003D

.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F20FEF

.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F2002C

.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F2001B

.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10F9C

.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10FB7

.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FD2

.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000

.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10027

.text C:\WINDOWS\system32\svchost.exe[1512] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3

.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00F00FE5

.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00F00000

.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00F00FCA

.text C:\WINDOWS\system32\svchost.exe[1512] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00F00011

.text C:\WINDOWS\system32\svchost.exe[1512] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EF0000

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007F0FEF

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007F006D

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007F0F78

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007F0F89

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007F0F9A

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007F0FBC

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007F00AA

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007F008F

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007F00CC

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007F0F3D

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007F00DD

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007F0FAB

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007F0FDE

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007F007E

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007F0028

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007F0FCD

.text C:\WINDOWS\system32\svchost.exe[1992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007F00BB

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00790FA8

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00790039

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00790FC3

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00790FD4

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00790028

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00790FEF

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00790F86

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [99, 88]

.text C:\WINDOWS\system32\svchost.exe[1992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00790F97

.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0078003F

.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!system 77C293C7 5 Bytes JMP 0078002E

.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0078001D

.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00780000

.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780FBE

.text C:\WINDOWS\system32\svchost.exe[1992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00780FE3

.text C:\WINDOWS\system32\svchost.exe[1992] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 00770014

.text C:\WINDOWS\system32\svchost.exe[1992] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00770FEF

.text C:\WINDOWS\system32\svchost.exe[1992] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00770025

.text C:\WINDOWS\system32\svchost.exe[1992] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0077004C

.text C:\WINDOWS\system32\svchost.exe[1992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FE5

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F66

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB005B

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB004A

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0F8D

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0F9E

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0078

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F30

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F0B

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB009A

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0EFA

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0025

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0000

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F41

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FB9

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FD4

.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0089

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00800036

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00800FA5

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0080001B

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0080000A

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00800062

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00800FEF

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00800FB6

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A0, 88]

.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00800047

.text C:\WINDOWS\system32\svchost.exe[2756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0F9C

.text C:\WINDOWS\system32\svchost.exe[2756] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F0FB7

.text C:\WINDOWS\system32\svchost.exe[2756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F001D

.text C:\WINDOWS\system32\svchost.exe[2756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0000

.text C:\WINDOWS\system32\svchost.exe[2756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FC8

.text C:\WINDOWS\system32\svchost.exe[2756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0FEF

.text C:\WINDOWS\system32\svchost.exe[2756] WININET.dll!InternetOpenW 771BAF49 5 Bytes JMP 007E0011

.text C:\WINDOWS\system32\svchost.exe[2756] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 007E0000

.text C:\WINDOWS\system32\svchost.exe[2756] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0038

.text C:\WINDOWS\system32\svchost.exe[2756] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 007E0049

.text C:\WINDOWS\system32\SearchIndexer.exe[3012] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

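The svchost.exe[2756] block above is the interesting part of this GMER log: every hooked export (CreateFileA, CreateProcessW, RegCreateKeyW, InternetOpenUrlA and the rest) has its first 5 bytes overwritten with a JMP, and all the targets sit in low addresses such as 00BBxxxx, 0080xxxx, 007Fxxxx and 007Exxxx with no module named after them. GMER prints the owning module when a hook target lies inside a loaded image, as it does for the SearchIndexer.exe hook into MSSRCH.DLL, so a blank owner means the trampoline lives in memory not backed by any file, which is what injected code looks like. The script below is an added example written for this thread, not part of the original post or of GMER; it parses `.text` hook lines, groups each process's JMP targets by the 64 KiB region they land in and reports which regions GMER could not attribute to a module. The sample lines are copied from the log above; the parsing rules for the line layout are this example's own assumption about GMER's output format.

```python
import re
from collections import defaultdict

# Constructed sample: six hook lines copied from the GMER log above. The first five
# are svchost.exe[2756] hooks whose JMP targets GMER did not attribute to any module;
# the SearchIndexer.exe line is one GMER attributed to MSSRCH.DLL (a benign baseline).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[2756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F0B
.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00800FB6
.text C:\WINDOWS\system32\svchost.exe[2756] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A0, 88]
.text C:\WINDOWS\system32\svchost.exe[2756] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 007E0038
.text C:\WINDOWS\system32\SearchIndexer.exe[3012] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
"""

# Assumed layout of one ".text" line:
#   .text <image>[<pid>] <module>!<export>[ + <offset>] <address> <n> Bytes <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+(?P<patch>.*)$"
)
# <patch> is either "JMP <target> [<owning module>]" or raw bytes such as "[A0, 88]"
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)\s*(?P<owner>.*)$")


def parse_hooks(text):
    """Return one dict per hook line; raw byte patches get target=None."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hook = {
            "process": m["image"].rsplit("\\", 1)[-1],
            "pid": int(m["pid"]),
            "api": f"{m['module']}!{m['func']}",
            "offset": int(m["offset"] or 0),
            "size": int(m["size"]),
            "target": None,
            "owner": None,
        }
        j = JMP_RE.match(m["patch"])
        if j:
            hook["target"] = int(j["target"], 16)
            hook["owner"] = j["owner"].strip() or None
        hooks.append(hook)
    return hooks


def triage(hooks):
    """Group each process's JMP hooks by the 64 KiB region the trampoline lands in.

    A region with no owning module in GMER's output is reported as unbacked: the
    hook jumps into memory that no loaded image accounts for.
    """
    regions = defaultdict(list)
    for h in hooks:
        if h["target"] is None:
            continue  # raw byte patch: continuation of the preceding JMP hook
        key = (h["process"], h["pid"], h["target"] & 0xFFFF0000, h["owner"])
        regions[key].append(h["api"])

    findings = []
    for (proc, pid, base, owner), apis in sorted(regions.items(), key=lambda kv: kv[0][:3]):
        findings.append({
            "process": f"{proc}[{pid}]",
            "region": f"{base:08X}",
            "owner": owner,
            "unbacked": owner is None,
            "apis": sorted(apis),
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_hooks(SAMPLE_LOG)):
        flag = "UNBACKED" if f["unbacked"] else "module"
        print(f"{f['process']:<24} {f['region']}  {flag:<8} {f['owner'] or ''}  {', '.join(f['apis'])}")
```

Run against the full log, the report shows one injected region per hooked DLL inside svchost.exe[2756] (the same 4 KiB page serves every hook into that DLL), which is a more useful summary than scrolling the raw lines; the single attributed hook in SearchIndexer.exe stays clearly separate. Whether an unbacked region is malicious still needs a look at the process, but it is the first thing to check in a log like this.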

Hello again,

Could you please also post attach.txt (created by DDS, no need to post DDS.txt)?

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

(screenshot: Query_RC.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC_successful.gif)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Please follow the steps to boot in safe mode, then run Combofix again, as instructed earlier.

REBOOT IN SAFE MODE

-------------------------------

Now reboot into Safe Mode.

  • This can be done tapping the F8 key as soon as you start your computer.
  • You will be brought to a menu where you can choose to boot into safe mode.
  • Make sure you choose the option without networking support.
  • Please see here for additional details.


OK - Back on the Infected PC...

I received a message saying Combofix found root activity and must reboot.

I clicked OK and let Windows start normally.

Combo fix finished and here is the log:

ComboFix 10-06-10.04 - Ed Haag 06/11/2010 6:56.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1531 [GMT -4:00]

Running from: c:\documents and settings\Ed Haag\My Documents\My Downloads\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\st325602.dll

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PRAGMAuecbdwqppf

-------\Service_PRAGMAuecbdwqppf

((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))

.

2010-06-10 02:19 . 2010-06-10 02:19 -------- d-----w- c:\documents and settings\Ed Haag\Application Data\Malwarebytes

2010-06-10 02:19 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-10 02:19 . 2010-06-10 02:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-10 02:19 . 2010-06-10 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-10 02:19 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-10 00:58 . 2010-06-10 00:58 388096 ----a-r- c:\documents and settings\Ed Haag\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-10 00:58 . 2010-06-10 00:58 -------- d-----w- c:\program files\Trend Micro

2010-06-09 00:12 . 2010-06-09 00:12 -------- d-----w- C:\VundoFix Backups

2010-06-08 22:34 . 2010-06-08 22:34 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-06-04 21:25 . 2010-06-04 21:25 -------- d-----w- c:\documents and settings\Ed Haag\Local Settings\Application Data\ewklaxors

2010-05-23 19:50 . 2010-05-23 19:50 503808 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3019a702-n\msvcp71.dll

2010-05-23 19:50 . 2010-05-23 19:50 499712 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3019a702-n\jmc.dll

2010-05-23 19:50 . 2010-05-23 19:50 348160 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3019a702-n\msvcr71.dll

2010-05-23 19:50 . 2010-05-23 19:50 61440 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d9d6a33-n\decora-sse.dll

2010-05-23 19:50 . 2010-05-23 19:50 12800 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d9d6a33-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-07 10:27 . 2009-08-17 11:01 -------- d-----w- c:\documents and settings\Ed Haag\Application Data\vlc

2010-05-31 15:05 . 2009-08-05 01:30 -------- d-----w- c:\program files\McAfee

2010-05-01 22:52 . 2010-05-01 22:52 -------- d-----w- c:\program files\iTunes

2010-05-01 22:52 . 2010-05-01 22:52 -------- d-----w- c:\program files\iPod

2010-05-01 22:52 . 2009-08-05 00:56 -------- d-----w- c:\program files\Common Files\Apple

2010-05-01 22:48 . 2010-05-01 22:47 -------- d-----w- c:\program files\Bonjour

2010-05-01 22:31 . 2010-05-01 22:31 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-25 13:54 . 2010-04-25 13:54 -------- d-----w- c:\program files\PC Inspector File Recovery

2010-04-25 13:54 . 2009-08-04 23:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-25 13:53 . 2009-08-17 10:21 -------- d-----w- c:\program files\Common Files\InstallShield

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-02 10:20 . 2010-04-02 10:20 503808 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-535a7034-n\msvcp71.dll

2010-04-02 10:20 . 2010-04-02 10:20 499712 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-535a7034-n\jmc.dll

2010-04-02 10:20 . 2010-04-02 10:20 348160 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-535a7034-n\msvcr71.dll

2010-04-02 10:20 . 2010-04-02 10:20 61440 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b359ac5-n\decora-sse.dll

2010-04-02 10:20 . 2010-04-02 10:20 12800 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b359ac5-n\decora-d3d.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-09-30 15:40 1182088 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-30 1182088]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-03-19 167936]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-19 405504]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-19 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-19 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-19 137752]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-17 2289664]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-12-10 1228800]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-06-10 33280]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-06-29 827904]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-8-4 50688]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/4/2009 9:31 PM 93320]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/4/2009 12:45 AM 105984]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 11:32 AM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 11:32 AM 166384]

S2 SessionLauncher;SessionLauncher;c:\docume~1\EDHAAG~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\EDHAAG~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [5/23/2008 5:01 PM 106496]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 11:31 AM 1120752]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [1/10/2008 4:58 PM 165248]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [1/10/2008 4:59 PM 142976]

.

Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-05 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-05 16:22]

2009-08-05 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-05 16:22]

2010-06-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2009-09-30 15:40]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dell.com/

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: bmnet.dll

FF - ProfilePath - c:\documents and settings\Ed Haag\Application Data\Mozilla\Firefox\Profiles\7azokhnv.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2442061&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - SporTV Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-pqurmytu - c:\documents and settings\Ed Haag\Local Settings\Application Data\ewklaxors\uyhjxeatssd.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-11 07:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(812)

c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(4012)

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\system32\bmwebcfg.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\STacSV.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\HidFind.exe

c:\program files\DellTPad\Apntex.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2010-06-11 07:06:47 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-11 11:06

Pre-Run: 246,247,092,224 bytes free

Post-Run: 246,493,110,272 bytes free

- - End Of File - - 94397CA362ADA28E0E8E154F26CF29CB

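Three things in the ComboFix log above are worth pulling out when reading a log like this: the `-------\Legacy_...` and `-------\Service_...` lines (service and device entries ComboFix removed, here the PRAGMA-prefixed pair), the Drivers/Services entry for SessionLauncher whose image lives under the user's `Local Settings\Temp` and carries the `[?]` marker ComboFix uses when the file is not on disk, and the orphaned MSConfigStartUp entry pointing at a random-named directory under `Local Settings\Application Data`. The script below is an added example written for this thread, not part of the original post or of ComboFix; it parses those three line types and flags anything whose image sits in a user profile's temp or application-data tree, is missing on disk, or was removed during the run. The sample lines are copied from the log above, the McAfee service and the Sierra Wireless driver being the benign baseline that must not be flagged. The line layouts and the 8.3 short-name expansion are this example's own assumptions.

```python
import re

# Constructed sample: lines copied from the ComboFix log above (two "-------\" deletion
# lines, three Drivers/Services lines and the ORPHANS entry). McAfee and the Sierra
# Wireless driver are included as the benign baseline the checks must leave alone.
SAMPLE_LOG = r"""
-------\Legacy_PRAGMAuecbdwqppf
-------\Service_PRAGMAuecbdwqppf
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/4/2009 9:31 PM 93320]
S2 SessionLauncher;SessionLauncher;c:\docume~1\EDHAAG~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\EDHAAG~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [1/10/2008 4:58 PM 165248]
MSConfigStartUp-pqurmytu - c:\documents and settings\Ed Haag\Local Settings\Application Data\ewklaxors\uyhjxeatssd.exe
"""

# Assumed layouts:
#   service: <R|S><start type> <name>;<display name>;<image path>[ --> <resolved path>] [<date size> | ?]
#   orphan:  MSConfigStartUp-<name> - <image path>
#   deleted: -------\Legacy_<name>  or  -------\Service_<name>
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
ORPHAN_RE = re.compile(r"^MSConfigStartUp-(?P<name>\S+)\s+-\s+(?P<path>.+)$")
DELETED_RE = re.compile(r"^-------\\(?P<kind>Legacy|Service)_(?P<name>\S+)$")

# Assumed 8.3 short names for a default XP layout; they differ from machine to machine.
SHORT_NAMES = {"docume~1": "documents and settings", "locals~1": "local settings", "progra~1": "program files"}
PROFILE_ROOT = "c:\\documents and settings\\"
TRANSIENT_DIRS = ("\\local settings\\temp\\", "\\local settings\\application data\\", "\\application data\\")


def normalize(path):
    """Lower-case the path and expand the assumed 8.3 names so the checks can match on it."""
    p = path.strip().lower()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def path_reasons(path):
    """Services and startup items have no business running out of a profile's temp or app-data tree."""
    if path.startswith(PROFILE_ROOT) and any(d in path for d in TRANSIENT_DIRS):
        return ["image under a user profile temp/application-data directory"]
    return []


def triage(text):
    """Return a finding per suspicious service, orphan startup entry or removed item."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            findings.append({"item": m["name"], "kind": m["kind"].lower(), "state": None,
                             "path": None, "reasons": ["removed by ComboFix during this run"]})
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = normalize(m["path"])
            reasons = path_reasons(path)
            if m["meta"].strip() == "?":
                reasons.append("image file not found ([?])")
            if reasons:
                findings.append({"item": m["name"].strip(), "kind": "service",
                                 "state": "running" if m["state"] == "R" else "stopped",
                                 "path": path, "reasons": reasons})
            continue
        m = ORPHAN_RE.match(line)
        if m:
            path = normalize(m["path"])
            findings.append({"item": m["name"], "kind": "startup", "state": None, "path": path,
                             "reasons": ["orphaned msconfig startup entry"] + path_reasons(path)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<8} {f['item']:<24} {f['state'] or '-':<8} {'; '.join(f['reasons'])}")
        if f["path"]:
            print(f"         {f['path']}")
```

The state letter (R running, S stopped) matters for the follow-up: a stopped service with a missing image, like SessionLauncher here, is a leftover to clean up, while a running one from the same location would need the process looked at before anything else. The removed PRAGMA entries are reported so they end up in the same list as the things still on the box.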

Hello again, those were two nasty rootkits you had. Before continuing, please read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please post me attach.txt

Rerun GMER, check ONLY the services option and run the scan. Post me the resulting log please.

Last of all, let me know how things are running now :P


Hi Elise - I tried doing a search and everything is working fine.

I don't do any banking from my PC, the only thing I've done in the past is use my Credit Card to buy things from Secure Sites - so hopefully I'm OK.

I think I would like to proceed with the cleanup...

I tried re-running GMER with the Services box checked, but I get a message that says "GMER hasn't found any system modification".

Here is the attach.txt log:

Please let me know what my next steps are.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 8/4/2009 7:38:07 PM

System Uptime: 6/9/2010 10:31:42 PM (0 hours ago)

Motherboard: Dell Inc. | | 0U990C

Processor: Intel® Core2 Duo CPU T8300 @ 2.40GHz | Microprocessor | 2370/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 286 GiB total, 229.236 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP80: 2/14/2010 4:42:11 PM - System Checkpoint

RP81: 2/18/2010 6:41:24 PM - System Checkpoint

RP82: 2/20/2010 6:27:57 PM - System Checkpoint

RP83: 2/24/2010 7:43:35 AM - Software Distribution Service 3.0

RP84: 2/26/2010 5:24:01 PM - System Checkpoint

RP85: 2/27/2010 7:14:47 PM - System Checkpoint

RP86: 3/6/2010 7:43:34 AM - System Checkpoint

RP87: 3/11/2010 6:12:07 AM - Software Distribution Service 3.0

RP88: 3/13/2010 2:51:08 PM - System Checkpoint

RP89: 3/14/2010 5:05:53 PM - System Checkpoint

RP90: 3/15/2010 8:06:52 PM - Installed Roxio Update Manager

RP91: 3/20/2010 8:55:19 AM - System Checkpoint

RP92: 3/21/2010 2:29:47 PM - System Checkpoint

RP93: 3/24/2010 5:53:47 PM - System Checkpoint

RP94: 3/28/2010 5:19:07 PM - System Checkpoint

RP95: 3/29/2010 6:02:40 PM - System Checkpoint

RP96: 3/31/2010 6:03:39 PM - System Checkpoint

RP97: 3/31/2010 8:02:13 PM - Software Distribution Service 3.0

RP98: 4/2/2010 6:19:06 AM - Installed Java 6 Update 19

RP99: 4/4/2010 12:30:37 PM - System Checkpoint

RP100: 4/9/2010 6:55:01 PM - System Checkpoint

RP101: 4/12/2010 5:30:15 PM - System Checkpoint

RP102: 4/13/2010 8:48:22 PM - Software Distribution Service 3.0

RP103: 4/20/2010 8:18:57 PM - System Checkpoint

RP104: 4/22/2010 6:18:28 PM - System Checkpoint

RP105: 4/25/2010 9:54:26 AM - Installed PC Inspector File Recovery

RP106: 4/29/2010 7:47:28 PM - System Checkpoint

RP107: 5/1/2010 1:46:35 PM - System Checkpoint

RP108: 5/3/2010 6:56:20 PM - System Checkpoint

RP109: 5/8/2010 10:22:02 AM - System Checkpoint

RP110: 5/9/2010 10:41:12 AM - System Checkpoint

RP111: 5/10/2010 7:15:21 PM - System Checkpoint

RP112: 5/12/2010 9:44:16 PM - Software Distribution Service 3.0

RP113: 5/15/2010 7:55:50 AM - System Checkpoint

RP114: 5/23/2010 3:06:56 PM - System Checkpoint

RP115: 5/26/2010 6:16:54 AM - Software Distribution Service 3.0

RP116: 6/1/2010 8:36:11 PM - System Checkpoint

RP117: 6/9/2010 8:58:32 PM - Installed HiJackThis

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.3

Advanced Security for Outlook

Advertising Center

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Ask Toolbar

AT&T Communication Manager

Banctec Service Agreement

Bonjour

Compatibility Pack for the 2007 Office system

Conexant HDA D330 MDC V.92 Modem

ConvertHelper 2.2

Dell Touchpad

Dell Wireless WLAN Card Utility

Digital Line Detect

DirectXInstallService

Driver Installer

DVD Shrink 3.2

DVD43 v4.4.1

Garmin Communicator Plugin

Garmin USB Drivers

Garmin WebUpdater

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB953955)

Hotfix for Windows XP (KB954434)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB958347)

Hotfix for Windows XP (KB959252)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Intel® Graphics Media Accelerator Driver

iTunes

Java Auto Updater

Java 6 Update 19

Malwarebytes' Anti-Malware

McAfee SecurityCenter

MediaDirect

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office XP Professional with FrontPage

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Modem Diagnostic Tool

Motorola Driver Installation

Mozilla Firefox (3.6.3)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB927977)

Nero 9 Lite

Nero ControlCenter

Nero Installer

Nero Online Upgrade

Nero StartSmart

neroxml

NetWaiting

Nokia Connectivity Adapter Cable DKU-5

NTFS Undelete v0.94

OutlookAddinSetup

PC Inspector File Recovery

Pod to PC 2.6

QuickSet

QuickTime

Roxio Activation Module

Roxio CinePlayer Decoder Pack

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator Premier

Roxio Creator Premier 10

Roxio Creator Tools

Roxio Express Labeler

Roxio Update Manager

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981349)

Spybot - Search & Destroy

The Extractor

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB898461)

Update for Windows XP (KB951618-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Update for Windows XP (KB978207)

Update for Windows XP (KB980182)

VLC media player 1.0.1

WebFldrs XP

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)

Windows Genuine Advantage Notifications (KB905474)

Windows Media Format Runtime

Windows Presentation Foundation

Windows Search 4.0

XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

6/3/2010 8:10:17 PM, error: Dhcp [1002] - The IP address lease 192.168.3.102 for the Network Card with network address 00242B71B2BF has been denied by the DHCP server 192.168.3.1 (The DHCP Server sent a DHCPNACK message).

6/2/2010 9:34:00 PM, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.

==== End Of File ===========================


That's good news :P

Please uninstall Ask Toolbar using Add/Remove Programs.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


I didn't find the Ask Toolbar in the program list of Add/Remove Programs...?

I uninstalled old versions of Java and installed the new version as instructed.

I ran MBAM and here is the log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/11/2010 10:15:16 AM

mbam-log-2010-06-11 (10-15-16).txt

Scan type: Full scan (C:\|)

Objects scanned: 182038

Time elapsed: 46 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP116\A0024049.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP116\A0024050.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP116\A0024058.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.


That's strange, it is in your Installed Programs list. Anyway, let's just remove it manually then :P

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Folder::
c:\program files\Ask.com

Save this as CFScript.txt, in the same location as ComboFix.exe

(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

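The CFScript above is a small declarative format borrowed from .reg files: under Registry::, a [KEY] line selects a key, [-KEY] deletes a key, and "name"=- deletes a value under the currently selected key; under Folder::, each line names a directory to remove. The Python below is an added example, not part of the post and not ComboFix's own code, that parses the posted script into the list of deletions it requests, so a script can be reviewed before it is dragged onto ComboFix.exe. It handles only the two directives used here, leaves ComboFix's `~` shorthand in HKEY_LOCAL_MACHINE paths unexpanded, and reports the four key deletions repeated at the end of the script as duplicates rather than errors.

```python
"""List the deletions a ComboFix CFScript requests, before running it.

Added example; not part of the forum post or of ComboFix.  It handles
only the two directives used above:
  Registry::  reg-file syntax: [KEY] selects a key, [-KEY] deletes it,
              "name"=- deletes a value under the selected key
  Folder::    one directory per line, removed recursively
ComboFix's "~" shorthand inside HKEY_LOCAL_MACHINE paths is left as-is.
"""
from dataclasses import dataclass, field

# The script posted above, embedded verbatim as sample input.
SAMPLE_SCRIPT = r"""Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Folder::
c:\program files\Ask.com
"""


@dataclass
class Plan:
    delete_keys: list = field(default_factory=list)    # unique, in first-seen order
    delete_values: list = field(default_factory=list)  # (key, value name)
    delete_folders: list = field(default_factory=list)
    duplicate_lines: int = 0                           # directives repeated in the script


def _first_time(seen, item, plan):
    """Record item; return False (and count a duplicate) if already present."""
    if item in seen:
        plan.duplicate_lines += 1
        return False
    seen.add(item)
    return True


def parse_cfscript(text):
    """Turn CFScript text into a Plan of requested deletions."""
    plan, seen = Plan(), set()
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # section header, e.g. Registry::
            section, current_key = line[:-2].lower(), None
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                key = line[2:-1]
                if _first_time(seen, ("key", key.lower()), plan):
                    plan.delete_keys.append(key)
                current_key = None                   # a deleted key cannot take values
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif line.startswith('"') and line.endswith('"=-'):
                if current_key is None:
                    raise ValueError(f"value deletion with no key selected: {line}")
                name = line[1:-3]
                if _first_time(seen, ("value", current_key.lower(), name.lower()), plan):
                    plan.delete_values.append((current_key, name))
            else:
                raise ValueError(f"unsupported Registry:: line: {line}")
        elif section == "folder":
            if _first_time(seen, ("folder", line.lower()), plan):
                plan.delete_folders.append(line)
        else:
            raise ValueError(f"line outside a supported section: {line}")
    return plan


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    for key in plan.delete_keys:
        print("delete key   ", key)
    for key, name in plan.delete_values:
        print("delete value ", f"{key} -> {name}")
    for folder in plan.delete_folders:
        print("delete folder", folder)
    print(f"{plan.duplicate_lines} duplicate directive(s) skipped")
```

Run stand-alone it prints six key deletions, three value deletions and one folder; the duplicate count of four is the repeated tail of the script.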

Ok here is that Log:

ComboFix 10-06-10.04 - Ed Haag 06/11/2010 10:48:39.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1481 [GMT -4:00]

Running from: c:\documents and settings\Ed Haag\My Documents\My Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Ed Haag\My Documents\My Downloads\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Ask.com

c:\program files\Ask.com\cobrand.ico

c:\program files\Ask.com\config.xml

c:\program files\Ask.com\favicon.ico

c:\program files\Ask.com\GenericAskToolbar.dll

c:\program files\Ask.com\mupcfg.xml

c:\program files\Ask.com\SaUpdate.exe

c:\program files\Ask.com\UpdateTask.exe

.

((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))

.

2010-06-11 13:18 . 2010-06-11 13:18 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-10 02:19 . 2010-06-10 02:19 -------- d-----w- c:\documents and settings\Ed Haag\Application Data\Malwarebytes

2010-06-10 02:19 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-10 02:19 . 2010-06-10 02:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-10 02:19 . 2010-06-10 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-10 02:19 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-10 00:58 . 2010-06-10 00:58 388096 ----a-r- c:\documents and settings\Ed Haag\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-10 00:58 . 2010-06-10 00:58 -------- d-----w- c:\program files\Trend Micro

2010-06-09 00:12 . 2010-06-09 00:12 -------- d-----w- C:\VundoFix Backups

2010-06-08 22:34 . 2010-06-08 22:34 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-06-04 21:25 . 2010-06-04 21:25 -------- d-----w- c:\documents and settings\Ed Haag\Local Settings\Application Data\ewklaxors

2010-05-23 19:50 . 2010-05-23 19:50 503808 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3019a702-n\msvcp71.dll

2010-05-23 19:50 . 2010-05-23 19:50 499712 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3019a702-n\jmc.dll

2010-05-23 19:50 . 2010-05-23 19:50 348160 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3019a702-n\msvcr71.dll

2010-05-23 19:50 . 2010-05-23 19:50 61440 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d9d6a33-n\decora-sse.dll

2010-05-23 19:50 . 2010-05-23 19:50 12800 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d9d6a33-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-07 10:27 . 2009-08-17 11:01 -------- d-----w- c:\documents and settings\Ed Haag\Application Data\vlc

2010-05-31 15:05 . 2009-08-05 01:30 -------- d-----w- c:\program files\McAfee

2010-05-01 22:52 . 2010-05-01 22:52 -------- d-----w- c:\program files\iTunes

2010-05-01 22:52 . 2010-05-01 22:52 -------- d-----w- c:\program files\iPod

2010-05-01 22:52 . 2009-08-05 00:56 -------- d-----w- c:\program files\Common Files\Apple

2010-05-01 22:48 . 2010-05-01 22:47 -------- d-----w- c:\program files\Bonjour

2010-05-01 22:31 . 2010-05-01 22:31 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-25 13:54 . 2010-04-25 13:54 -------- d-----w- c:\program files\PC Inspector File Recovery

2010-04-25 13:54 . 2009-08-04 23:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-25 13:53 . 2009-08-17 10:21 -------- d-----w- c:\program files\Common Files\InstallShield

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-02 10:20 . 2010-04-02 10:20 503808 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-535a7034-n\msvcp71.dll

2010-04-02 10:20 . 2010-04-02 10:20 499712 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-535a7034-n\jmc.dll

2010-04-02 10:20 . 2010-04-02 10:20 348160 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-535a7034-n\msvcr71.dll

2010-04-02 10:20 . 2010-04-02 10:20 61440 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b359ac5-n\decora-sse.dll

2010-04-02 10:20 . 2010-04-02 10:20 12800 ----a-w- c:\documents and settings\Ed Haag\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b359ac5-n\decora-d3d.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-06-11_11.03.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-11 14:46 . 2010-06-11 14:46 16384 c:\windows\Temp\Perflib_Perfdata_274.dat

- 2009-08-04 23:34 . 2010-06-11 09:38 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-08-04 23:34 . 2010-06-11 14:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-08-04 23:34 . 2010-06-11 09:38 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-08-04 23:34 . 2010-06-11 14:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-06-11 14:12 . 2010-06-11 14:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2010-04-02 10:19 . 2010-03-09 08:28 153376 c:\windows\system32\javaws.exe

+ 2010-06-11 13:18 . 2010-06-11 13:18 153376 c:\windows\system32\javaws.exe

+ 2010-06-11 13:18 . 2010-06-11 13:18 145184 c:\windows\system32\javaw.exe

- 2010-04-02 10:19 . 2010-03-09 08:28 145184 c:\windows\system32\javaw.exe

- 2010-04-02 10:19 . 2010-03-09 08:28 145184 c:\windows\system32\java.exe

+ 2010-06-11 13:18 . 2010-06-11 13:18 145184 c:\windows\system32\java.exe

+ 2010-06-11 13:18 . 2010-06-11 13:18 577536 c:\windows\Installer\8f076.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-03-19 167936]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-19 405504]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-19 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-19 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-19 137752]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-17 2289664]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-12-10 1228800]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-06-10 33280]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-06-29 827904]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-14 244208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-8-4 50688]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/4/2009 9:31 PM 93320]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/4/2009 12:45 AM 105984]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 11:32 AM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 11:32 AM 166384]

S2 SessionLauncher;SessionLauncher;c:\docume~1\EDHAAG~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\EDHAAG~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [5/23/2008 5:01 PM 106496]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 11:31 AM 1120752]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [1/10/2008 4:58 PM 165248]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [1/10/2008 4:59 PM 142976]

.

Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-05 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-05 16:22]

2009-08-05 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-05 16:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.dell.com/

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: bmnet.dll

FF - ProfilePath - c:\documents and settings\Ed Haag\Application Data\Mozilla\Firefox\Profiles\7azokhnv.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2442061&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - SporTV Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-11 10:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(996)

c:\windows\system32\bmnet.dll

.

Completion time: 2010-06-11 10:54:03

ComboFix-quarantined-files.txt 2010-06-11 14:54

ComboFix2.txt 2010-06-11 11:06

Pre-Run: 246,775,271,424 bytes free

Post-Run: 246,731,042,816 bytes free

- - End Of File - - FC71C4779A436ADC6ACC37F26FF4B256

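The Reg Loading Points section of the ComboFix log lists every Run value and service with its image path and, in brackets, the file's date and size, or [?] when ComboFix could not find the file. The S2 SessionLauncher entry above is the interesting one: its binary sits under a Temp folder inside the user profile and is missing, which matches the Service Control Manager 7000 error in the Event Viewer dump earlier in the thread. The Python below is an added triage helper, not from the post and not ComboFix's own code, that runs a few analyst heuristics over such lines: image in a Temp directory, image inside a user profile, file missing, and a Run value named like a GUID (unusual for legitimate software, common for rogue security products). The sample lines are copied from the log above except the GUID-named Run entry, which is constructed for illustration; its name and path are hypothetical.

```python
"""Triage autostart entries from a ComboFix 'Reg Loading Points' section.

Added example; not from the forum post or from ComboFix.  It parses the
two line shapes in that section:
  "Name"="image path" [date size]                    (Run values)
  S2 Name;Display name;image path [date size]        (services)
ComboFix writes "path --> path [?]" when a service's binary is missing.
"""
import re

# Lines copied from the log above, plus one constructed Run entry (the
# GUID-named one) whose name and path are hypothetical.
SAMPLE_LINES = r"""
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-03-19 167936]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"d2c4a1e0-3b5f-4e7a-9c8d-1f2e3a4b5c6d_12"="c:\documents and settings\user\Local Settings\Application Data\xyzw\xyzw.exe" [2010-06-04 43008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/4/2009 9:31 PM 93320]
S2 SessionLauncher;SessionLauncher;c:\docume~1\EDHAAG~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\EDHAAG~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [5/23/2008 5:01 PM 106496]
""".strip().splitlines()

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
GUID_RE = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}', re.I)

# Windows XP profile roots, long and 8.3 short form (both are user-writable).
USER_PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\docume~1\\")


def parse_entry(line):
    """Return (kind, name, image_path, meta) or None for other lines."""
    m = RUN_RE.match(line)
    if m:
        return "run", m["name"], m["path"], m["meta"]
    m = SVC_RE.match(line)
    if m:
        path = m["path"].split(" --> ")[0].strip()   # drop the unresolved-path echo
        return "service", m["name"].strip(), path, m["meta"]
    return None


def reasons_for(kind, name, path, meta):
    """Apply the heuristics; an empty list means nothing tripped."""
    low = path.lower()
    reasons = []
    if meta.strip() == "?":
        reasons.append("image file not found")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if low.startswith(USER_PROFILE_ROOTS):
        reasons.append("runs from a user profile rather than Program Files or Windows")
    if kind == "run" and GUID_RE.match(name):
        reasons.append("GUID-style Run value name")
    return reasons


def triage(lines):
    """Return [(name, path, reasons)] for every entry that trips a rule."""
    findings = []
    for line in lines:
        parsed = parse_entry(line.strip())
        if parsed:
            kind, name, path, meta = parsed
            reasons = reasons_for(kind, name, path, meta)
            if reasons:
                findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES):
        print(f"{name}: {path}")
        print("    " + "; ".join(reasons))
```

The heuristics are deliberately cheap: they surface entries worth a closer look, not verdicts. A hit on "runs from a user profile" alone is common for legitimate per-user updaters, while "image file not found" on an auto-start service is almost always leftover persistence and worth deleting.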

Hello again,

Do you have any problems left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


ESET Log:

C:\Documents and Settings\Ed Haag\Application Data\Sun\Java\Deployment\cache\6.0\28\5b194b5c-6aa9e5f1 multiple threats

C:\Documents and Settings\Ed Haag\Application Data\Sun\Java\Deployment\cache\6.0\38\10f24666-44933de4 OSX/Exploit.Smid.B trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir Win32/Olmarik.ZC trojan

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP117\A0028220.sys Win32/Olmarik.ZC trojan


Hello there,

That looks awesome, no serious threats found, which means you are good to go (unless of course you have any problem left).

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :P

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and GMER (this is a randomly named file).

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use; the paid versions provide a resident scanner and do not nag.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

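The MVPs hosts file recommended above works by mapping known ad and malware domains to a blackhole address (0.0.0.0 or 127.0.0.1). A hijacked hosts file does the opposite: it points search engines, update servers or security vendors at an address the attacker controls, which is a classic cause of search-result redirects, and malware that locks the file is one reason a scanner reports that it cannot open C:\Windows\System32\drivers\etc\hosts. The Python below is an added example, not from the post and not the MVPs project's code, that audits a hosts file: every mapping to a non-blackhole address is reported, and the entries touching a short watch list of vendor and search domains are marked. The sample hosts content is constructed; the watch list is illustrative, not exhaustive; the default path is the Windows XP location.

```python
"""Audit a Windows hosts file for hijacked entries.

Added example; not from the forum post or the MVPs hosts project.
A blocking hosts file (such as MVPs) maps unwanted domains to a
blackhole address (0.0.0.0, 127.0.0.1 or ::1).  A hijacked one maps
security vendors, update servers or search engines to an address the
attacker controls.  Everything that is not a blackhole mapping is
reported; a small watch list marks the entries that matter most.
"""
import ipaddress
from dataclasses import dataclass

# Default location on Windows XP.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains a hijack typically targets.  Real domains; the list is illustrative.
WATCHED_DOMAINS = (
    "malwarebytes.org", "microsoft.com", "windowsupdate.com",
    "mcafee.com", "symantec.com", "eset.com",
    "google.com", "yahoo.com", "bing.com",
)

# Constructed sample: two default lines, two MVPs-style blocks, one
# legitimate LAN entry and two hijacked lines pointing at TEST-NET-2.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # MVPs-style block
127.0.0.1       tracker.example.org      # older blocking style
192.168.1.10    fileserver.home          # legitimate LAN entry
198.51.100.23   www.malwarebytes.org     # hijacked
198.51.100.23   search.yahoo.com www.google.com
"""


@dataclass
class Finding:
    line_no: int
    host: str
    ip: str
    watched: bool   # True when host falls under WATCHED_DOMAINS


def is_blackhole(ip_text):
    """True for addresses a blocking hosts file legitimately uses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False            # not an address at all; treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def is_watched(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each effective entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # strip comments, split fields
        if len(entry) >= 2:
            yield n, entry[0], entry[1:]


def audit_hosts(text):
    """Return the non-blackhole mappings, in file order."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        if is_blackhole(ip):
            continue
        for host in hosts:
            findings.append(Finding(n, host, ip, is_watched(host)))
    return findings


def audit_hosts_file(path=DEFAULT_HOSTS_PATH):
    """Read and audit a hosts file.  A file that cannot be opened is itself
    reported, since malware often locks or replaces it."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return audit_hosts(fh.read()), None
    except OSError as exc:
        return [], f"cannot open {path}: {exc}"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = "HIJACK?" if f.watched else "check  "
        print(f"{flag} line {f.line_no}: {f.host} -> {f.ip}")
```

On the sample, the LAN entry is listed for review and the three vendor and search hostnames are marked as likely hijacks. On a real machine call audit_hosts_file() and treat a non-None error as a finding in its own right, not as a reason to skip the check.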
