Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by kstubbs » December 12th, 2008, 4:19 pm

My PC was infected by Spyware Guard 2008 about 10 days ago (at least Spyware Guard 2008 was the first one I noticed). The malware persistently pops up fake scan result windows & Windows Security Center windows & repairs registry entries & program files quicker than I can regedit & delete. It blocks my access to security websites & intercepts outgoing mail to those sites while falsely making Outlook appear to have sent the messages.

I tried to install Spyware Doctor, but couldn't register it to activate its repair facilities because http://www.pctools.com was blocked. I was able to run a Spyware Doctor full scan with rootkit checking on, which indicates extensive infection by Virtumonde, Mebroot, TDSServ, Spyware Guard 2008, and several trojan downloaders (Small.BUY, VB.AWJ, xpre). The scan also lists unnamed hidden files in c:\windows, c:\windows\system32, c:\windows\Temp, and c:\Documents and Settings\[user]\Local Settings\Temp. The registry entries for TDSServ seem to indicate that it disallows common tools like combofix.exe, mbam.exe, mbam-setup.exe, gmer.exe, and lots of others.

I'm awaiting a workaround from Spyware Doctor tech support, but after a week I still can't register it & use it to fight the malware.

I've had the PC in Safe Mode with Networking for the past week, with McAfee's firewall locked down except when I need to email out a log file (to a third party to evade the email blocks).

Here's my HijackThis log. Hope it's okay that I ran it in Safe Mode with Networking. I can try to rerun it in normal mode if you need that, but I've had some trouble rebooting & the malware seems to dig in deeper every time I go to normal mode.

I can also send the Spyware Doctor scan history log if that would help.

Thanks in advance for your assistance.

======================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:59 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Keith\Desktop\HJTInstall.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Keith\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {05c9fc96-07d0-4145-83aa-72345f97b4dc} - C:\WINDOWS\system32\veseyusi.dll (file missing)
O2 - BHO: (no name) - {2ef3bdbc-41a5-4537-aa79-170ea073d0ba} - C:\WINDOWS\system32\kmfppw.dll (file missing)
O2 - BHO: (no name) - {3f72a4a8-b97a-43fc-a5b3-aee19ee92c8a} - (no file)
O2 - BHO: (no name) - {41f7b255-a777-4405-b40b-7cc10320c89c} - C:\WINDOWS\system32\wobezozu.dll (file missing)
O2 - BHO: (no name) - {476be1a6-f725-4afc-b8ad-7eb10a449963} - C:\WINDOWS\system32\zafusiyo.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iiffCTJC.dll
O2 - BHO: (no name) - {8D632AD5-B856-4782-A19C-6944FF12C8CB} - C:\WINDOWS\system32\ljJDSMfG.dll (file missing)
O2 - BHO: (no name) - {c9ef7147-8988-4da0-9836-fc6c163feffe} - C:\WINDOWS\system32\veseyusi.dll (file missing)
O2 - BHO: banners4u browser enhancer - {CB23E2CF-C270-8518-E3B0-41CFDE2048FF} - C:\WINDOWS\system32\gpermphniidu.dll (file missing)
O2 - BHO: (no name) - {d0926b67-2e2c-43ae-8c0f-c320c5e8f982} - C:\WINDOWS\system32\cmvcop.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [CPMf321b403] Rundll32.exe "c:\windows\system32\dotevumo.dll",a
O4 - HKLM\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s
O4 - HKLM\..\Run: [f012879f] rundll32.exe "C:\WINDOWS\system32\furutedu.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: M-Audio Transit USB Control Panel Launcher.lnk = C:\Program Files\M-Audio Transit USB\TUSBTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O20 - AppInit_DLLs: pibhdr.dll kmfppw.dll cmvcop.dll c:\windows\system32\dotevumo.dll,C:\WINDOWS\system32\navolawe.dll
O20 - Winlogon Notify: iiffCTJC - C:\WINDOWS\SYSTEM32\iiffCTJC.dll
O21 - SSODL: OLESys - {86460DFF-ED6F-4554-B2DF-761DC409EEC7} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\OLESys.dll (file missing)
O21 - SSODL: Explorer - {DB905DDF-1F52-40A2-8F17-C01206515967} - C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\wrdasdikvv.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Transit USB Installer (Transit USBInstallerService) - Nemesis - C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe

--
End of file - 12919 bytes
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm
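HijackThis output like the log above is a plain-text list of browser hooks, autostart entries and services, one per line with a section code. The following is an added example, not from the forum or from the HijackThis project, of a small triage pass over a constructed subset of the posted lines; it flags orphaned entries, the contents of AppInit_DLLs, Run values copied into the LOCAL SERVICE and NETWORK SERVICE hives, and a CLSID registered as both SSODL (O21) and SharedTaskScheduler (O22). The section codes and line layout are HijackThis's own; the four heuristics are this example's assumption about what a helper checks first.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log posted
# above, embedded so the script runs offline. Feed it a full saved log in practice.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {476be1a6-f725-4afc-b8ad-7eb10a449963} - C:\WINDOWS\system32\zafusiyo.dll
O2 - BHO: (no name) - {c9ef7147-8988-4da0-9836-fc6c163feffe} - C:\WINDOWS\system32\veseyusi.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s
O4 - HKUS\S-1-5-19\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: pibhdr.dll kmfppw.dll cmvcop.dll c:\windows\system32\dotevumo.dll,C:\WINDOWS\system32\navolawe.dll
O20 - Winlogon Notify: iiffCTJC - C:\WINDOWS\SYSTEM32\iiffCTJC.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - HKLM\..\Run: [name] command" style lines; the R/F/N prefixes are the
# other HijackThis section families.
LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Hive, value name and command of an O4 Run entry; the trailing "(User '...')"
# suffix HijackThis appends for HKUS hives is stripped from the command.
RUN_RE = re.compile(
    r"^(HKLM|HKCU|HKUS\\S-1-[\d-]+)\\\.\.\\Run: \[([^\]]*)\] (.*?)(?: \(User '[^']*'\))?$"
)
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage(log_text):
    """Return a list of (section, issue, detail) tuples for the suspicious
    patterns this example checks. Assumed heuristics, not HijackThis logic."""
    findings = []
    run_values = {}   # (value name, command) -> set of hives it appears in
    clsid_sections = {}  # CLSID (upper-cased) -> set of sections using it

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()

        # 1. Registered hook whose backing file is gone: leftover or half-removed item.
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append((section, "orphaned entry (file missing)", body))

        # 2. AppInit_DLLs is loaded into every process that links user32.dll,
        #    so anything listed there deserves a look.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = [d for d in re.split(r"[ ,]+", body[len("AppInit_DLLs:"):]) if d]
            findings.append((section, f"AppInit_DLLs loads {len(dlls)} DLL(s) into every process",
                             ", ".join(dlls)))

        # Collect Run entries and CLSIDs for the cross-line checks below.
        if section == "O4":
            rm = RUN_RE.match(body)
            if rm:
                hive, name, command = rm.groups()
                run_values.setdefault((name, command), set()).add(hive)
        for clsid in CLSID_RE.findall(body):
            clsid_sections.setdefault(clsid.upper(), set()).add(section)

    # 3. The same Run value under HKLM and under the LOCAL SERVICE / NETWORK
    #    SERVICE hives (S-1-5-19 / S-1-5-20) is not something installers do.
    for (name, command), hives in run_values.items():
        if "HKLM" in hives and any(h.startswith("HKUS\\S-1-5-") for h in hives):
            findings.append(("O4", "Run value replicated into service-account hives",
                             f"[{name}] {command} in {sorted(hives)}"))

    # 4. One CLSID used both as an SSODL entry and a SharedTaskScheduler entry:
    #    two Explorer load points pointing at one component.
    for clsid, sections in clsid_sections.items():
        if {"O21", "O22"} <= sections:
            findings.append(("O21/O22", "same CLSID registered as SSODL and SharedTaskScheduler", clsid))

    return findings


if __name__ == "__main__":
    for section, issue, detail in triage(SAMPLE_LOG):
        print(f"{section:7} {issue}\n        {detail}")
```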

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by Odd dude » December 13th, 2008, 6:24 am

Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you with your infection. However, it is important to take note of the following - quite the wall of text, I know, but please bear with me:

  • Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you. Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Only YOU must use these instructions, they are not suitable for any other computer with similar problems.
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is to make sure that your antivirus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you were to do the same. From this point, we're in this together ;)
  • As I am still in training at the Malware Removal University, anything I do must be checked by an experienced malware fighter. This means there might be a slight delay in my answers.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

I am now analyzing your situation and hope to be back with you soon. While I am reviewing your situation, could you please do the following for me:

Make an Uninstall List
I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place.

Please post back:
  • Uninstall list
  • New hijackthis log
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by kstubbs » December 13th, 2008, 2:07 pm

Thanks for the quick response, OD.

Below are the uninstall list & new HijackThis log you requested.

I forgot to mention a few things in my previous message that may or may not matter.
1) I couldn't run HJTInstall.exe; I think TDSServ has it blocked. So I had to use other means to get HijackThis running. I'm not sure if it's appropriate to describe them on a public forum that the bad guys might be reading.
2) I have 2 external drives attached to my PC, with my only 2 copies of 280Gb of music & years of photos & documents. I shut down one of the drives, about 5 days after I noticed the infection, to reduce the odds of losing it all. The other drive is still mounted & neither McAfee nor Spyware Doctor found infections on it, for whatever that's worth. Let me know if you need me to remount one external drive and/or shut down the other at any point in the process.
3) McAfee's virus definitions are not up-to-date because I have had the McAfee firewall locked down for the last week, except for brief windows when I send out email.
4) Spyware Doctor is resident & running daily scans, although I'm blocked from registering it or downloading data file updates.

Thanks again for your help.
kstubbs

================================================

7-Zip 4.32
AbcNavigator 2.0
Adobe Flash Player Plugin
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9
Advertisement Service
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
APC PowerChute Personal Edition
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
BK ReplaceEm 2.0
Bonjour
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Corel Paint Shop Pro X
Corel Photo Album 6
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
DellSupport
Digital Content Portal
Documents To Go
EarthLink setup files
Easy Thumbnails (Remove only)
EducateU
ELIcon
ESPNMotion
Exact Audio Copy v0.9 beta 4
FastStone Image Viewer 2.30
GemMaster Mystic
Get High Speed Internet!
Google AFE
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
HP Image Zone 4.7
HP Image Zone Express
HP PSC & OfficeJet 4.7
HP Software Update
Intel Matrix Storage Manager
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Intel(R) Quick Resume Technology Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
Legacy 6.0
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
McAfee SecurityCenter
McAfee Uninstaller
MCU
MD Simple Burner 2.0.05
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Robocopy GUI
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (3.0.4)
Mp3tag v2.35
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
NetZeroInstallers
Norton Ghost 10.0
NVIDIA Drivers
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Otto
Palm
Palm-DB-Tools 0.3.6
Pilot-DB 1.1.3
PowerDVD 5.5
QuickTime
RealPlayer
RON Tool Banners4u
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SonicStage 3.4
Sony Sound Forge Audio Studio 8.0a
Sound Blaster X-Fi
Spyware Doctor 6.0
Spyware Guard 2008
Transit USB 1.0.2.2
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WildTangent Web Driver
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908246
Windows XP Service Pack 3
Wise-FTP
Xenu's Link Sleuth

==========================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:18 PM, on 12/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Keith\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {05c9fc96-07d0-4145-83aa-72345f97b4dc} - C:\WINDOWS\system32\veseyusi.dll (file missing)
O2 - BHO: (no name) - {2ef3bdbc-41a5-4537-aa79-170ea073d0ba} - C:\WINDOWS\system32\kmfppw.dll (file missing)
O2 - BHO: (no name) - {3f72a4a8-b97a-43fc-a5b3-aee19ee92c8a} - (no file)
O2 - BHO: (no name) - {41f7b255-a777-4405-b40b-7cc10320c89c} - C:\WINDOWS\system32\wobezozu.dll (file missing)
O2 - BHO: (no name) - {476be1a6-f725-4afc-b8ad-7eb10a449963} - C:\WINDOWS\system32\zafusiyo.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iiffCTJC.dll
O2 - BHO: (no name) - {8D632AD5-B856-4782-A19C-6944FF12C8CB} - C:\WINDOWS\system32\ljJDSMfG.dll (file missing)
O2 - BHO: (no name) - {c9ef7147-8988-4da0-9836-fc6c163feffe} - C:\WINDOWS\system32\veseyusi.dll (file missing)
O2 - BHO: banners4u browser enhancer - {CB23E2CF-C270-8518-E3B0-41CFDE2048FF} - C:\WINDOWS\system32\gpermphniidu.dll (file missing)
O2 - BHO: (no name) - {d0926b67-2e2c-43ae-8c0f-c320c5e8f982} - C:\WINDOWS\system32\cmvcop.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [CPMf321b403] Rundll32.exe "c:\windows\system32\dotevumo.dll",a
O4 - HKLM\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s
O4 - HKLM\..\Run: [f012879f] rundll32.exe "C:\WINDOWS\system32\furutedu.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: M-Audio Transit USB Control Panel Launcher.lnk = C:\Program Files\M-Audio Transit USB\TUSBTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O20 - AppInit_DLLs: pibhdr.dll kmfppw.dll cmvcop.dll c:\windows\system32\dotevumo.dll,C:\WINDOWS\system32\navolawe.dll
O20 - Winlogon Notify: iiffCTJC - C:\WINDOWS\SYSTEM32\iiffCTJC.dll
O21 - SSODL: OLESys - {86460DFF-ED6F-4554-B2DF-761DC409EEC7} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\OLESys.dll (file missing)
O21 - SSODL: Explorer - {DB905DDF-1F52-40A2-8F17-C01206515967} - C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\wrdasdikvv.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Transit USB Installer (Transit USBInstallerService) - Nemesis - C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe

--
End of file - 12831 bytes
kstubbs

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by Odd dude » December 14th, 2008, 8:34 am

Download ComboFix from here and save it to your desktop.
Download SmitfraudFix, save it to your desktop.
Download The MBR Rootkit Detector by GMER and save it to your desktop.
Download gmer.zip by GMER and save it to your desktop.

Before we begin I want to warn you not to run smitfraudfix if combofix doesn't run correctly. You have an infection which will cause batch programs like Combofix and Smitfraudfix to run veeeery slow.
Combofix can fix it, which will also speed it up of course, however if it doesn't fix it smitfraudfix will take FOREVER to run, and interrupting it would not be a good idea.
It's fine to run GMER and MBR.exe though. So only skip smitfraudfix if combofix failed to run.

ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

ComboFix uses very brute tactics to rip malware off your system. Do not panic if your antivirus software warns you about the file.

Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!!

  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply

Disconnect from the internet now, as Safe Mode with networking is far from safe.

SmitfraudFix
Start Smitfraudfix. Select option 1 - Search by typing 1 and then pressing Enter. The tool will then begin to scan your computer. When it finishes, it creates a log in the root of your drive, with a name of Rapport.txt This report is accessible by clicking Start > Run, then entering the following and pressing Enter:
  \rapport.txt

Please post the contents of rapport.txt in your next reply.

GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.

  • Right click gmer.zip and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.

MBR Rootkit Detector
Launch mbr.exe. A log will be generated called MBR.txt. Post it in your next reply.

Post back:
- Combofix log (if Combofix didn't run correctly, skip this and tell me)
- Smitfraudfix log (if Combofix or Smitfraudfix didn't run correctly, skip this and tell me)
- GMER log
- MBR log
Odd dude

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by kstubbs » December 14th, 2008, 3:49 pm

Thanks for another quick reply.

I downloaded ComboFix, SmitfraudFix, MBR, and GMER to a clean laptop & transported them on CD to my infected PC. I disabled McAfee virus & firewall and Spyware Doctor.

FYI, McAfee on the laptop warns of a "potentially unwanted program" RemAdm-ProcLaunch!171 in ComboFix.exe. Can I safely ignore that?

ComboFix will not run on the infected PC. It loads & I can see it as a process in Task Manager, but it doesn't use any CPU and memory usage never changes. It never prompts for Recovery Console or anything else. Per your instructions, I did not try to run SmitfraudFix.

GMER installs OK, but it will not run either. Same symptoms as ComboFix.

MBR Rootkit Detector runs & produces a log (see below).

According to the Spyware Doctor scan I ran last week, registry entries imply that TDSServ disallows ComboFix, SmitfraudFix, and GMER, but not MBR. It also disallows lots of other spyware fighting tools such as SuperAntiSpyware, SpySweeper, mbam, and vundofixsvc. Would you like me to send you the full list? An example of the registry entries reported:

HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, gmer.exe

Do you think I could get around it by simply renaming ComboFix or GMER before running them?

One other question. I disconnected from the Internet by physically pulling the Ethernet cable. What's the best way to get future logs to you? Should I reconnect to the Internet for a moment & send email, or should I burn the logs to CD & transport them to a clean laptop (I don't know if a CD I burned could be a vector for infecting the laptop)?

Here's the MBR log, followed by a new HijackThis log.

==================================================

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 62 !

==================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:34 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Keith\Desktop\ComboFix.exe
C:\WINDOWS\system32\taskmgr.exe
C:\GMER\gmer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Keith\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {05c9fc96-07d0-4145-83aa-72345f97b4dc} - C:\WINDOWS\system32\veseyusi.dll (file missing)
O2 - BHO: (no name) - {2ef3bdbc-41a5-4537-aa79-170ea073d0ba} - C:\WINDOWS\system32\kmfppw.dll (file missing)
O2 - BHO: (no name) - {3f72a4a8-b97a-43fc-a5b3-aee19ee92c8a} - (no file)
O2 - BHO: (no name) - {41f7b255-a777-4405-b40b-7cc10320c89c} - C:\WINDOWS\system32\wobezozu.dll (file missing)
O2 - BHO: (no name) - {476be1a6-f725-4afc-b8ad-7eb10a449963} - C:\WINDOWS\system32\zafusiyo.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iiffCTJC.dll
O2 - BHO: (no name) - {8D632AD5-B856-4782-A19C-6944FF12C8CB} - C:\WINDOWS\system32\ljJDSMfG.dll (file missing)
O2 - BHO: (no name) - {c9ef7147-8988-4da0-9836-fc6c163feffe} - C:\WINDOWS\system32\veseyusi.dll (file missing)
O2 - BHO: banners4u browser enhancer - {CB23E2CF-C270-8518-E3B0-41CFDE2048FF} - C:\WINDOWS\system32\gpermphniidu.dll (file missing)
O2 - BHO: (no name) - {d0926b67-2e2c-43ae-8c0f-c320c5e8f982} - C:\WINDOWS\system32\cmvcop.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [CPMf321b403] Rundll32.exe "c:\windows\system32\dotevumo.dll",a
O4 - HKLM\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s
O4 - HKLM\..\Run: [f012879f] rundll32.exe "C:\WINDOWS\system32\furutedu.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: M-Audio Transit USB Control Panel Launcher.lnk = C:\Program Files\M-Audio Transit USB\TUSBTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O20 - AppInit_DLLs: pibhdr.dll kmfppw.dll cmvcop.dll c:\windows\system32\dotevumo.dll,C:\WINDOWS\system32\navolawe.dll
O20 - Winlogon Notify: iiffCTJC - C:\WINDOWS\SYSTEM32\iiffCTJC.dll
O21 - SSODL: OLESys - {86460DFF-ED6F-4554-B2DF-761DC409EEC7} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\OLESys.dll (file missing)
O21 - SSODL: Explorer - {DB905DDF-1F52-40A2-8F17-C01206515967} - C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\wrdasdikvv.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Transit USB Installer (Transit USBInstallerService) - Nemesis - C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe

--
End of file - 12855 bytes
kstubbs
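The HijackThis log above is read by eye in this thread. As an added example, not code from the thread or from HijackThis, here is a small Python triage pass over a handful of lines copied from that log, with a few clean entries (NvCpl, ctfmon, the Google toolbar, Bonjour) mixed in for contrast. The generated-name heuristic (eight lowercase letters alternating consonant and vowel, which is what kofelabe, dotevumo, navolawe and zafusiyo have in common) is my assumption rather than a HijackThis rule; the other checks encode what the helpers in this thread look for: unnamed BHOs, rundll32 autostarts under the LOCAL SERVICE / NETWORK SERVICE Run keys, a populated AppInit_DLLs value, and one CLSID registered as both an SSODL and a SharedTaskScheduler entry.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted above, plus a
# few clean entries (NvCpl, ctfmon, Google toolbar, Bonjour) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {05c9fc96-07d0-4145-83aa-72345f97b4dc} - C:\WINDOWS\system32\veseyusi.dll (file missing)
O2 - BHO: (no name) - {476be1a6-f725-4afc-b8ad-7eb10a449963} - C:\WINDOWS\system32\zafusiyo.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iiffCTJC.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [CPMf321b403] Rundll32.exe "c:\windows\system32\dotevumo.dll",a
O4 - HKLM\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s
O4 - HKUS\S-1-5-19\..\Run: [fuveputoho] Rundll32.exe "C:\WINDOWS\system32\kofelabe.dll",s (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: pibhdr.dll kmfppw.dll cmvcop.dll c:\windows\system32\dotevumo.dll,C:\WINDOWS\system32\navolawe.dll
O20 - Winlogon Notify: iiffCTJC - C:\WINDOWS\SYSTEM32\iiffCTJC.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotevumo.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

VOWELS = set("aeiou")
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")          # LOCAL SERVICE / NETWORK SERVICE
SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?", re.IGNORECASE)
MODULE_RE = re.compile(r"([\w-]+\.(?:dll|exe))", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def looks_generated(filename):
    """Assumed heuristic: Vundo-era droppers used 8 lowercase letters that
    alternate consonant/vowel (kofelabe, dotevumo, navolawe, zafusiyo)."""
    stem = filename.lower().rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(7))


def triage(log_text):
    """Return (section, reason, line) for entries a helper would ask about."""
    findings = []
    clsid_uses = defaultdict(dict)   # CLSID -> {section: line}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        modules = MODULE_RE.findall(body)
        generated = [n for n in modules if looks_generated(n)]

        if section == "O2" and "(no name)" in body:
            reason = "unnamed BHO"
            if "(file missing)" in body:
                reason += " (file missing)"
            findings.append((section, reason, line))
        elif section == "O4" and RUNDLL_RE.search(body) and generated:
            reason = "rundll32 autostart of generated-name DLL " + generated[0]
            if any(sid in body for sid in SERVICE_SIDS):
                reason += " under a service-account Run key"
            findings.append((section, reason, line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            if body[len("AppInit_DLLs:"):].strip():
                findings.append((section, f"AppInit_DLLs is populated ({len(modules)} DLLs)", line))
        elif section in ("O21", "O22"):
            for clsid in CLSID_RE.findall(body):
                clsid_uses[clsid.upper()][section] = line

    # The same CLSID loaded both as a Shell Service Object and as a
    # SharedTaskScheduler entry is a double autostart for one DLL.
    for clsid, uses in clsid_uses.items():
        if "O21" in uses and "O22" in uses:
            findings.append(("O21/O22",
                             f"{clsid} registered as both SSODL and SharedTaskScheduler",
                             uses["O22"]))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample above this flags eight entries and leaves the clean ones alone. The point of the heuristic is the pattern, not the specific names: the same infection writes a fresh name on each reinstall, so matching on exact filenames would miss the next log.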

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by Odd dude » December 14th, 2008, 4:47 pm

kstubbs wrote:
FYI, McAfee on the laptop warns of a "potentially unwanted program" RemAdm-ProcLaunch!171 in ComboFix.exe. Can I safely ignore that?

Yes, it's expected. ComboFix uses aggressive techniques and will be flagged.

There is another way to disable TDSSserv, let's try that first, then retry the procedures I outlined.

kstubbs wrote:
One other question. I disconnected from the Internet by physically pulling the Ethernet cable. What's the best way to get future logs to you? Should I reconnect to the Internet for a moment & send email, or should I burn the logs to CD & transport them to a clean laptop (I don't know if a CD I burned could be a vector for infecting the laptop)?

It's not likely for a CD to infect other computers. However I think it's best if you just use the infected computer's internet connection. I cannot tell with 100% certainty what infections are present without the GMER log, but your HijackThis log does not indicate any infections which could download more crap onto your computer, so you should be fine.

If you still want to use the CD that's more than fine, however as a precaution create a folder named autorun.inf in the root of the drive. While I have never ever seen malware infect CDs, it's theoretically possible, but that autorun.inf folder will prevent it.

Please post next the report from Spyware Doctor where Trojan.Mebroot was found.
Reason for asking is that you do not seem to be infected with it. (There is however a chance you have been infected with it, this is why I need the report. Did you have Spyware Doctor fix anything?)

MBR.exe can be deleted.

Try this TDSSserv workaround first:
Click Start > Run, enter devmgmt.msc and click OK.
Under View, click Show hidden devices.
Click Non-Plug and Play devices and locate TDSSserv.sys.
Right click it and choose Disable.

Reboot the machine and then try to rerun the procedures I outlined in my previous post.

If still no go try the following:

Rename combofix.exe to obmoc-xif.pif
Rename gmer.exe to remg.pif
Rename smitfraudfix.exe to smtfix.pif

Then retry

If still no go please inform me.
Odd dude
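Odd dude reads the mbr.exe output in the previous post as not pointing at Mebroot: the decisive line is "user & kernel MBR OK", meaning the MBR read through the normal disk path matched the one read underneath any hooked driver, while "copy of MBR has been found in sector 62 !" on its own only says a second copy of that sector exists in the gap before the first partition. As an added example, not GMER's code and not from the thread, here is that comparison carried out over a constructed 63-sector disk image in Python. How mbr.exe obtains the kernel-side read is not reproduced; both views are passed in as parameters, and the bootstrap bytes, partition entry and disk layout are made up.

```python
import struct

SECTOR = 512
VERDICT_OK = "user & kernel MBR OK"
VERDICT_HOOKED = "user and kernel views of sector 0 differ: reads of the MBR are being filtered"


def build_mbr(seed):
    """Constructed MBR: 446 bytes of pseudo bootstrap code, one active NTFS
    partition starting at LBA 63, three empty entries, and the 0x55AA signature.
    The seed only varies the bootstrap bytes so two MBRs can be told apart."""
    bootstrap = bytes((seed * 7 + i) & 0xFF for i in range(446))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return bootstrap + entry + b"\x00" * 48 + b"\x55\xaa"


def has_boot_signature(sector):
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"


def find_mbr_copies(image, reference=None, scan_sectors=63):
    """Sector numbers below the first partition (1..62 on a 63-sectors-per-track
    layout) whose contents equal `reference` (sector 0 unless given). Bootkits of
    the Mebroot family park the original MBR there so they can chain to it."""
    ref = image[:SECTOR] if reference is None else reference
    last = min(scan_sectors, len(image) // SECTOR)
    return [n for n in range(1, last) if image[n * SECTOR:(n + 1) * SECTOR] == ref]


def analyze(user_view, kernel_view, image):
    """user_view: sector 0 as an ordinary read of the physical drive returns it;
    kernel_view: sector 0 as read below any filter or hooked driver. Obtaining
    the second read is the hard part of a real tool and is out of scope here."""
    lines = [
        "user: MBR read successfully" if has_boot_signature(user_view) else "user: no 0x55AA signature",
        "kernel: MBR read successfully" if has_boot_signature(kernel_view) else "kernel: no 0x55AA signature",
    ]
    verdict = VERDICT_OK if user_view == kernel_view else VERDICT_HOOKED
    lines.append(verdict)
    # Search for a copy of what user mode was shown: on an infected disk that is
    # the original MBR the bootkit hid, on a clean disk just a backup.
    copies = find_mbr_copies(image, reference=user_view)
    lines.extend(f"copy of MBR has been found in sector {n} !" for n in copies)
    return {"verdict": verdict, "copies": copies, "lines": lines}


def demo():
    original = build_mbr(0x33)
    loader = build_mbr(0x77)            # stand-in for a bootkit's replacement MBR
    gap = b"\x00" * SECTOR * 61         # sectors 1..61 unused

    # Case 1: clean disk that carries a backup of its MBR in sector 62, which is
    # the shape of the log in this thread: both views agree, copy reported.
    clean = analyze(original, original, original + gap + original)

    # Case 2: bootkit: sector 0 holds the loader, the original MBR is parked in
    # sector 62, and the hooked read path hands user mode the original.
    infected = analyze(original, loader, loader + gap + original)
    return clean, infected


if __name__ == "__main__":
    for label, result in zip(("clean", "infected"), demo()):
        print(label + ":")
        for line in result["lines"]:
            print("  " + line)
```

Both cases print the "copy of MBR has been found in sector 62 !" line; only the second changes the verdict. That is why the helper asks for the Spyware Doctor report that named Mebroot rather than treating the copy line as confirmation.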

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by kstubbs » December 14th, 2008, 11:06 pm

Thanks, OD. I think we're making progress.

The devmgmt.msc instructions look like they worked on TDSServ. After that, I was able to run ComboFix, SmitfraudFix, and GMER without renaming them. Here are the logs. In case you need another HijackThis log, that's included too. I'll put the Spyware Doctor scan log in a separate message since it's a bit long. Now that TDSServ is gone & I should be able to update Spyware Doctor's data files, should I do that and run a fresh scan?

==================================================================

ComboFix 08-12-14.01 - Keith 2008-12-14 19:48:05.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.780 [GMT -5:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\PRE45
c:\windows\IE4 Error Log.txt
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\av.dat
c:\windows\system32\av.exe
c:\windows\system32\dotevumo.dll
c:\windows\system32\Drivers\TDSSxeuu.sys
c:\windows\system32\ekaluyif.ini
c:\windows\system32\esezeguh.ini
c:\windows\system32\furutedu.dll
c:\windows\system32\gawokire.dll
c:\windows\system32\GfMSDJjl.ini
c:\windows\system32\GfMSDJjl.ini2
c:\windows\system32\hugezese.dll
c:\windows\system32\iiffCTJC.dll
c:\windows\system32\IN
c:\windows\system32\kofelabe.dll
c:\windows\system32\lijujuto.dll
c:\windows\system32\lqqttsve.ini
c:\windows\system32\navolawe.dll
c:\windows\system32\op8
c:\windows\system32\pac.txt
c:\windows\system32\shxcmaea.ini
c:\windows\system32\suukjtov.ini
c:\windows\system32\sX3i19
c:\windows\system32\TDSSirxy.dll
c:\windows\system32\TDSSktao.dll
c:\windows\system32\TDSSocun.dll
c:\windows\system32\TDSSqqon.dll
c:\windows\system32\TDSSravu.dll
c:\windows\system32\TDSSwrhd.log
c:\windows\system32\TDSSwupe.dat
c:\windows\system32\TEC
c:\windows\system32\udeturuf.ini
c:\windows\system32\vapozoki.exe
c:\windows\system32\vi
c:\windows\system32\wakuribi.dll
c:\windows\system32\yotogewo.dll
c:\windows\system32\yudxvdls.ini
c:\windows\system32\zafusiyo.dll
c:\windows\system32\zozefebe.dll
c:\windows\Tasks\ciyvlzhg.job
c:\windows\vmreg.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-14 19:46 . 2008-12-14 19:46 302,592 --a------ c:\windows\system32\awtUKabx.dll
2008-12-14 14:22 . 2008-12-14 14:22 <DIR> d-------- C:\GMER
2008-12-14 07:13 . 2008-12-14 07:13 2,713 --ahs---- c:\windows\system32\sufabuwu.exe
2008-12-13 13:13 . 2008-12-13 13:13 2,713 --ahs---- c:\windows\system32\tipenuno.exe
2008-12-12 19:11 . 2008-12-12 19:11 2,713 --ahs---- c:\windows\system32\hisakite.exe
2008-12-09 15:20 . 2008-12-09 15:20 2,713 --ahs---- c:\windows\system32\fibunihu.exe
2008-12-08 07:16 . 2008-12-08 07:16 2,713 --ahs---- c:\windows\system32\nulapawa.exe
2008-12-07 13:16 . 2008-12-07 13:16 2,713 --ahs---- c:\windows\system32\bikabufe.exe
2008-12-06 19:15 . 2008-12-06 19:15 2,713 --ahs---- c:\windows\system32\jehuzuru.exe
2008-12-06 01:14 . 2008-12-06 01:14 2,713 --ahs---- c:\windows\system32\zotemiso.exe
2008-12-03 19:43 . 2008-12-04 11:47 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-03 19:43 . 2008-12-03 19:43 <DIR> d-------- c:\documents and settings\Keith\Application Data\PC Tools
2008-12-03 19:43 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-03 19:43 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-03 19:43 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-03 19:43 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-03 16:31 . 2008-12-14 14:12 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 14:53 . 2008-12-14 19:52 2,206 --a------ c:\windows\system32\wpa.dbl
2008-12-01 11:03 . 2008-12-05 11:22 64,988 --a------ c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2008-12-01 11:03 . 2008-12-05 11:22 55,168 --a------ c:\windows\system32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2008-12-01 11:03 . 2008-12-05 11:22 55,168 --a------ c:\windows\system32\BMXState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2008-12-01 11:03 . 2008-12-05 11:22 1,080 --a------ c:\windows\system32\settingsbkup.sfm
2008-12-01 11:03 . 2008-12-05 11:22 1,080 --a------ c:\windows\system32\settings.sfm
2008-12-01 11:02 . 2008-12-14 19:50 17,630 --a------ c:\windows\system32\Config.MPF
2008-12-01 04:32 . 2008-12-14 19:46 6,456 --ah----- c:\windows\system32\fabidadu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 22:09 --------- d-----w c:\program files\Legacy
2008-12-01 19:53 --------- d-----w c:\program files\McAfee
2008-11-08 21:23 --------- d-----w c:\program files\Palm
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 03:33 112 ----a-w c:\documents and settings\Keith\delself.bat
2008-09-01 14:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080902\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-08-16 1531904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"CTHelper"="CTHELPER.EXE" [2005-09-20 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-11-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-02-27 221295]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-04-06 28672]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]
M-Audio Transit USB Control Panel Launcher.lnk - c:\program files\M-Audio Transit USB\TUSBTask.exe [2003-04-28 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\AceBIT\\WISE-FTP\\wise_ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R2 Transit USBInstallerService;Transit USB Installer;c:\program files\M-Audio Transit USB\Install\TUSBInst.exe [2006-04-25 49152]
S1 cbidf2kk;cbidf2kk;c:\windows\system32\drivers\cbidf2kk.sys []
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\43D.tmp []
S3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [2006-04-25 41216]
S3 MADFU006;MADFU006;c:\windows\system32\DRIVERS\MADFU006.sys [2006-04-25 16512]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-03 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{05c9fc96-07d0-4145-83aa-72345f97b4dc} - c:\windows\system32\veseyusi.dll
BHO-{2ef3bdbc-41a5-4537-aa79-170ea073d0ba} - c:\windows\system32\kmfppw.dll
BHO-{3f72a4a8-b97a-43fc-a5b3-aee19ee92c8a} - (no file)
BHO-{41f7b255-a777-4405-b40b-7cc10320c89c} - c:\windows\system32\wobezozu.dll
BHO-{476be1a6-f725-4afc-b8ad-7eb10a449963} - c:\windows\system32\zafusiyo.dll
BHO-{8D632AD5-B856-4782-A19C-6944FF12C8CB} - c:\windows\system32\ljJDSMfG.dll
BHO-{c9ef7147-8988-4da0-9836-fc6c163feffe} - c:\windows\system32\veseyusi.dll
BHO-{CB23E2CF-C270-8518-E3B0-41CFDE2048FF} - c:\windows\system32\gpermphniidu.dll
BHO-{d0926b67-2e2c-43ae-8c0f-c320c5e8f982} - c:\windows\system32\cmvcop.dll
HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
HKLM-Run-CTXFIREG - CTxfiReg.exe
HKLM-Run-Wise-FTP Scheduler - (no file)
SSODL-OLESys-{86460DFF-ED6F-4554-B2DF-761DC409EEC7} - c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\OLESys.dll
SSODL-Explorer-{DB905DDF-1F52-40A2-8F17-C01206515967} - c:\documents and settings\All Users\Application Data\Microsoft\Protect\wrdasdikvv.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\y0qka3c9.default\
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 19:51:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\c:\windows\TEMP\43D.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\gearsec.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Sony\MD Simple Burner\NetMDSB.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\CTXFISPI.EXE
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcupdmgr.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\progra~1\McAfee\MSC\mcupdui.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-12-14 19:58:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-15 00:58:12

Pre-Run: 37,254,447,104 bytes free
Post-Run: 36,228,390,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

299 --- E O F --- 2008-11-13 08:04:38

=========================================================================

SmitFraudFix v2.385

Scan done at 20:03:57.34, Sun 12/14/2008
Run from C:\Documents and Settings\Keith\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Keith


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Keith\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Keith\Application Data

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\conf.sys FOUND !
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe FOUND !
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Keith\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS2\Services\Tcpip\..\{3A4FE5F9-869C-4694-B1D3-1CAAAA09A6A9}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

================================================================================

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-14 21:12:24
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB015C9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB015CA41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB015C958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB015C96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB015CA55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB015CA81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB015CAEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB015CAD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB015C9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB015CB1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB015CA2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB015C930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB015C944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB015C9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB015CB57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB015CAC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB015CAAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB015CA6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB015CB43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB015CB2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB015C996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB015C982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB015CA97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB015CA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB015CB05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB015CA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB015C9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B015C9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B015C9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B015C9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B015CA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B015C9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B015C934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B015C948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B015C986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B015C970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B015C95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B015C99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B015CA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B015CAB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B015CA9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B015CB09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B015CAC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B015CA6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B015CA45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B015CA59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B015CA85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B015CAF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B015CADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B015CA31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B015CB5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B015CB33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B015CB47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B015CB1F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F3A
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F79
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070EF8
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070087
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070098
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F1F
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[852] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060069
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[852] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40089
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40078
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E4005B
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40F9E
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40FB9
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40F77
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E400BF
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E400EE
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E40F4B
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E400FF
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E40040
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E400AE
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E4002F
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\lsass.exe[864] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E40F5C
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E30FB2
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E30043
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E30FCD
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E30F86
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E30028
.text C:\WINDOWS\system32\lsass.exe[864] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E30FA1
.text C:\WINDOWS\system32\lsass.exe[864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02420FEF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02420F8A
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0242007F
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0242006E
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02420051
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02420FAF
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02420F52
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024200A4
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024200D0
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02420F37
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 024200EB
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02420036
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02420FDE
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02420F79
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02420025
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02420014
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 024200B5
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02410FD4
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02410FA8
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02410FE5
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0241001B
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0241005B
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02410000
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02410FC3
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 61, 8A ]
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0241004A
.text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10089
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F94
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D1006E
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10FAF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10051
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100C1
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D100A4
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F43
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F5E
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D100F7
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D1000A
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D10F79
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D10036
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D10025
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D100D2
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00D00FB2
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00D0004A
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00D00FC3
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00D00FDE
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00D00F8D
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00D0002F
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00D0001E
.text C:\WINDOWS\system32\svchost.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE000A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02A40FEF
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02A40F3A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02A40F55
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02A40F72
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02A40F8D
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02A40FA8
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02A40F0E
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02A40F1F
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02A40EBD
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02A40ED8
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02A40EAC
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02A4002F
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02A4000A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02A4004A
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02A40FB9
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02A40FD4
.text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02A40EE9
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02A20FB2
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02A2004A
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02A20FC3
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02A20FD4
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02A20039
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02A20FE5
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 02A20028
.text C:\WINDOWS\System32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02A20FA1
.text C:\WINDOWS\System32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03330000
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02A3000A
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02A3001B
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02A30FEF
.text C:\WINDOWS\System32\svchost.exe[1208] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02A30FDE
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0080007D
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0080006C
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0080005B
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0080004A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800FA8
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F46
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800F63
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008000C4
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008000A9
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 008000D5
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00800039
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0080000A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0080008E
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00800FC3
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00800F2B
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007F0FCA
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007F0F79
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007F0FDB
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007F0011
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007F002C
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007F0F94
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9F, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007F0FA5
.text C:\WINDOWS\system32\svchost.exe[1300] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1324] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC0F6D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0F88
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC0062
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC0FA5
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC0FC0
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC008E
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC0F52
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC00CE
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC00B3
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CC00E9
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CC0051
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CC007D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CC0036
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CC0F2B
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CA0F80
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CA0FA5
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes JMP 50C03388
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CA0FC0
.text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00CB0FDB
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00CB0FC0
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00CB0FAF
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F68
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A005D
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0042
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F83
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F3A
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0082
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EF3
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F04
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00A7
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F57
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A000A
.text C:\WINDOWS\system32\dllhost.exe[1412] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F29
.text C:\WINDOWS\system32\dllhost.exe[1412] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\system32\dllhost.exe[1412] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A0087
.text C:\WINDOWS\system32\dllhost.exe[1412] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A002F
.text C:\WINDOWS\system32\dllhost.exe[1412] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[1412] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\dllhost.exe[1412] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[1412] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002A005B
.text C:\WINDOWS\system32\dllhost.exe[1412] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0040
.text C:\WINDOWS\system32\dllhost.exe[1412] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10071
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10F86
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10054
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10FA1
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F50
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F61
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10F1D
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10F2E
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C10F02
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C10FB2
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C10082
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C10FDE
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[2608] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C10F3F
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C00FCD
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C0005E
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C0001E
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C00FA1
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00C00FBC
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ E0, 88 ]
.text C:\WINDOWS\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C00039
.text C:\WINDOWS\system32\svchost.exe[2608] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CD0F5C
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CD0051
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CD0F79
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CD0F94
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CD0FA5
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CD0093
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CD0F41
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CD0F30
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CD00C9
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CD0F0B
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CD0FCA
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CD006C
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CD0011
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[2652] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CD00AE
.text C:\WINDOWS\system32\svchost.exe[2652] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CC0FE5
.text C:\WINDOWS\system32\svchost.exe[2652] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CC0FB2
.text C:\WINDOWS\system32\svchost.exe[2652] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CC002C
.text C:\WINDOWS\system32\svchost.exe[2652] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[2652] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CC0FC3
.text C:\WINDOWS\system32\svchost.exe[2652] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CC000A
.text C:\WINDOWS\system32\svchost.exe[2652] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CC0065
.text C:\WINDOWS\system32\svchost.exe[2652] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CC0FD4
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F61
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0060
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F86
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0043
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0098
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F46
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F24
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F35
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F13
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F97
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0071
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0014
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\System32\svchost.exe[3864] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00A9
.text C:\WINDOWS\System32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290FB9
.text C:\WINDOWS\System32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290065
.text C:\WINDOWS\System32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290FA8
.text C:\WINDOWS\System32\svchost.exe[3864] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00290040
.text C:\WINDOWS\System32\svchost.exe[3864] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0029002F
.text C:\WINDOWS\System32\svchost.exe[3864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B000A
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0094
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0079
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0068
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FAB
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0028
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F67
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F78
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F42
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00DB
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00F6
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0043
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A00AF
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FBC
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FCD
.text C:\WINDOWS\explorer.exe[5276] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00CA
.text C:\WINDOWS\explorer.exe[5276] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0029002F
.text C:\WINDOWS\explorer.exe[5276] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0029006C
.text C:\WINDOWS\explorer.exe[5276] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FDE
.text C:\WINDOWS\explorer.exe[5276] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[5276] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290FAF
.text C:\WINDOWS\explorer.exe[5276] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290000
.text C:\WINDOWS\explorer.exe[5276] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00290051
.text C:\WINDOWS\explorer.exe[5276] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290040
.text C:\WINDOWS\explorer.exe[5276] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\explorer.exe[5276] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002C000A
.text C:\WINDOWS\explorer.exe[5276] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\explorer.exe[5276] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002C001B
.text C:\WINDOWS\explorer.exe[5276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E10000
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0FA3
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B008E
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0FB4
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B007D
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0051
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F46
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F6D
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00DF
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00C4
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B0F2B
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0062
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F88
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[5408] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B00A9
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0047
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FDB
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0011
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0F8A
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002B0F9B
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4B, 88 ]
.text C:\WINDOWS\system32\wuauclt.exe[5408] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B002C

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat AA209D20

AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.14 ----

============================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:50, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Keith\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: M-Audio Transit USB Control Panel Launcher.lnk = C:\Program Files\M-Audio Transit USB\TUSBTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O23 - Service: McAfee Application Installer Cleanup (0105711229302727) (0105711229302727mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\010571~1.EXE
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Transit USB Installer (Transit USBInstallerService) - Nemesis - C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe

--
End of file - 13816 bytes
kstubbs

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by kstubbs » December 14th, 2008, 11:22 pm

Here's the Spyware Doctor log from Dec. 8. I omitted several dozen cookie entries labeled low-risk to save space, but I can provide them if you want them. (I also added hxxp:// to www. entries in the log to disable the links the forum adds.)

As I said in my previous message, with TDSServ neutralized, I can probably update Spyware Doctor's data files & provide a fresh log if that would help you.

============================================================

12/8/2008 6:11:19 PM:468 Scan Started
Scan Type - Full Scan

12/8/2008 6:11:22 PM:375 Infection was detected on this computer
Threat Name - Spyware.Known_Bad_Sites
Type - Cookie
Risk Level - High
Infection - adserver.easyad.info/ adserver.easyad.info

12/8/2008 6:11:22 PM:515 Infection was detected on this computer
Threat Name - RogueAntiSpyware.XPAntispyware
Type - Cookie
Risk Level - High
Infection - antispyware-xp2009.com/ antispyware-xp2009.com

12/8/2008 6:11:22 PM:734 Infection was detected on this computer
Threat Name - Spyware.Known_Bad_Sites
Type - Cookie
Risk Level - High
Infection - cc-dt.com/ cc-dt.com

12/8/2008 6:11:22 PM:953 Infection was detected on this computer
Threat Name - Spyware.Known_Bad_Sites
Type - Cookie
Risk Level - High
Infection - directleads.com/ directleads.com

12/8/2008 6:11:23 PM:93 Infection was detected on this computer
Threat Name - Trojan-Downloader.VB.AXA
Type - Cookie
Risk Level - High
Infection - gomyhit.com/ gomyhit.com

12/8/2008 6:11:23 PM:93 Infection was detected on this computer
Threat Name - Trojan-Downloader.VB.AXA
Type - Cookie
Risk Level - High
Infection - gomyhit.com/ gomyhit.com

12/8/2008 6:11:23 PM:812 Infection was detected on this computer
Threat Name - Hijacker.Specific911_Hijack
Type - Cookie
Risk Level - High
Infection - search123.com/ search123.com

12/8/2008 6:11:23 PM:812 Infection was detected on this computer
Threat Name - Trojan.CWS
Type - Cookie
Risk Level - High
Infection - searchfeed.com/ searchfeed.com

12/8/2008 6:11:31 PM:953 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - creative hxxp://www.registrydefender.com

12/8/2008 6:11:31 PM:953 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - keyword hxxp://www.registrydefender.com

12/8/2008 6:11:31 PM:984 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - medium hxxp://www.registrydefender.com

12/8/2008 6:11:31 PM:984 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - source hxxp://www.registrydefender.com

12/8/2008 6:11:31 PM:984 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - campaign hxxp://www.registrydefender.com

12/8/2008 6:11:31 PM:984 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - __utma registrydefender.com

12/8/2008 6:11:31 PM:984 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - __utmz registrydefender.com

12/8/2008 6:11:31 PM:984 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - __utmv registrydefender.com

12/8/2008 6:11:39 PM:15 Infection was detected on this computer
Threat Name - Spyware.Known_Bad_Sites
Type - Cookie
Risk Level - High
Infection - hxxp://www.dawnsearch.com

12/8/2008 6:11:39 PM:890 Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - hxxp://www.registrydefender.com

12/8/2008 6:11:41 PM:125 Infection was detected on this computer
Threat Name - Trojan.CWS
Type - Cookie
Risk Level - High
Infection - hxxp://www.searchfeed.com

12/8/2008 6:11:57 PM:421 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - C:\PROGRAM FILES\Spyware Guard 2008\conf.cfg

12/8/2008 6:11:57 PM:421 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - C:\PROGRAM FILES\Spyware Guard 2008\mbase.vdb

12/8/2008 6:11:57 PM:421 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - Folder
Risk Level - High
Infection - C:\PROGRAM FILES\Spyware Guard 2008\quarantine\

12/8/2008 6:11:57 PM:421 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - C:\PROGRAM FILES\Spyware Guard 2008\quarantine.vdb

12/8/2008 6:11:57 PM:437 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - C:\PROGRAM FILES\Spyware Guard 2008\queue.vdb

12/8/2008 6:11:57 PM:437 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - c:\program files\spyware guard 2008\spywareguard.exe

12/8/2008 6:11:57 PM:437 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, spywareguard = C:\Program Files\Spyware Guard 2008\spywareguard.exe

12/8/2008 6:11:57 PM:437 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - C:\PROGRAM FILES\Spyware Guard 2008\uninstall.exe

12/8/2008 6:11:57 PM:453 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - C:\PROGRAM FILES\Spyware Guard 2008\vbase.vdb

12/8/2008 6:11:57 PM:453 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - Folder
Risk Level - High
Infection - C:\PROGRAM FILES\Spyware Guard 2008\

12/8/2008 6:11:57 PM:937 Infection was detected on this computer
Threat Name - Trojan-Downloader.Small.BUY
Type - File
Risk Level - High
Infection - C:\Temp\1cb\syscheck.log

12/8/2008 6:11:57 PM:937 Infection was detected on this computer
Threat Name - Trojan-Downloader.Small.BUY
Type - Folder
Risk Level - High
Infection - C:\Temp\1cb\

12/8/2008 6:11:58 PM:703 Infection was detected on this computer
Threat Name - Trojan-Downloader.VB.AWJ
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\SYSTEM32\pac.txt

12/8/2008 6:17:20 PM:359 Infection was detected on this computer
Threat Name - Hidden Files
Type - File
Risk Level - High
Infection - C:\Documents and Settings\Keith\Local Settings\Temp\

12/8/2008 7:07:34 PM:46 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - C:\RECYCLER\S-1-5-21-1373678583-4058992243-2510349918-1006\Dc3686\Spyware Guard 2008.lnk

12/8/2008 7:07:52 PM:156 Infection was detected on this computer
Threat Name - RogueAntiSpyware.SpywareGuard2008
Type - File
Risk Level - High
Infection - C:\RECYCLER\S-1-5-21-1373678583-4058992243-2510349918-1006\Dc3708\Spyware Guard 2008.lnk

12/8/2008 7:23:06 PM:15 Infection was detected on this computer
Threat Name - Hidden Files
Type - File
Risk Level - High
Infection - C:\WINDOWS\system32\drivers\

12/8/2008 7:24:18 PM:156 Infection was detected on this computer
Threat Name - Hidden Files
Type - File
Risk Level - High
Infection - C:\WINDOWS\system32\

12/8/2008 7:25:23 PM:718 Infection was detected on this computer
Threat Name - Hidden Files
Type - File
Risk Level - High
Infection - C:\WINDOWS\Temp\

12/8/2008 7:37:06 PM:359 Smart Update
Smart update has experienced a download error. Please try again later.

12/8/2008 9:02:36 PM:296 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Contim, SysShell

12/8/2008 9:02:36 PM:296 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Contim

12/8/2008 9:02:39 PM:453 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, f012879f

12/8/2008 9:02:43 PM:390 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata, affid

12/8/2008 9:02:43 PM:390 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata, subid

12/8/2008 9:02:43 PM:390 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata, control

12/8/2008 9:02:43 PM:390 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata, prov

12/8/2008 9:02:43 PM:390 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata, googleadserver

12/8/2008 9:02:43 PM:390 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata, flagged

12/8/2008 9:02:43 PM:390 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata

12/8/2008 9:02:43 PM:468 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss, build

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss, type

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss, affid

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss, subid

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss, cmddelay

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss, serversdown

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\connections, 7b72e91c

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\connections, 8f214514

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\connections

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, trsetup.exe

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, ViewpointService.exe

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, ViewMgr.exe

12/8/2008 9:02:43 PM:484 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, SpySweeper.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, SUPERAntiSpyware.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, SpySub.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, SpywareTerminatorShield.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, SpyHunter3.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, XoftSpy.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, SpyEraser.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, combofix.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, otscanit.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, mbam.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, mbam-setup.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, flash_disinfector.exe

12/8/2008 9:02:43 PM:500 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, otmoveit2.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, smitfraudfix.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, prevxcsifree.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, download_mbam-setup.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, cbo_setup.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, spywareblastersetup.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, rminstall.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, sdsetup.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, vundofixsvc.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, daft.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, gmer.exe

12/8/2008 9:02:43 PM:515 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, catchme.exe

12/8/2008 9:02:43 PM:531 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, mcpr.exe

12/8/2008 9:02:43 PM:531 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, sdfix.exe

12/8/2008 9:02:43 PM:531 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, hjtinstall.exe

12/8/2008 9:02:43 PM:531 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, fixpolicies.exe

12/8/2008 9:02:43 PM:531 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, emergencyutil.exe

12/8/2008 9:02:43 PM:531 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, techweb.exe

12/8/2008 9:02:43 PM:562 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, GoogleUpdate.exe

12/8/2008 9:02:43 PM:562 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, windowsdefender.exe

12/8/2008 9:02:43 PM:562 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed, spybotsd.exe

12/8/2008 9:02:43 PM:562 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\disallowed

12/8/2008 9:02:43 PM:562 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\injector, *

12/8/2008 9:02:43 PM:562 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\injector

12/8/2008 9:02:43 PM:562 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\versions, /tdss/crcmds/init

12/8/2008 9:02:43 PM:578 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\versions, /tdss2/crcmds/init

12/8/2008 9:02:43 PM:578 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss\versions

12/8/2008 9:02:43 PM:578 Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\tdss

12/8/2008 9:02:43 PM:578 Infection was detected on this computer
Threat Name - Trojan-Downloader.Agent
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\xpre, execount

12/8/2008 9:02:43 PM:578 Infection was detected on this computer
Threat Name - Trojan-Downloader.Agent
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\xpre

12/8/2008 9:02:44 PM:296 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}, NextInstance

12/8/2008 9:02:44 PM:296 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Service

12/8/2008 9:02:44 PM:296 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Legacy

12/8/2008 9:02:44 PM:296 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ConfigFlags

12/8/2008 9:02:44 PM:312 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Class

12/8/2008 9:02:44 PM:312 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ClassGUID

12/8/2008 9:02:44 PM:312 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, DeviceDesc

12/8/2008 9:02:44 PM:312 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Capabilities

12/8/2008 9:02:44 PM:312 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Driver

12/8/2008 9:02:44 PM:312 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\LogConf

12/8/2008 9:02:44 PM:312 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\Control

12/8/2008 9:02:44 PM:328 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000

12/8/2008 9:02:44 PM:328 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}

12/8/2008 9:02:44 PM:328 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}, NextInstance

12/8/2008 9:02:44 PM:328 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Service

12/8/2008 9:02:44 PM:328 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Legacy

12/8/2008 9:02:44 PM:328 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ConfigFlags

12/8/2008 9:02:44 PM:343 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Class

12/8/2008 9:02:44 PM:343 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ClassGUID

12/8/2008 9:02:44 PM:343 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, DeviceDesc

12/8/2008 9:02:44 PM:343 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Capabilities

12/8/2008 9:02:44 PM:343 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Driver

12/8/2008 9:02:44 PM:343 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\LogConf

12/8/2008 9:02:44 PM:359 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000

12/8/2008 9:02:44 PM:359 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}

12/8/2008 9:02:44 PM:359 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}, NextInstance

12/8/2008 9:02:44 PM:406 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Service

12/8/2008 9:02:44 PM:406 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Legacy

12/8/2008 9:02:44 PM:406 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ConfigFlags

12/8/2008 9:02:44 PM:406 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Class

12/8/2008 9:02:44 PM:406 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ClassGUID

12/8/2008 9:02:44 PM:421 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, DeviceDesc

12/8/2008 9:02:44 PM:421 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Capabilities

12/8/2008 9:02:44 PM:421 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Driver

12/8/2008 9:02:44 PM:421 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\LogConf

12/8/2008 9:02:44 PM:421 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\Control

12/8/2008 9:02:44 PM:421 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000

12/8/2008 9:02:44 PM:421 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Type

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Start

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ErrorControl

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ImagePath

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security, Security

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, 0

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, Count

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, NextInstance

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}

12/8/2008 9:02:45 PM:62 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Type

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Start

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ErrorControl

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ImagePath

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security, Security

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Type

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Start

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ErrorControl

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ImagePath

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security, Security

12/8/2008 9:02:45 PM:78 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security

12/8/2008 9:02:45 PM:93 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, 0

12/8/2008 9:02:45 PM:93 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, Count

12/8/2008 9:02:45 PM:93 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, NextInstance

12/8/2008 9:02:45 PM:93 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum

12/8/2008 9:02:45 PM:93 Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}

12/8/2008 9:03:17 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

12/8/2008 9:03:17 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32, ThreadingModel

12/8/2008 9:03:17 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32, (Default)

12/8/2008 9:03:17 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32

12/8/2008 9:03:17 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

12/8/2008 9:03:19 PM:250 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

12/8/2008 9:03:20 PM:656 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Type

12/8/2008 9:03:20 PM:656 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Count

12/8/2008 9:03:20 PM:656 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Time

12/8/2008 9:03:20 PM:656 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore

12/8/2008 9:03:20 PM:671 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

12/8/2008 9:03:21 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Type

12/8/2008 9:03:21 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Flags

12/8/2008 9:03:21 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Count

12/8/2008 9:03:21 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Time

12/8/2008 9:03:21 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore

12/8/2008 9:03:21 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

12/8/2008 9:03:22 PM:656 Infection was detected on this computer
Threat Name - RogueAntiSpyware.XPAntispyware
Type - Modified Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile, EnableFirewall

12/8/2008 9:03:47 PM:359 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{476be1a6-f725-4afc-b8ad-7eb10a449963}

12/8/2008 9:03:47 PM:359 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{476be1a6-f725-4afc-b8ad-7eb10a449963}\InprocServer32, ThreadingModel

12/8/2008 9:03:47 PM:359 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{476be1a6-f725-4afc-b8ad-7eb10a449963}\InprocServer32, (Default)

12/8/2008 9:03:47 PM:359 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{476be1a6-f725-4afc-b8ad-7eb10a449963}\InprocServer32

12/8/2008 9:03:47 PM:359 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{476be1a6-f725-4afc-b8ad-7eb10a449963}

12/8/2008 9:03:47 PM:375 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{476be1a6-f725-4afc-b8ad-7eb10a449963}\InprocServer32, ThreadingModel

12/8/2008 9:03:47 PM:375 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{476be1a6-f725-4afc-b8ad-7eb10a449963}\InprocServer32, (Default)

12/8/2008 9:03:47 PM:375 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{476be1a6-f725-4afc-b8ad-7eb10a449963}\InprocServer32

12/8/2008 9:03:47 PM:375 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{476be1a6-f725-4afc-b8ad-7eb10a449963}

12/8/2008 9:03:47 PM:375 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore, Type

12/8/2008 9:03:47 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore, Flags

12/8/2008 9:03:47 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore, Count

12/8/2008 9:03:47 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore, Time

12/8/2008 9:03:47 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore

12/8/2008 9:03:47 PM:390 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}

12/8/2008 9:03:47 PM:406 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore, Type

12/8/2008 9:03:47 PM:406 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore, Flags

12/8/2008 9:03:47 PM:406 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore, Count

12/8/2008 9:03:47 PM:406 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore, Time

12/8/2008 9:03:47 PM:406 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}\iexplore

12/8/2008 9:03:47 PM:406 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{476be1a6-f725-4afc-b8ad-7eb10a449963}

12/8/2008 9:03:47 PM:421 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\system32\mezeweku.dll

12/8/2008 9:03:47 PM:421 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32, ThreadingModel

12/8/2008 9:03:47 PM:421 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32, (Default)

12/8/2008 9:03:47 PM:421 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32

12/8/2008 9:03:47 PM:421 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

12/8/2008 9:03:47 PM:484 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Module
Risk Level - Elevated
Infection - winlogon.exe (C:\WINDOWS\system32\iiffCTJC.dll)

12/8/2008 9:03:47 PM:484 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Module
Risk Level - Elevated
Infection - mcagent.exe (C:\WINDOWS\system32\iiffCTJC.dll)

12/8/2008 9:03:47 PM:484 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Module
Risk Level - Elevated
Infection - pctsSvc.exe (C:\WINDOWS\system32\iiffCTJC.dll)

12/8/2008 9:03:47 PM:484 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Module
Risk Level - Elevated
Infection - explorer.exe (C:\WINDOWS\system32\iiffCTJC.dll)

12/8/2008 9:03:47 PM:484 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Module
Risk Level - Elevated
Infection - pctsGui.exe (C:\WINDOWS\system32\iiffCTJC.dll)

12/8/2008 9:03:49 PM:140 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Startup
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

12/8/2008 9:03:50 PM:828 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Startup
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\iiffCTJC, DllName = iiffCTJC.dll

12/8/2008 9:03:50 PM:828 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\system32\iiffCTJC.dll

12/8/2008 9:03:51 PM:109 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Startup
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, f012879f = rundll32.exe "C:\WINDOWS\system32\hugezese.dll",b

12/8/2008 9:03:51 PM:109 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\system32\hugezese.dll

12/8/2008 9:03:51 PM:109 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05c9fc96-07d0-4145-83aa-72345f97b4dc}

12/8/2008 9:03:51 PM:140 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{05c9fc96-07d0-4145-83aa-72345f97b4dc}\InprocServer32, (Default)

12/8/2008 9:03:51 PM:140 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{05c9fc96-07d0-4145-83aa-72345f97b4dc}\InprocServer32, ThreadingModel

12/8/2008 9:03:51 PM:140 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{05c9fc96-07d0-4145-83aa-72345f97b4dc}\InprocServer32

12/8/2008 9:03:51 PM:140 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{05c9fc96-07d0-4145-83aa-72345f97b4dc}

12/8/2008 9:03:51 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ef3bdbc-41a5-4537-aa79-170ea073d0ba}

12/8/2008 9:03:51 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{2ef3bdbc-41a5-4537-aa79-170ea073d0ba}\InprocServer32, (Default)

12/8/2008 9:03:51 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{2ef3bdbc-41a5-4537-aa79-170ea073d0ba}\InprocServer32, ThreadingModel

12/8/2008 9:03:51 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{2ef3bdbc-41a5-4537-aa79-170ea073d0ba}\InprocServer32

12/8/2008 9:03:51 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{2ef3bdbc-41a5-4537-aa79-170ea073d0ba}

12/8/2008 9:03:51 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41f7b255-a777-4405-b40b-7cc10320c89c}

12/8/2008 9:03:51 PM:156 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{41f7b255-a777-4405-b40b-7cc10320c89c}\InprocServer32, (Default)

12/8/2008 9:03:51 PM:171 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{41f7b255-a777-4405-b40b-7cc10320c89c}\InprocServer32, ThreadingModel

12/8/2008 9:03:51 PM:171 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{41f7b255-a777-4405-b40b-7cc10320c89c}\InprocServer32

12/8/2008 9:03:51 PM:171 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{41f7b255-a777-4405-b40b-7cc10320c89c}

12/8/2008 9:03:51 PM:296 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D632AD5-B856-4782-A19C-6944FF12C8CB}

12/8/2008 9:03:51 PM:296 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{8D632AD5-B856-4782-A19C-6944FF12C8CB}\InprocServer32, (Default)

12/8/2008 9:03:51 PM:296 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{8D632AD5-B856-4782-A19C-6944FF12C8CB}\InprocServer32, ThreadingModel

12/8/2008 9:03:51 PM:296 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{8D632AD5-B856-4782-A19C-6944FF12C8CB}\InprocServer32

12/8/2008 9:03:51 PM:296 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{8D632AD5-B856-4782-A19C-6944FF12C8CB}

12/8/2008 9:03:51 PM:296 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9ef7147-8988-4da0-9836-fc6c163feffe}

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{c9ef7147-8988-4da0-9836-fc6c163feffe}\InprocServer32, (Default)

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{c9ef7147-8988-4da0-9836-fc6c163feffe}\InprocServer32, ThreadingModel

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{c9ef7147-8988-4da0-9836-fc6c163feffe}\InprocServer32

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{c9ef7147-8988-4da0-9836-fc6c163feffe}

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0926b67-2e2c-43ae-8c0f-c320c5e8f982}

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{d0926b67-2e2c-43ae-8c0f-c320c5e8f982}\InprocServer32, (Default)

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{d0926b67-2e2c-43ae-8c0f-c320c5e8f982}\InprocServer32, ThreadingModel

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{d0926b67-2e2c-43ae-8c0f-c320c5e8f982}\InprocServer32

12/8/2008 9:03:51 PM:312 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_CLASSES_ROOT\CLSID\{d0926b67-2e2c-43ae-8c0f-c320c5e8f982}

12/8/2008 9:03:51 PM:343 Scan Finished
Scan Type - Full Scan
Items Processed - 902967
Threats Detected - 16
Infections Detected - 359
Infections Ignored - 0
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Unread postby Odd dude » December 15th, 2008, 11:11 am

The devmvmt.msc instructions look like they worked on TDSServ. After that, I was able to run combofix, smitfraudfix, and gmer without renaming them.

:)

Now that TDSServ is gone & I should be able to update Spyware Doctor's data files, should I do that and run a fresh scan?

Sounds like a good idea to me, but before you fix anything let me see the log, so that I know what is going on.

All active infections appear to have been removed, however I see some leftover files ComboFix didn't pick up so let's run an online scan.

ATF-Cleaner
Download ATF-Cleaner by Atribune to your desktop.
Start the program and place a check next to the following items:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Java Cache
  • Recycle Bin
Now click Empty Selected and click OK.

If you use Firefox, click the Firefox tab and place a check next to Select All. Click Empty Selected and answer No at the prompt.
If you use Opera, click the Opera tab and place a check next to Select All. Click Empty Selected and answer No at the prompt.

Kaspersky Online Scan
I would like you to run an online antivirus scan.

Please click HERE to be taken to the Kaspersky site.

  • The site will present you with a list of important items. Read those. If you're unsure about something, stop and ask! If you're sure everything is all right, close all other windows.
  • Now, click Accept.
  • It will start a download roughly 10 MB in size. If prompted by your firewall to allow internet access, allow.
  • Once the download has finished, click Next.
  • Under Please select a target to scan, choose My Computer.
  • Get a cup of coffee and watch some TV. Do not run any other programs while Kaspersky is scanning! If you're on dial-up, you can now terminate the internet connection if you wish.
  • Once finished, you will be presented with the results. Click Save as text and save the log to your desktop.

Post the results in your next reply. If you have performed a new Spyware Doctor scan, post the log from that as well.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Unread postby kstubbs » December 15th, 2008, 10:19 pm

OD, here are the results from Kaspersky, Spyware Doctor, & McAfee (which ran an automatic scan I'd forgotten was scheduled).

McAfee ran first & automatically quarantined some files, which it appears Kaspersky found in C:\Qoobox\Quarantine. I didn't see a way to save or copy the McAfee log, so I had to transcribe the info into a notepad file & it's possible I mistyped some of the restore paths.

Spyware Doctor found a lot of Mebroot & Virtumonde stuff in the registry, but not in the filesystem.

McAfee & Spyware Doctor seem to agree that _restore is compromised, but Kaspersky doesn't seem concerned about it.

McAfee & Spyware Doctor are offering to clean up what they found.

Also, as I mentioned in a previous message, I've had my G: drive powered down for a week, but it was running during the early days of the infection. Since my H: drive hasn't shown any problems in the scans, I'm guessing the G: drive is clean. Let me know if you think I should scan it now (given that it has my only offline copy of lots of important data). I also have a couple of thumb drives that I plugged into USB slots while in Safe Mode with Networking, but couldn't get to mount (possibly because they were being assigned to G:, the letter of the shutdown 500Gb external). Are there any special steps I should take to examine the thumb drives? The data on them is not critical.

Thanks for your efficient & clear help getting to this point. My PC seems to be behaving, but looking at the logs, it looks like I still need your help to do some more clean-up.

=================================================================

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 15, 2008 13:58:24
Records in database: 1462800
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
E:\
F:\
H:\
Scan statistics
Files scanned: 556891
Threat name: 5
Infected objects: 4
Suspicious objects: 2
Duration of the scan: 04:54:32

File name | Threat name | Threats count
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\2\Front\1\M0000000131.eml | Suspicious: Trojan-Spy.HTML.Fraud.gen | 1
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\2\Front\1\M0000000134.eml | Suspicious: Trojan-Spy.HTML.Fraud.gen | 1
C:\Qoobox\Quarantine\C\Program Files\Spyware Guard 2008\spywareguard.exe.vir | Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.f | 1
C:\Qoobox\Quarantine\C\Program Files\Spyware Guard 2008\uninstall.exe.vir | Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.b | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\av.dat.vir | Infected: not-a-virus:AdWare.Win32.BHO.ejm | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSocun.dll.vir | Infected: Trojan.Win32.Agent.arvz | 1
The selected area was scanned.

=================================================================

McAfee Scan 12/14/2008

Detection Type: Potentially Unwanted Program
Detection Name: PrcViewer
Status: Detected
Items: File Name: E:\SmitfraudFix.exe, C:\Documents and Settings\Keith\Desktop\SmitfraudFix\Process.exe, C:\Documents and Settings\Keith\Desktop\SmitfraudFix.exe

Detection Type: Potentially Unwanted Program
Detection Name: RemAdm-ProcLaunch!171
Status: Detected
Items: File Name: E:\Combofix.exe, C:\Documents and Settings\Keith\Desktop\Combofix.exe

Detection Type: Potentially Unwanted Program
Detection Name: Tool-NirCmd
Status: Detected
Items: File Name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-DEB8B91E727B}\RP737\A0063431.com

Detection Type: Potentially Unwanted Program
Detection Name: Generic PUP.x
Status: Detected
Items: File Name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-DEB8B91E727B}\RP737\A0063374.dll, C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSocun.dll.vir

Detection Type: Trojan
Detection Name: FakeAlert-AG.gen.a
Status: Quarantined
File Name: C:\qoobox\quarantine\c\windows\system32\tdssirxy.dll.vir

Detection Type: Trojan
Detection Name: Generic.dx
Status: Quarantined
File Name: C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TDSSKTAO.DLL.VIR

Detection Type: Trojan
Detection Name: FakeAlert-AG.gen.a
Status: Quarantined
File Name: C:\qoobox\quarantine\c\windows\system32\tdssravu.dll.vir

Detection Type: Trojan
Detection Name: Generic.dx
Status: Quarantined
File Name: C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\TDSSXEUU.SYS.VIR

Detection Type: Trojan
Detection Name: Generic.dx
Status: Quarantined
Items: File Name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063371.sys

Detection Type: Trojan
Detection Name: FakeAlert-AG.gen.a
Status: Quarantined
File Name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063372.dll

Detection Type: Trojan
Detection Name: Generic.dx
Status: Quarantined
File Name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063373.dll

Detection Type: Trojan
Detection Name: FakeAlert-AG.gen.a
Status: Quarantined
File Name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063376.dll

=================================================================

PC Tools Spyware Doctor

Date

Status
12/15/2008 4:53:15 PM:703
Service Started
Spyware Doctor Service Application started
12/15/2008 4:53:15 PM:703
Anti-Malware Engine
Anti-Malware engine configuration loaded successfully.
12/15/2008 4:57:10 PM:265
Service Stopped
Spyware Doctor Service Application Stopped
12/15/2008 4:57:51 PM:93
Service Started
Spyware Doctor Service Application started
12/15/2008 4:57:51 PM:93
Anti-Malware Engine
Anti-Malware engine configuration loaded successfully.
12/15/2008 4:58:41 PM:687
Scan Started
Scan Type - Full Scan
12/15/2008 4:58:55 PM:328
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - AA002 atdmt.com
12/15/2008 4:58:55 PM:343
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - id doubleclick.net
12/15/2008 4:58:55 PM:359
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - dmc specificclick.net
12/15/2008 4:58:55 PM:359
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - dmk specificclick.net
12/15/2008 4:58:55 PM:359
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - smc specificclick.net
12/15/2008 4:58:55 PM:359
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - smk specificclick.net
12/15/2008 4:58:55 PM:359
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - adp specificclick.net
12/15/2008 4:58:55 PM:359
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - adk specificclick.net
12/15/2008 4:58:55 PM:359
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - adc specificclick.net
12/15/2008 4:58:55 PM:375
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - smx specificclick.net
12/15/2008 4:58:55 PM:390
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - CTCI adopt.specificclick.net
12/15/2008 4:58:55 PM:390
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - LO adopt.specificclick.net
12/15/2008 4:58:55 PM:390
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - UI adopt.specificclick.net
12/15/2008 4:58:55 PM:468
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - PRID ads.pointroll.com
12/15/2008 4:58:55 PM:468
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - PRimp ads.pointroll.com
12/15/2008 4:58:55 PM:468
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - PRca ads.pointroll.com
12/15/2008 4:58:55 PM:468
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - PRcp ads.pointroll.com
12/15/2008 4:58:55 PM:468
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - PRpl ads.pointroll.com
12/15/2008 4:58:55 PM:468
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - PRcr ads.pointroll.com
12/15/2008 4:58:55 PM:468
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - PRpc ads.pointroll.com
12/15/2008 4:58:55 PM:515
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - FFgeo zedo.com
12/15/2008 4:58:55 PM:515
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - FFCap zedo.com
12/15/2008 4:58:55 PM:515
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - PI zedo.com
12/15/2008 4:58:55 PM:531
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - ES questionmarket.com
12/15/2008 4:58:55 PM:640
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - ZEDOIDA zedo.com
12/15/2008 4:58:55 PM:640
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - ZEDOIDX zedo.com
12/15/2008 4:58:55 PM:859
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - VisitorInfo stopzilla.com
12/15/2008 4:58:55 PM:906
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - Conversion hxxp://www.stopzilla.com
12/15/2008 4:58:55 PM:906
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - __utma stopzilla.com
12/15/2008 4:58:55 PM:906
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - __utmz stopzilla.com
12/15/2008 4:58:56 PM:46
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - V5 imrworldwide.com
12/15/2008 4:58:56 PM:46
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - IMRID imrworldwide.com
12/15/2008 4:58:56 PM:171
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - OAX 247realmedia.com
12/15/2008 4:58:56 PM:421
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - eyeblaster bs.serving-sys.com
12/15/2008 4:58:56 PM:437
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - A2 serving-sys.com
12/15/2008 4:58:56 PM:437
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - B2 serving-sys.com
12/15/2008 4:58:56 PM:437
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - C3 serving-sys.com
12/15/2008 4:58:56 PM:437
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - D3 serving-sys.com
12/15/2008 4:58:56 PM:437
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - E2 serving-sys.com
12/15/2008 4:58:56 PM:437
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - U serving-sys.com
12/15/2008 4:58:56 PM:453
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - svid mediaplex.com
12/15/2008 4:58:56 PM:484
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - XCLGFbrowser com.com
12/15/2008 4:58:56 PM:531
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - fl_inst ad.yieldmanager.com
12/15/2008 4:58:56 PM:531
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - uid ad.yieldmanager.com
12/15/2008 4:58:56 PM:531
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - ih ad.yieldmanager.com
12/15/2008 4:58:56 PM:531
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - pv1 ad.yieldmanager.com
12/15/2008 4:58:56 PM:640
Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - creative hxxp://www.registrydefender.com
12/15/2008 4:58:56 PM:640
Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - keyword hxxp://www.registrydefender.com
12/15/2008 4:58:56 PM:640
Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - medium hxxp://www.registrydefender.com
12/15/2008 4:58:56 PM:640
Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - source hxxp://www.registrydefender.com
12/15/2008 4:58:56 PM:640
Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - campaign hxxp://www.registrydefender.com
12/15/2008 4:58:56 PM:640
Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - __utma registrydefender.com
12/15/2008 4:58:56 PM:640
Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - __utmz registrydefender.com
12/15/2008 4:58:56 PM:640
Infection was detected on this computer
Threat Name - Hijacker.Affiliated_with_Browser_Hijackers
Type - Cookie
Risk Level - Elevated
Infection - __utmv registrydefender.com
12/15/2008 4:58:56 PM:703
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - HumanClickID server.iad.liveperson.net
12/15/2008 4:58:56 PM:984
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - bh ad.yieldmanager.com
12/15/2008 4:58:57 PM:46
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - ANON_ID tribalfusion.com
12/15/2008 4:58:57 PM:468
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - NC1U www3.addfreestats.com
12/15/2008 4:58:57 PM:484
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - /PC hxxp://www.burstnet.com
12/15/2008 4:58:57 PM:500
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - CMID casalemedia.com
12/15/2008 4:58:57 PM:500
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - CMPS casalemedia.com
12/15/2008 4:58:57 PM:500
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - CMPP casalemedia.com
12/15/2008 4:58:57 PM:500
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - CMX1 casalemedia.com
12/15/2008 4:58:57 PM:500
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - CMS casalemedia.com
12/15/2008 4:58:57 PM:500
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - TData burstnet.com
12/15/2008 4:58:57 PM:500
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - TID burstnet.com
12/15/2008 4:58:57 PM:515
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - CMIMP casalemedia.com
12/15/2008 4:58:57 PM:515
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - pjw fastclick.net
12/15/2008 4:58:57 PM:515
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - adv_ic fastclick.net
12/15/2008 4:58:57 PM:515
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - pluto fastclick.net
12/15/2008 4:58:57 PM:515
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - /BC hxxp://www.burstbeacon.com
12/15/2008 4:58:57 PM:531
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - pop fastclick.net
12/15/2008 4:58:57 PM:531
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - vt fastclick.net
12/15/2008 4:58:57 PM:656
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - RMID realmedia.com
12/15/2008 4:58:57 PM:656
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - RMFW realmedia.com
12/15/2008 4:58:57 PM:734
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - CS1 questionmarket.com
12/15/2008 4:58:57 PM:750
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - /ad.12043 hxxp://www.burstnet.com
12/15/2008 4:58:57 PM:750
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - __qca burstnet.com
12/15/2008 4:58:57 PM:765
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - ditechbt468 realmedia.com
12/15/2008 4:58:57 PM:765
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - /ad.12189 hxxp://www.burstnet.com
12/15/2008 4:59:20 PM:15
Scan Finished
Scan Type - Full Scan
Items Processed - 59144
Threats Detected - 3
Infections Detected - 80
Infections Ignored - 0
12/15/2008 5:00:02 PM:734
Scan Started
Scan Type - Full Scan
12/15/2008 5:00:16 PM:515
Infection was detected on this computer
Threat Name - Spyware.Found_By_Browser_Defender
Type - Favourite
Risk Level - Medium
Infection - hxxp://www.nonags.com/ : C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\y0qka3c9.default\bookmarks.htmlFreeware World Center - NONAGS -
12/15/2008 5:00:16 PM:687
Infection was detected on this computer
Threat Name - Spyware.Found_By_Browser_Defender
Type - Favourite
Risk Level - Medium
Infection - hxxp://www.versiontracker.com/dyn/moreinfo/palm/3130 : C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\y0qka3c9.default\bookmarks.htmlLockbox 1.2 – Palm OS – VersionTracker
12/15/2008 5:00:16 PM:796
Infection was detected on this computer
Threat Name - Spyware.Found_By_Browser_Defender
Type - Favourite
Risk Level - Medium
Infection - hxxp://www.dors.de/razorlame/index.php : C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\y0qka3c9.default\bookmarks.htmlRazorLame | A LAME Front-end - open source encoding MP3 files
12/15/2008 6:00:01 PM:250
Scheduled Scan Skipped
Scheduled task Intelli-Scan of this computer skipped - another scan is already running.
12/15/2008 6:03:31 PM:312
Infection was detected on this computer
Threat Name - Rootkit.Agent!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063275.exe
12/15/2008 6:03:45 PM:937
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063395.EXE
12/15/2008 6:11:56 PM:828
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
12/15/2008 6:11:57 PM:359
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\ERDNT\subs\ERDNT.EXE
12/15/2008 6:18:44 PM:750
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\SWXCACLS.exe
12/15/2008 8:11:43 PM:937
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
12/15/2008 8:11:43 PM:937
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
12/15/2008 8:11:43 PM:937
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot
12/15/2008 8:11:43 PM:953
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware
12/15/2008 8:11:43 PM:984
Infection was detected on this computer
Threat Name - Trojan-Downloader.Agent
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\xpre, execount
12/15/2008 8:11:44 PM:0
Infection was detected on this computer
Threat Name - Trojan-Downloader.Agent
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\xpre
12/15/2008 8:11:44 PM:171
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
12/15/2008 8:11:44 PM:171
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
12/15/2008 8:11:45 PM:531
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}, NextInstance
12/15/2008 8:11:45 PM:531
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Service
12/15/2008 8:11:45 PM:531
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Legacy
12/15/2008 8:11:45 PM:546
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ConfigFlags
12/15/2008 8:11:45 PM:546
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Class
12/15/2008 8:11:45 PM:546
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ClassGUID
12/15/2008 8:11:45 PM:546
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, DeviceDesc
12/15/2008 8:11:45 PM:546
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Capabilities
12/15/2008 8:11:45 PM:546
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Driver
12/15/2008 8:11:45 PM:562
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\LogConf
12/15/2008 8:11:45 PM:562
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\Control
12/15/2008 8:11:45 PM:562
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000
12/15/2008 8:11:45 PM:562
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}
12/15/2008 8:11:45 PM:562
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}, NextInstance
12/15/2008 8:11:45 PM:578
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Service
12/15/2008 8:11:45 PM:578
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Legacy
12/15/2008 8:11:45 PM:578
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ConfigFlags
12/15/2008 8:11:45 PM:578
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Class
12/15/2008 8:11:45 PM:578
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ClassGUID
12/15/2008 8:11:45 PM:578
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, DeviceDesc
12/15/2008 8:11:45 PM:593
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Capabilities
12/15/2008 8:11:45 PM:593
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Driver
12/15/2008 8:11:45 PM:593
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\LogConf
12/15/2008 8:11:45 PM:593
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000
12/15/2008 8:11:45 PM:593
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}
12/15/2008 8:11:45 PM:609
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}, NextInstance
12/15/2008 8:11:45 PM:609
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Service
12/15/2008 8:11:45 PM:609
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Legacy
12/15/2008 8:11:45 PM:609
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ConfigFlags
12/15/2008 8:11:45 PM:609
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Class
12/15/2008 8:11:45 PM:609
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, ClassGUID
12/15/2008 8:11:45 PM:625
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, DeviceDesc
12/15/2008 8:11:45 PM:625
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Capabilities
12/15/2008 8:11:45 PM:625
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000, Driver
12/15/2008 8:11:45 PM:625
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\LogConf
12/15/2008 8:11:45 PM:625
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000\Control
12/15/2008 8:11:45 PM:625
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}\0000
12/15/2008 8:11:45 PM:640
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_{DEF85C80-216A-43AB-AF70-1665EDBE2780}
12/15/2008 8:11:46 PM:750
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Type
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Start
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ErrorControl
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ImagePath
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security, Security
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, 0
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, Count
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, NextInstance
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Type
12/15/2008 8:11:46 PM:781
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Start
12/15/2008 8:11:46 PM:781
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ErrorControl
12/15/2008 8:11:46 PM:781
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ImagePath
12/15/2008 8:11:46 PM:781
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security, Security
12/15/2008 8:11:46 PM:781
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security
12/15/2008 8:11:46 PM:781
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}
12/15/2008 8:11:46 PM:781
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Type
12/15/2008 8:11:46 PM:781
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, Start
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ErrorControl
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}, ImagePath
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security, Security
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Security
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, 0
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, Count
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum, NextInstance
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}\Enum
12/15/2008 8:11:46 PM:796
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}
12/15/2008 8:11:50 PM:906
Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1373678583-4058992243-2510349918-1006\Software\Wget
12/15/2008 8:12:47 PM:46
Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Type
12/15/2008 8:12:47 PM:46
Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Flags
12/15/2008 8:12:47 PM:46
Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Count
12/15/2008 8:12:47 PM:46
Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Time
12/15/2008 8:12:47 PM:46
Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore
12/15/2008 8:12:47 PM:46
Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Key
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
12/15/2008 8:12:49 PM:218
Scan Finished
Scan Type - Full Scan
Items Processed - 766282
Threats Detected - 7
Infections Detected - 90
Infections Ignored - 0
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm
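
The log above is what the helper reads to judge where each detection lives. A small parser for this Spyware Doctor log format, added here as an example (not the thread's own or PC Tools' code), buckets every detection by location so the observation that the Mebroot and Virtumonde hits are registry entries rather than files on disk can be checked mechanically; the input is a constructed excerpt built from four of the records above plus the scan summary block.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the Spyware Doctor log format posted above (four of the
# thread's own records plus the scan summary block, not the full log).
SAMPLE_LOG = r"""
12/15/2008 4:58:57 PM:500
Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - CMID casalemedia.com
12/15/2008 6:03:31 PM:312
Infection was detected on this computer
Threat Name - Rootkit.Agent!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063275.exe
12/15/2008 8:11:46 PM:765
Infection was detected on this computer
Threat Name - Trojan.Mebroot
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SERVICES\{DEF85C80-216A-43AB-AF70-1665EDBE2780}
12/15/2008 8:12:47 PM:46
Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\iexplore, Type
12/15/2008 8:12:49 PM:218
Scan Finished
Scan Type - Full Scan
Infections Detected - 90
"""

TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M:\d+$")
FIELD_RE = re.compile(r"^(Threat Name|Type|Risk Level|Infection) - (.*)$")
FIELD_KEYS = {"Threat Name": "threat", "Type": "type",
              "Risk Level": "risk", "Infection": "location"}


def parse_log(text):
    """Split the log into detection records; Scan Started/Finished blocks are skipped."""
    records, current, timestamp = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            timestamp, current = line, None  # every event begins with a timestamp line
            continue
        if line == "Infection was detected on this computer":
            current = {"time": timestamp}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[FIELD_KEYS[m.group(1)]] = m.group(2)
    return records


def classify_location(record):
    """Bucket a detection by where it lives: cookie, registry, restore point or file on disk."""
    loc = record.get("location", "")
    if record.get("type") == "Cookie":
        return "cookie"
    if loc.upper().startswith("HKEY_"):
        return "registry"
    if "\\System Volume Information\\_restore" in loc:
        return "restore_point"
    return "file"


def summarize(records):
    """Per threat name, how many detections fall in each location bucket."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r.get("threat", "?")][classify_location(r)] += 1
    return {threat: dict(counts) for threat, counts in summary.items()}


def registry_only(summary, threat):
    """True when every detection of the threat is a registry artefact and none is a file."""
    buckets = summary.get(threat, {})
    return bool(buckets) and set(buckets) == {"registry"}


def high_risk_on_disk(records):
    """High/Elevated detections that point at real files (restore points included)."""
    return [r["location"] for r in records
            if r.get("risk") in ("High", "Elevated")
            and classify_location(r) in ("file", "restore_point")]
```

Run over the full log, the registry-only check holds for Trojan.Mebroot and Trojan.Virtumonde, while the restore-point hit is the one file a second scanner would need SYSTEM-level access to see.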

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Unread postby Odd dude » December 16th, 2008, 9:58 am

OD, here are the results from Kaspersky, Spyware Doctor, & McAfee (which ran an automatic scan I'd forgotten was scheduled).

No problem.

McAfee ran first & automatically quarantined some files, which it appears Kaspersky found in C:\Qoobox\Quarantine. I didn't see a way to save or copy the McAfee log, so I had to transcribe the info into a notepad file & it's possible I mistyped some of the restore paths.

No problem.

Spyware Doctor found a lot of Mebroot & Virtumonde stuff in the registry, but not in the filesystem.

Feel free to have it fix.

McAfee & Spyware Doctor seem to agree that _restore is compromised, but Kaspersky doesn't seem concerned about it.

That is because Kaspersky doesn't have privileges to see that. _restore resides in C:\System Volume Information which is a folder with permissions set only to SYSTEM, not to you. In order to be able to see it, the program needs to have system-level access, which Kaspersky Online Scan does not have.
We'll clean everything in there once you're clean - these are just system restore points.

McAfee & Spyware Doctor are offering to clean up what they found.

Let them do so. :)

Also, as I mentioned in a previous message, I've had my G: drive powered down for a week, but it was running during the early days of the infection. Since my H: drive hasn't shown any problems in the scans, I'm guessing the G: drive is clean. Let me know if you think I should scan it now (given that it has my only offline copy of lots of important data). I also have a couple of thumb drives that I plugged into USB slots while in Safe Mode with Networking, but couldn't get to mount (possibly because they were being assigned to G:, the letter of the shutdown 500Gb external). Are there any special steps I should take to examine the thumb drives? The data on them is not critical.

This will do the trick:

Flash_Disinfector
Download Flash_Disinfector by sUBs.
  • Disconnect from the internet and disable all antivirus/antimalware programs. That ensures they won't interfere.
  • Run Flash_Disinfector. When asked, plug in the flash drive.
  • Your desktop will disappear as the program starts cleaning the flash drives.
  • When done, a message box will appear. Click OK
  • If your desktop does not come up, press Ctrl + Shift + Esc to bring up Task Manager. Click File > New task (Run...) and enter:
    Code:
    explorer
  • Then click OK and your desktop will appear.

It's been made to disinfect flash drives, but it can actually disinfect any USB drive.

Thanks for your efficient & clear help getting to this point. My PC seems to be behaving, but looking at the logs, it looks like I still need your help to do some more clean-up.

Yes, still some more clean up to do.

Good news: Kaspersky is clean and McAfee only found some things in our tools (as expected) and quarantined files.

Let's run this next to clear up the last inactive files:

Run CFScript
Open notepad and copy/paste the following to it:

Code:
File::
c:\windows\system32\awtUKabx.dll
c:\windows\system32\sufabuwu.exe
c:\windows\system32\tipenuno.exe
c:\windows\system32\hisakite.exe
c:\windows\system32\fibunihu.exe
c:\windows\system32\nulapawa.exe
c:\windows\system32\bikabufe.exe
c:\windows\system32\jehuzuru.exe
c:\windows\system32\zotemiso.exe
c:\windows\system32\fabidadu
c:\documents and settings\Keith\delself.bat
c:\windows\system32\drivers\cbidf2kk.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
[-HKEY_CLASSES_ROOT\CLSID\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
[-HKEY_CLASSES_ROOT\CLSID\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
Driver::
{DEF85C80-216A-43ab-AF70-1665EDBE2780}
cbidf2kk
0105711229302727mcinstcleanup


Save this to your desktop as "CFScript.txt".

Disconnect from the internet, disable your antimalware software like you did before, and drag CFScript into ComboFix.


ComboFix will run again. Post the log. Also post a new HijackThis log and a new uninstall list.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
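
The CFScript above is a plain-text format: a line ending in "::" opens a section (File::, Registry::, Driver::), and the Registry section uses .reg-file syntax, where a [KEY] line followed by "name"=data lines sets values and a [-KEY] line deletes the key. The parser and pre-flight lint below are an added example (not ComboFix's or sUBs' code) run on a shortened copy of that script as constructed input; the rule that any Name:: line opens a section is my assumption, and the lint deliberately reports the line that appears twice in the posted script.

```python
import re

# Shortened copy of the CFScript posted in the thread above, used as constructed
# input; it keeps the duplicated [-HKEY_CLASSES_ROOT\CLSID\...] line on purpose.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\awtUKabx.dll
c:\documents and settings\Keith\delself.bat
c:\windows\system32\drivers\cbidf2kk.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[-HKEY_CLASSES_ROOT\CLSID\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
[-HKEY_CLASSES_ROOT\CLSID\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
Driver::
{DEF85C80-216A-43ab-AF70-1665EDBE2780}
cbidf2kk
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # assumption: any Name:: line opens a section
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")  # [KEY] or [-KEY], as in .reg files
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')       # "name"=data


def parse_cfscript(text):
    """Return {section: [entries]} in the order the sections appear."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section directive: {line!r}")
        sections[current].append(line)
    return sections


def parse_registry_section(entries):
    """Turn the .reg-style Registry:: block into (action, key, name, data) tuples:
    [-KEY] deletes the key; [KEY] followed by "name"=data lines sets values under it."""
    actions, key = [], None
    for line in entries:
        m = REG_KEY_RE.match(line)
        if m:
            if m.group(1) == "-":
                actions.append(("delete_key", m.group(2), None, None))
                key = None              # values may not follow a delete directive
            else:
                key = m.group(2)
            continue
        m = REG_VALUE_RE.match(line)
        if m and key is not None:
            actions.append(("set_value", key, m.group(1), m.group(2)))
            continue
        raise ValueError(f"unrecognised or misplaced registry line: {line!r}")
    return actions


def lint(sections):
    """Pre-flight checks before the script is dragged onto ComboFix: duplicate entries
    in any section, an empty section, and File:: paths that are not absolute drive paths."""
    problems = []
    for name, entries in sections.items():
        if not entries:
            problems.append(f"{name}:: is empty")
        seen = set()
        for line in entries:
            if line.lower() in seen:
                problems.append(f"{name}:: duplicate entry {line}")
            seen.add(line.lower())
    for path in sections.get("File", []):
        if not re.match(r"^[A-Za-z]:\\", path):
            problems.append(f"File:: not an absolute path: {path}")
    return problems
```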

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Unread postby kstubbs » December 16th, 2008, 8:15 pm

Thanks again, OD.

Here are the ComboFix.exe/CFScript.txt log, HijackThis log and fresh uninstall list.

I'm also including the latest Spyware Doctor & McAfee scan logs. This time I had McAfee skip my H: drive because there weren't any problems there last scan & I didn't want to wait the additional 2-3 hours it would take to scan it. I'll run that scan tonight. I had McAfee fix everything it found except the ComboFix & SmitfraudFix items. I presume I'll uninstall those apps when we're done & that will resolve what bothers McAfee there.

I had Spyware Doctor fix everything it found except the versiontracker.com one (labeled Low risk) and the Application.NirCmd ones (labeled Info & Potentially Unwanted Applications). I don't know if deleting those might cause problems with apps I use.

I haven't run Flash_Disinfector yet. Should I also run it on my external USB drives as well as the flash drives? Is there a risk of damage or loss of the data?

================================================================

ComboFix 08-12-14.01 - Keith 2008-12-16 10:33:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.561 [GMT -5:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Keith\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Keith\delself.bat
c:\windows\system32\awtUKabx.dll
c:\windows\system32\bikabufe.exe
c:\windows\system32\drivers\cbidf2kk.sys
c:\windows\system32\fabidadu
c:\windows\system32\fibunihu.exe
c:\windows\system32\hisakite.exe
c:\windows\system32\jehuzuru.exe
c:\windows\system32\nulapawa.exe
c:\windows\system32\sufabuwu.exe
c:\windows\system32\tipenuno.exe
c:\windows\system32\zotemiso.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Keith\delself.bat
c:\windows\system32\awtUKabx.dll
c:\windows\system32\bikabufe.exe
c:\windows\system32\fabidadu
c:\windows\system32\fibunihu.exe
c:\windows\system32\hisakite.exe
c:\windows\system32\jehuzuru.exe
c:\windows\system32\nulapawa.exe
c:\windows\system32\sufabuwu.exe
c:\windows\system32\tipenuno.exe
c:\windows\system32\tmp.reg
c:\windows\system32\zotemiso.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{DEF85C80-216A-43AB-AF70-1665EDBE2780}
-------\Service_{DEF85C80-216A-43ab-AF70-1665EDBE2780}
-------\Service_cbidf2kk


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-14 20:08 . 2008-12-14 20:08 250 --a------ c:\windows\gmer.ini
2008-12-14 14:22 . 2008-12-14 14:22 <DIR> d-------- C:\GMER
2008-12-03 19:43 . 2008-12-16 05:18 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-03 19:43 . 2008-12-03 19:43 <DIR> d-------- c:\documents and settings\Keith\Application Data\PC Tools
2008-12-03 19:43 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-03 19:43 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-03 19:43 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-03 19:43 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-03 16:31 . 2008-12-16 10:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 14:53 . 2008-12-16 10:39 2,206 --a------ c:\windows\system32\wpa.dbl
2008-12-01 11:03 . 2008-12-16 10:38 64,988 --a------ c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2008-12-01 11:03 . 2008-12-16 10:38 55,168 --a------ c:\windows\system32\BMXStateBkp-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2008-12-01 11:03 . 2008-12-16 10:38 55,168 --a------ c:\windows\system32\BMXState-{00000005-00000000-00000004-00001102-00000005-10031102}.rfx
2008-12-01 11:03 . 2008-12-16 10:38 1,080 --a------ c:\windows\system32\settingsbkup.sfm
2008-12-01 11:03 . 2008-12-16 10:38 1,080 --a------ c:\windows\system32\settings.sfm
2008-12-01 11:02 . 2008-12-16 10:38 17,464 --a------ c:\windows\system32\Config.MPF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 16:34 --------- d-----w c:\program files\McAfee
2008-12-03 22:09 --------- d-----w c:\program files\Legacy
2008-11-08 21:23 --------- d-----w c:\program files\Palm
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-01 14:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080902\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-14_19.57.01.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
+ 2008-12-15 01:08:14 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2008-08-26 07:24:28 347,136 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2008-08-26 07:24:28 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2008-08-26 07:24:28 133,120 -c----w c:\windows\ie7updates\KB958215-IE7\extmgr.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll
+ 2008-08-25 08:37:59 70,656 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe
+ 2008-08-26 07:24:28 153,088 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll
+ 2008-08-26 07:24:28 230,400 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll
+ 2008-08-23 05:54:51 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll
+ 2008-08-26 07:24:29 384,512 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll
+ 2008-08-26 07:24:29 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll
+ 2008-08-25 08:38:00 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2008-08-23 05:56:15 635,848 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe
+ 2008-08-26 07:24:30 27,648 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll
+ 2008-08-27 08:24:32 3,593,216 -c----w c:\windows\ie7updates\KB958215-IE7\mshtml.dll
+ 2008-08-26 07:24:30 477,696 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll
+ 2008-08-26 07:24:30 193,024 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll
+ 2008-08-26 07:24:30 671,232 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll
+ 2008-08-26 07:24:30 102,912 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll
+ 2008-08-26 07:24:30 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll
+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\ie7updates\KB958215-IE7\url.dll
+ 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll
+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll
+ 2008-08-26 07:24:31 826,368 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll
- 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-12-14 19:09:51 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-16 13:49:21 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-14 19:09:51 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-16 13:49:21 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-14 19:09:51 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-16 13:49:21 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-26 07:24:28 124,928 ------w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 ------w c:\windows\system32\dllcache\advpack.dll
- 2008-08-26 07:24:28 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 ------w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ------w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-26 07:24:28 133,120 ------w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-23 12:36:14 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
- 2008-08-26 07:24:28 63,488 ------w c:\windows\system32\dllcache\icardie.dll
+ 2008-10-16 20:38:35 63,488 ------w c:\windows\system32\dllcache\icardie.dll
- 2008-08-25 08:37:59 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
- 2008-08-26 07:24:28 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
- 2008-08-23 05:54:51 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
- 2008-08-26 07:24:28 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
- 2008-08-26 07:24:29 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
- 2008-08-26 07:24:29 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
- 2008-08-25 08:38:00 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
- 2008-08-23 05:56:15 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 07:06:26 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
- 2008-08-26 07:24:30 27,648 ------w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ------w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-06-11 07:47:52 96,768 ------w c:\windows\system32\dllcache\logagent.exe
- 2008-08-26 07:24:30 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
- 2008-08-26 07:24:30 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-17 07:08:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-26 07:24:30 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-26 07:24:30 193,024 ------w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\dllcache\msrating.dll
- 2008-08-26 07:24:30 671,232 ------w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\dllcache\mstime.dll
- 2008-08-26 07:24:30 102,912 ------w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\dllcache\occache.dll
- 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-04-14 00:12:07 246,814 ------w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-26 07:24:30 105,984 ------w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 ------w c:\windows\system32\dllcache\url.dll
- 2008-08-26 07:24:31 1,159,680 ------w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ------w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-26 07:24:31 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
- 2008-08-26 07:24:31 826,368 ------w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 ------w c:\windows\system32\dllcache\wininet.dll
+ 2008-06-11 07:58:16 988,672 ------w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-12-07 04:14:51 2,330,624 ------w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-11 07:58:24 2,330,624 ------w c:\windows\system32\dllcache\WMVCore.dll
+ 2008-12-15 01:08:14 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-08-26 07:24:28 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-26 07:24:28 133,120 ------w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\extmgr.dll
- 2008-04-14 00:11:54 285,184 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\system32\gdi32.dll
- 2008-08-26 07:24:28 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-08-25 08:37:59 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 ------w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\ieakeng.dll
- 2008-08-26 07:24:28 230,400 ------w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\ieaksie.dll
- 2008-08-23 05:54:51 161,792 ------w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
- 2008-08-26 07:24:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 ------w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-08-26 07:24:29 44,544 ------w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\iernonce.dll
- 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-08-25 08:38:00 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-08-26 07:24:30 27,648 ------w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ------w c:\windows\system32\jsproxy.dll
- 2005-08-04 00:29:52 96,768 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-11 07:47:52 96,768 ----a-w c:\windows\system32\logagent.exe
+ 2008-12-09 20:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2008-08-26 07:24:30 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-08-26 07:24:30 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-10-17 07:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-26 07:24:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-26 07:24:30 193,024 ------w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\msrating.dll
- 2008-08-26 07:24:30 671,232 ------w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\mstime.dll
- 2008-08-26 07:24:30 102,912 ------w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\occache.dll
- 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2008-07-08 13:02:01 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:07 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-04-14 00:12:38 60,416 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-08-26 07:24:31 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
- 2005-08-04 00:29:52 988,672 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-11 07:58:16 988,672 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-12-07 04:14:51 2,330,624 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-11 07:58:24 2,330,624 ----a-w c:\windows\system32\WMVCore.dll
+ 2008-12-16 15:39:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_830.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-08-16 1531904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"CTHelper"="CTHELPER.EXE" [2005-09-20 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-11-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-02-27 221295]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-04-06 28672]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]
M-Audio Transit USB Control Panel Launcher.lnk - c:\program files\M-Audio Transit USB\TUSBTask.exe [2003-04-28 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\AceBIT\\WISE-FTP\\wise_ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R2 Transit USBInstallerService;Transit USB Installer;c:\program files\M-Audio Transit USB\Install\TUSBInst.exe [2006-04-25 49152]
S2 0300481229358863mcinstcleanup;McAfee Application Installer Cleanup (0300481229358863);c:\windows\TEMP\030048~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service []
S3 ma763006;M-Audio Transit USB;c:\windows\system32\drivers\MA763006.sys [2006-04-25 41216]
S3 MADFU006;MADFU006;c:\windows\system32\DRIVERS\MADFU006.sys [2006-04-25 16512]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-03 356920]

*Newly Created Service* - 0300481229358863MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\y0qka3c9.default\
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2008-12-16 10:39:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\gearsec.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Sony\MD Simple Burner\NetMDSB.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\CTXFISPI.EXE
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-12-16 10:43:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 15:43:42

Pre-Run: 35,928,039,424 bytes free
Post-Run: 35,970,580,480 bytes free

413 --- E O F --- 2008-12-15 08:04:15

================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:47, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\M-Audio Transit USB\TUSBTask.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Keith\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: M-Audio Transit USB Control Panel Launcher.lnk = C:\Program Files\M-Audio Transit USB\TUSBTask.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - hxxp://download.mcafee.com/molbin/share ... insctl.cab
O23 - Service: McAfee Application Installer Cleanup (0300481229358863) (0300481229358863mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\030048~1.EXE (file missing)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Transit USB Installer (Transit USBInstallerService) - Nemesis - C:\Program Files\M-Audio Transit USB\Install\TUSBInst.exe

--
End of file - 13261 bytes

================================================================

7-Zip 4.32
AbcNavigator 2.0
Adobe Flash Player Plugin
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
APC PowerChute Personal Edition
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
BK ReplaceEm 2.0
Bonjour
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Corel Paint Shop Pro X
Corel Photo Album 6
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
DellSupport
Digital Content Portal
Documents To Go
EarthLink setup files
Easy Thumbnails (Remove only)
EducateU
ELIcon
ESPNMotion
Exact Audio Copy v0.9 beta 4
FastStone Image Viewer 2.30
GemMaster Mystic
Get High Speed Internet!
Google AFE
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
HP Image Zone 4.7
HP Image Zone Express
HP PSC & OfficeJet 4.7
HP Software Update
Intel Matrix Storage Manager
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Intel(R) Quick Resume Technology Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
Legacy 6.0
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
McAfee SecurityCenter
McAfee Uninstaller
MCU
MD Simple Burner 2.0.05
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Robocopy GUI
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (3.0.4)
Mp3tag v2.35
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
NetZeroInstallers
Norton Ghost 10.0
NVIDIA Drivers
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Otto
Palm
Palm-DB-Tools 0.3.6
Pilot-DB 1.1.3
PowerDVD 5.5
QuickTime
RealPlayer
RON Tool Banners4u
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SonicStage 3.4
Sony Sound Forge Audio Studio 8.0a
Sound Blaster X-Fi
Spyware Doctor 6.0
Transit USB 1.0.2.2
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WildTangent Web Driver
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908246
Windows XP Service Pack 3
Wise-FTP
Xenu's Link Sleuth

================================================================

McAfee Security Center Scan - 12/16/2008

Number of items scanned: 308433
Number of items detected: 28
Number of items repaired: 0
Number of items quarantined: 18
Number of items removed: 0

Detection Type: Potentially Unwanted Program
Detection Name: PrcViewer
Status: Detected
Items: File Name: E:\SmitfraudFix.exe, C:\Documents and Settings\Keith\Desktop\SmitfraudFix\Process.exe, C:\Documents and Settings\Keith\Desktop\SmitfraudFix.exe, C:\Documents and Settings\Keith\Desktop\SmitfraudFix\Process.exe, C:\Documents and Settings\Keith\Desktop\SmitfraudFix.exe

Detection Type: Potentially Unwanted Program
Detection Name: RemAdm-ProcLaunch!171
Status: Detected
Items: File Name: E:\ComboFix.exe, C:\Documents and Settings\Keith\Desktop\ComboFix.exe, C:\Documents and Settings\Keith\Desktop\ComboFix.exe

Detection Type: Potentially Unwanted Program
Detection Name: Generic PUP.x
Status: Detected
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\TDSSocun.dll.vir

Detection Type: Potentially Unwanted Program
Detection Name: Generic PUP.x
Status: Detected
Items: File Name: C:\Qoobox\Quarantine\C\Program Files\Spyware Guard\uninstall.exe.vir

Detection Type: Trojan
Detection Name: Generic.dx
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\av.dat.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\dotevumo.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\furutedo.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\gawokire.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\hugezese.dll.vir

Detection Type: Trojan
Detection Name: Vundo
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\iiffctjc.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\kofelabe.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\lijujuto.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\navolawe.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\wakuribi.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\yotogewo.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Qoobox\Quarantine\C\Windows\system32\zafusiyo.dll.vir

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Windows\system32\bemamuve.dll.tmp

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Windows\system32\fadateta.dll.tmp

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Windows\system32\mezeweku.dll.tmp

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Windows\system32\tobirugo.dll.tmp

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Windows\system32\vuyumijo.dll.tmp

Detection Type: Trojan
Detection Name: Vundo.gen.o
Status: Quarantined
Items: File Name: C:\Windows\system32\yuwegiju.dll.tmp

================================================================

PC Tools Spyware Doctor

Date: 12/16/2008 1:32:23 PM:750
Status: Scan Started
Scan Type - Full Scan
12/16/2008 1:32:40 PM:125
Infection was detected on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - hxxp://www.versiontracker.com
12/16/2008 1:47:07 PM:62
Smart Update
Smart update was unable to run because a internet connection was not found. Please check your network settings and try again.
12/16/2008 2:56:16 PM:562
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - File
Risk Level - High
Infection - C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSocun.dll.vir
12/16/2008 3:00:54 PM:359
Infection was detected on this computer
Threat Name - Trojan.Garntet!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP736\A0062942.exe
12/16/2008 3:01:46 PM:859
Infection was detected on this computer
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063236.dll
12/16/2008 3:02:37 PM:968
Infection was detected on this computer
Threat Name - Rootkit.Agent!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063275.exe
12/16/2008 3:02:47 PM:468
Infection was detected on this computer
Threat Name - Trojan.Garntet!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063304.exe
12/16/2008 3:04:53 PM:15
Infection was detected on this computer
Threat Name - Trojan.TDSServ
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063374.dll
12/16/2008 3:04:54 PM:218
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063395.EXE
12/16/2008 3:05:14 PM:312
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP740\A0063630.EXE
12/16/2008 3:05:16 PM:906
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP740\A0063648.EXE
12/16/2008 3:05:17 PM:781
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP740\A0063666.EXE
12/16/2008 3:15:00 PM:515
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
12/16/2008 3:15:01 PM:125
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\ERDNT\subs\ERDNT.EXE
12/16/2008 3:23:33 PM:703
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\SWXCACLS.exe
12/16/2008 6:00:06 PM:875
Scheduled Scan Skipped
Scheduled task Intelli-Scan of this computer skipped - another scan is already running.
12/16/2008 6:29:27 PM:625
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
12/16/2008 6:29:27 PM:625
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
12/16/2008 6:29:27 PM:625
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot
12/16/2008 6:29:27 PM:625
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware
12/16/2008 6:29:27 PM:734
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
12/16/2008 6:29:27 PM:734
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
12/16/2008 6:29:27 PM:734
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
12/16/2008 6:29:27 PM:734
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ConfigFlags
12/16/2008 6:29:27 PM:734
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
12/16/2008 6:29:27 PM:734
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
12/16/2008 6:29:27 PM:734
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
12/16/2008 6:29:27 PM:750
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Capabilities
12/16/2008 6:29:27 PM:750
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
12/16/2008 6:29:27 PM:750
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
12/16/2008 6:29:27 PM:750
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
12/16/2008 6:29:27 PM:828
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
12/16/2008 6:29:27 PM:828
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
12/16/2008 6:29:27 PM:828
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
12/16/2008 6:29:27 PM:828
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
12/16/2008 6:29:27 PM:828
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
12/16/2008 6:29:27 PM:843
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, 0
12/16/2008 6:29:27 PM:843
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, Count
12/16/2008 6:29:27 PM:843
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, NextInstance
12/16/2008 6:29:27 PM:843
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
12/16/2008 6:29:27 PM:843
Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme
12/16/2008 6:30:31 PM:906
Scan Finished
Scan Type - Full Scan
Items Processed - 767389
Threats Detected - 6
Infections Detected - 39
Infections Ignored - 0
12/16/2008 6:45:00 PM:484
Infection quarantined
Threat Name - Trojan.TDSServ
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063374.dll
12/16/2008 6:45:00 PM:515
Infection quarantined
Threat Name - Trojan.TDSServ
Type - File
Risk Level - High
Infection - C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSocun.dll.vir
12/16/2008 6:45:00 PM:578
Infection cleaned
Threat Name - Trojan.TDSServ
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063374.dll
12/16/2008 6:45:00 PM:578
Infection cleaned
Threat Name - Trojan.TDSServ
Type - File
Risk Level - High
Infection - C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSocun.dll.vir
12/16/2008 6:45:00 PM:593
Infection quarantined
Threat Name - Trojan.Garntet!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063304.exe
12/16/2008 6:45:00 PM:625
Infection quarantined
Threat Name - Trojan.Garntet!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP736\A0062942.exe
12/16/2008 6:45:00 PM:625
Infection cleaned
Threat Name - Trojan.Garntet!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063304.exe
12/16/2008 6:45:00 PM:625
Infection cleaned
Threat Name - Trojan.Garntet!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP736\A0062942.exe
12/16/2008 6:45:00 PM:656
Infection quarantined
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063236.dll
12/16/2008 6:45:00 PM:687
Infection cleaned
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063236.dll
12/16/2008 6:45:00 PM:796
Infection quarantined
Threat Name - Rootkit.Agent!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063275.exe
12/16/2008 6:45:00 PM:812
Infection cleaned
Threat Name - Rootkit.Agent!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP737\A0063275.exe
12/16/2008 6:45:02 PM:937
Infections Quarantined/Removed Summary
Quarantined - 6
Quarantine Failed - 0
Removed - 6
Remove Failed - 0
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Unread postby Odd dude » December 17th, 2008, 10:21 am

Application.NirCmd ones (labeled Info & Potentially Unwanted Applications). I don't know if deleting those might cause problems with apps I use.

Yes, fixing nircmd would break ComboFix. The other one can be safely fixed.

We would like some samples of some of the infected files that I had ComboFix quarantine.

Please copy and paste the following to notepad:
@ECHO OFF
:: 
:: As requested in the following thread:
:: http://malwareremoval.com/forum/viewtopic.php?p=382225#p382225
:: 
:: As the OP did some GP scans I added a little piece of my own :-) (in case files from Qoobox were quarantined)
:: 
:: Pleased to serve you :-)
:: 
:: 
::    ~ Odd dude
:: 
:: Loop over the quarantined samples; the loop variable G holds one path per pass.
FOR %%G IN (
c:\qoobox\quarantine\c\windows\system32\awtUKabx.dll.vir
C:\Qoobox\Quarantine\C\windows\system32\sufabuwu.exe.vir
C:\Qoobox\Quarantine\C\windows\system32\tipenuno.exe.vir
C:\Qoobox\Quarantine\C\windows\system32\nulapawa.exe.vir
C:\Qoobox\Quarantine\C\windows\system32\zotemiso.exe.vir
) DO (
REM If another scanner already moved the file out of Qoobox, ask the user to restore it first.
If not exist %%G (
Nircmd infobox "%%~nG.vir could not be found!~n~nInitiating search... this will take a few minutes. Sorry!" "Notice"
Nircmd infobox "Please DEQUARANTINE %%~nG.vir BEFORE clicking OK.~n(Unfortunately I cannot tell whether it was Spyware Doctor or McAfee which quarantined this file)~n~nThank you!" "Information"
)
REM Add the sample to UploadThis.zip: -S includes hidden and system files, -q is quiet.
REM The loop variable here must be G, the one declared by FOR; with any other letter nothing is added.
Zip.exe -Sq UploadThis %%G
)
:: Finally move this batch file itself into the zip (-m) so the helper can see what was run.
Zip.exe -mq UploadThis %0

Save this to your desktop as "Upload.bat". Please include the quotation marks.
When you double click the file, a black box will open. When it closes, a zip file will have been created on your desktop.

Open this zip file and make sure that these files are present:
  • Upload.bat
  • awtUKabx.dll.vir
  • sufabuwu.exe.vir
  • tipenuno.exe.vir
  • nulapawa.exe.vir
  • zotemiso.exe.vir
If one of them isn't, either McAfee or Spyware Doctor quarantined it. If this is the case, please dequarantine the file in question. Then delete the zip file and rerun upload.bat.

Now click here. Add a link to this topic (copy and paste from the address bar of your browser) in the designated box and click Browse. Browse to your desktop and select the zip that was created by the batch file.

After that, click Submit.

Update your Adobe Reader
Your version of Adobe Reader is old and may contain security leaks. Please first uninstall the older version, then download and install the newest version from here.


Now disable all your antimalware programs as we will rerun ComboFix for the last time.
Click Start>Run and enter: ComboFix /u
Then click OK.

This will clean up system restore points, clean up temporary internet files, etc.

Now...

If you don't have any other issues, then I think all the malware is gone!


Congratulations!

As far as I can tell, you are CLEAN!




Have a big cup of coffee, sit back & relax, and now please follow a few of the following tips; they will dramatically reduce your chance of getting infected again.


  • Turn on Automatic Updates if you have not done so. It is MANDATORY to keep your Windows updated, otherwise you are vulnerable to exploits! To turn on Automatic Updates: click Start > Control Panel > Security Centre > Automatic Updates.

Below are optional items. It's highly recommended to read them through, but decide for yourself how many of these recommendations (if any) you follow.

  • Install WinPatrol from here. Instructions for use are here.

  • Install SpywareBlaster to protect you from bad sites. Download - How to use it

  • Install a custom hosts file. Let's say I have a directory of 640kb's worth of bad sites. Let's say I can make sure you will never be able to access those sites, so you will never get any infection from those sites. It's like blocking a site - without site blocking tools. How would you like to never be able to visit (a lot, but not all of the) malware-infected sites again? Well, now you can!
    First, we must disable a service, as Windows cannot work with a very large hosts file while that service is active. This will not affect anything else.
    The disabling routine:
    1. Click Start, then Run
    2. Copy and paste the following:
      sc config dnscache start= disabled
    3. Click OK.
    Next, you can download the custom hosts file from here. Installation instructions can be found there as well.

  • Install Sandboxie. Sandboxie isolates programs into a sandbox. When you get infected, and the program that caused this (e.g. Internet Explorer) is inside the sandbox, the infection will remain trapped inside the sandbox. Then it only takes a few clicks to empty the sandbox and thus kill the virus. Sandboxie is completely free! Download it here.
Note that using Sandboxie does not guarantee that you will never get infected. Some malware can bypass Sandboxie, so don't let your guard down!

Please reply to this thread once more so we know it can be archived


Happy surfing!! :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
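The custom hosts file tip above hands every program on the machine a replacement name-resolution table, so a practitioner should vet that list before installing it: every entry must point at a blackhole address (any other address silently redirects the domain, which is the same trick the malware in this thread pulled on the security vendors' sites), and it must not blackhole hosts that have to keep working, such as Windows Update. The following is an added example, not code from the post or from the linked hosts-file project; the blocklist text, the hostnames in it and the `required_names` list are constructed for illustration.

```python
"""Vet a third-party hosts-file blocklist and merge it into a system hosts file.

Added example, not from the original post. Rejects entries that would
redirect rather than block, refuses to block hosts on a must-resolve list,
and reports malformed lines instead of installing them. (The post's note
about disabling the DNS Client service for very large hosts files still
applies; this script only prepares the file.)
"""
import ipaddress
import re

# Addresses that merely sink a lookup; anything else is a redirect.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample, not the list the post links to.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
0.0.0.0 ads.example.net tracker.example.net
0.0.0.0 Ads.Example.Net              # same host, different case: collapses
127.0.0.1 malware-dropper.example
203.0.113.7 www.pctools.com          # not a blackhole: would hijack the site
0.0.0.0 update.microsoft.com         # blocking this breaks Automatic Updates
0.0.0.0 bad_host                     # underscore is not a valid hostname
999.1.1.1 x.example                  # not an IP address
0.0.0.0                              # address with no hostname
"""


def parse_hosts(text):
    """Parse hosts-file text into ({hostname: {addresses}}, [problems]).

    '#' starts a comment; a line is one address followed by one or more
    hostnames. Hostnames are lower-cased so case variants collapse, and a
    host listed under both an IPv4 and an IPv6 address keeps both.
    """
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            problems.append(f"line {lineno}: address without hostname: {line!r}")
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"line {lineno}: not an IP address: {addr!r}")
            continue
        for name in names:
            name = name.lower()
            if not HOSTNAME_RE.match(name):
                problems.append(f"line {lineno}: invalid hostname: {name!r}")
                continue
            entries.setdefault(name, set()).add(addr)
    return entries, problems


def vet_blocklist(text, required_names=()):
    """Return (safe_names, rejected): names that are purely blackholed and not
    on the must-resolve list, plus a reason string for everything else."""
    entries, problems = parse_hosts(text)
    rejected = list(problems)
    required = {n.lower() for n in required_names}
    safe = []
    for name, addrs in sorted(entries.items()):
        if not addrs <= BLACKHOLE:
            rejected.append(f"{name} -> {sorted(addrs)}: not a blackhole, would redirect the site")
        elif name in required:
            rejected.append(f"{name}: on the must-resolve list, not blocked")
        else:
            safe.append(name)
    return safe, rejected


def merge_into_hosts(system_hosts, safe_names, marker="# blocklist"):
    """Append blackhole entries after the existing system hosts text, leaving
    the system's own entries (localhost and friends) untouched."""
    system_entries, _ = parse_hosts(system_hosts)
    lines = system_hosts.rstrip("\n").split("\n")
    lines.append(marker)
    for name in safe_names:
        if name in system_entries:
            continue  # never override an entry the system file already defines
        lines.append(f"0.0.0.0 {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    safe, rejected = vet_blocklist(SAMPLE_BLOCKLIST, required_names=["update.microsoft.com"])
    print(f"{len(safe)} entries accepted, {len(rejected)} rejected:")
    for reason in rejected:
        print("  -", reason)
    print(merge_into_hosts("127.0.0.1 localhost\n::1 localhost\n", safe))
```

Run it against the real download and the system hosts file instead of the constructed strings; anything in the rejected list is worth reading before the file goes into `drivers\etc`.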

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by kstubbs » December 17th, 2008, 2:31 pm

OD,

When I run "Upload.bat", the run window quickly flashes 4 "nothing to do" messages and the resulting zip file contains only the script bat file. I can't find any of the 4 quarantined files in either Spyware Doctor or McAfee's quarantine logs, so I don't know how to unquarantine them. In Windows Explorer, the size & dates of the 4 files are:

C:\Qoobox\Quarantine\C\windows\system32\sufabuwu.exe.vir - 302592 bytes - created 12/14/2008 19:46:14; modified 12/14/2008 19:46:16
C:\Qoobox\Quarantine\C\windows\system32\tipenuno.exe.vir - 2713 bytes - created 12/13/2008 13:13:18; modified 12/13/2008 13:13:18
C:\Qoobox\Quarantine\C\windows\system32\nulapawa.exe.vir - 2713 bytes - created 12/8/2008 7:16:52; modified 12/8/2008 7:16:52
C:\Qoobox\Quarantine\C\windows\system32\zotemiso.exe.vir - 2713 bytes - created 12/6/2008 1:14:22; modified 12/6/2008 1:14:22

Spyware Doctor's Settings->Quarantine and Settings->History lists don't show any of the 4 files. Spyware Doctor doesn't show any quarantine activity until 12/16, which makes sense since I wasn't able to register it and activate its repair functions until 12/15 & didn't ask it to repair anything until 12/16. McAfee's Restore logs go back to 3/9/2007, but don't list any of the files we're looking for. And the McAfee log doesn't show any activity on 12/6, 12/8, or 12/13, and lists only 2 files (both TDSS) for 12/14.

Since I can't find a way to unquarantine the 4 files, is there a workaround such as renaming, moving or copying them?

FYI, I updated Adobe Reader & confirmed that Windows Automatic Updates is on. I did not run Combofix /u yet.
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm

Re: Infested w. Virtumonde, Mebroot, TDSServ, Spyware Guard 2008

Post by kstubbs » December 17th, 2008, 2:54 pm

Change all my "4"s in the previous message to "5"s.

I missed one of the five files in my cutting-and-pasting.

c:\qoobox\quarantine\c\windows\system32\awtUKabx.dll.vir - 302592 bytes - created 12/14/2008, 19:46:14; modified 12/14/2008, 19:46:16

I couldn't find this one in the Spyware Doctor or McAfee quarantine logs either.
kstubbs
Regular Member
 
Posts: 26
Joined: December 12th, 2008, 2:51 pm
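The Upload.bat procedure above zips whatever it finds and leaves the user to notice, by opening the archive, that a file never made it in; the two replies above show exactly that failure, with the .vir files sitting in C:\Qoobox\Quarantine but an archive holding only the batch file. The following is an added example, not the batch file from the post and not a ComboFix tool: it stages the same five quarantined names, records size, modification time and SHA-256 for each so the analyst can confirm what arrived is what was described, reports missing files by name, and refuses to write an empty archive. The quarantine directory, the placeholder file contents and the archive name are constructed for the demo.

```python
"""Stage quarantined samples for upload with an integrity manifest.

Added example, not the Upload.bat from the post. Each expected file is
reported as present (with size, mtime and SHA-256) or missing, and the
archive is only written when at least one sample was found.
"""
import hashlib
import os
import tempfile
import zipfile
from datetime import datetime, timezone

# File names from the thread's checklist. The CONTENT written below is
# constructed filler for the demo, not the real quarantined malware.
EXPECTED = ["awtUKabx.dll.vir", "sufabuwu.exe.vir", "tipenuno.exe.vir",
            "nulapawa.exe.vir", "zotemiso.exe.vir"]


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe(path):
    """Size, UTC mtime and SHA-256: what an analyst needs to match the sample."""
    st = os.stat(path)
    mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
    return {"name": os.path.basename(path), "size": st.st_size,
            "mtime": mtime, "sha256": sha256_of(path)}


def stage_samples(quarantine_dir, expected_names, archive_path):
    """Build archive_path from the expected files found in quarantine_dir.

    Returns {"present": [descriptions], "missing": [names], "archive": path or None}.
    Missing files are named rather than silently skipped, and no archive is
    written when nothing was found, so an empty zip is never uploaded.
    """
    present, missing = [], []
    for name in expected_names:
        path = os.path.join(quarantine_dir, name)
        if os.path.isfile(path):
            present.append(describe(path))
        else:
            missing.append(name)
    if not present:
        return {"present": [], "missing": missing, "archive": None}
    manifest = ["name\tsize\tmtime_utc\tsha256"]
    manifest += [f"{d['name']}\t{d['size']}\t{d['mtime']}\t{d['sha256']}" for d in present]
    manifest += [f"{name}\tMISSING" for name in missing]
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for d in present:
            zf.write(os.path.join(quarantine_dir, d["name"]), arcname=d["name"])
        zf.writestr("manifest.txt", "\n".join(manifest) + "\n")
    return {"present": present, "missing": missing, "archive": archive_path}


def archive_names(archive_path):
    """Sorted member names of a zip, for the 'make sure these files are present' check."""
    with zipfile.ZipFile(archive_path) as zf:
        return sorted(zf.namelist())


def build_demo(tmp_dir=None):
    """Constructed scenario: three of the five files exist in a fake Qoobox quarantine."""
    tmp_dir = tmp_dir or tempfile.mkdtemp(prefix="qoobox_demo_")
    qdir = os.path.join(tmp_dir, "Quarantine", "C", "windows", "system32")
    os.makedirs(qdir, exist_ok=True)
    for name in EXPECTED[:3]:
        with open(os.path.join(qdir, name), "wb") as f:
            f.write(b"constructed placeholder for " + name.encode())
    return stage_samples(qdir, EXPECTED, os.path.join(tmp_dir, "UploadThis.zip"))


if __name__ == "__main__":
    result = build_demo()
    for d in result["present"]:
        print(f"present: {d['name']} {d['size']} bytes sha256={d['sha256']}")
    for n in result["missing"]:
        print(f"MISSING: {n}  (locate or dequarantine it, then rerun)")
    print("archive:", result["archive"])
```

Point `stage_samples` at the real quarantine directory (for ComboFix, C:\Qoobox\Quarantine\C\windows\system32) and the manifest travels inside the zip, so the helper can compare hashes against what the user reported before touching the samples.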