Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need some help.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Need some help.

Unread postby Badhat » December 21st, 2008, 11:31 am

I started getting hijacks on my laptop about two or three weeks ago.

Here is my Hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 9:20:30 AM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - Unknown owner - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc (file missing)
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FAH@C:+Program Files+FAH502-Console.exe - Unknown owner - C:\Program Files\FAH502-Console.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



Appreciate any help I can get.
Badhat
Regular Member
 
Posts: 15
Joined: December 21st, 2008, 11:26 am
Advertisement
Register to Remove

Re: Need some help.

Unread postby Shaba » December 29th, 2008, 6:29 am

Hi Badhat

Your HijackThis is outdated.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need some help.

Unread postby Badhat » December 29th, 2008, 12:08 pm

Okay, I think I have it done. Tks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:12 AM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\Google Toolbar\gtb2E0.tmp.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
E:\HJTInstall.exe
E:\HJTInstall.exe
E:\HJTInstall.exe
E:\HJTInstall.exe
E:\HJTInstall.exe
E:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FAH@C:+Program Files+FAH502-Console.exe - Unknown owner - C:\Program Files\FAH502-Console.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12838 bytes
Badhat
Regular Member
 
Posts: 15
Joined: December 21st, 2008, 11:26 am

Re: Need some help.

Unread postby Shaba » December 29th, 2008, 12:14 pm

Please tell me next what kind of hijacks you get.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need some help.

Unread postby Badhat » December 29th, 2008, 3:27 pm

Basically, when I do a Google search, and get the results, I will click on one of the results and it takes me off somewhere besides where the link should go. As a work around, I can copy and paste the link the the browser, and then get there usually. And sometimes, when I click on a favorite or link in IE, it gives me a "can't find" message...
Badhat
Regular Member
 
Posts: 15
Joined: December 21st, 2008, 11:26 am

Re: Need some help.

Unread postby Shaba » December 29th, 2008, 3:50 pm

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2

  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other unning programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need some help.

Unread postby Badhat » December 29th, 2008, 11:38 pm

It won't let me run gmer for some reason. I click on it, and get an hourglass for about 10 seconds, and nothing.

And I have noticed that when I try to access the McAfee site, it redirects me to Google search. It's like it doesn't want me to fix it. My McAfee is messed up and won't correct.
Badhat
Regular Member
 
Posts: 15
Joined: December 21st, 2008, 11:26 am

Re: Need some help.

Unread postby Shaba » December 30th, 2008, 2:05 am

Please rename gmer.exe to badhat.exe and let me know if it runs now.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need some help.

Unread postby Badhat » December 30th, 2008, 10:07 am

Still won't run. Whatever this is, it's a major pain in the tail end...
Badhat
Regular Member
 
Posts: 15
Joined: December 21st, 2008, 11:26 am

Re: Need some help.

Unread postby Shaba » December 30th, 2008, 10:29 am

Let's try this:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Image


Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need some help.

Unread postby Badhat » December 30th, 2008, 12:13 pm

Here is the log. I hope I can get on here later to check it. I am fixing to leave to go on the road and I have been doing most of this off my home computer instead of my jacked up laptop. I will try and check back tonight.

ComboFix 08-12-29.02 - Bill 2008-12-30 10:03:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.708 [GMT -6:00]
Running from: c:\documents and settings\Bill\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\TDSShrsr.dll
c:\windows\system32\TDSSkkdu.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqn.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSxfum.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-29 13:41 . 2008-12-29 13:41 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-29 13:36 . 2008-12-29 13:50 <DIR> d-------- c:\program files\NOS
2008-12-29 13:36 . 2008-12-29 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-12-20 08:38 . 2008-12-20 08:49 <DIR> d-------- C:\fixwareout
2008-12-11 16:11 . 2008-12-11 16:11 <DIR> d-------- c:\documents and settings\Bill\Application Data\acccore
2008-12-11 16:06 . 2008-12-11 16:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-12-11 16:06 . 2008-12-11 16:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-11 16:05 . 2008-12-11 16:06 <DIR> d-------- c:\program files\AIM6
2008-11-29 18:28 . 2008-11-29 18:28 <DIR> d-------- c:\documents and settings\Bill\Application Data\Viewpoint
2008-11-22 18:16 . 2008-11-22 18:16 <DIR> d-------- c:\program files\iPod
2008-11-22 18:16 . 2008-11-22 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 18:13 . 2008-11-22 18:14 <DIR> d-------- c:\program files\QuickTime
2008-11-11 14:57 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 14:55 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 19:44 --------- d-----w c:\program files\Google
2008-12-29 19:40 --------- d-----w c:\program files\Common Files\Adobe
2008-12-19 12:41 --------- d-----w c:\documents and settings\Bill\Application Data\SiteAdvisor
2008-12-16 14:05 --------- d-----w c:\program files\McAfee
2008-12-15 22:41 --------- d-----w c:\program files\World of Warcraft
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 22:06 --------- d-----w c:\program files\Viewpoint
2008-12-11 22:06 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-11 22:06 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-11 22:05 --------- d-----w c:\program files\Common Files\AOL
2008-11-23 00:17 --------- d-----w c:\program files\iTunes
2008-11-23 00:12 --------- d-----w c:\program files\Common Files\Apple
2008-10-30 02:24 --------- d-----w c:\documents and settings\Bill\Application Data\Acreon
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-22 23:45 520,417 ----a-w c:\program files\WIM-2.3.65.zip
2008-03-14 19:34 3,545,032 ----a-w c:\program files\daemon4121-lite.exe
2007-10-06 10:12 119 ----a-w c:\program files\client.cfg
2007-05-16 04:54 2,083,098 ----a-w c:\program files\Cosmos_Win.zip
2006-09-18 03:36 774,144 ----a-w c:\program files\RngInterstitial.dll
2006-09-01 02:15 6,873,065 ----a-w c:\program files\zmud721.exe
2006-06-26 23:54 2,790,912 ----a-w c:\program files\fpp251.exe
2006-05-20 18:18 1,455,872 ----a-w c:\program files\installspeedfan428.exe
2006-05-20 16:42 37,311,488 ----a-w c:\program files\iTunesSetup.exe
2006-05-20 05:17 397,352 ----a-w c:\program files\msgr75us.exe
2008-09-03 18:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-29 39408]
"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-01-29 9442584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-01-16 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-12-15 839680]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-08 36904]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-05-22 33280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-05-09 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3724:TCP"= 3724:TCP:WOW
"6112:TCP"= 6112:TCP:WOW

R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
S2 FAH@C:+Program Files+FAH502-Console.exe;FAH@C:+Program Files+FAH502-Console.exe;c:\program files\FAH502-Console.exe -svcstart []
S2 Machnm32;Machnm32 Driver;\??\c:\windows\system32\Machnm32.sys []
S3 ATTRcAppSvc;AT&T RcAppSvc;"c:\program files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" [2008-03-06 106496]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-12-11 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-29 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-29 07:53]

2008-07-12 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-29 07:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=na ... US254US255
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex}&startPage={startPage}
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
LSP: bmnet.dll
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\r4polz9r.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 10:08:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@C:+Program Files+FAH502-Console.exe]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmhlt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1064)
c:\windows\system32\bmnet.dll
.
Completion time: 2008-12-30 10:10:44
ComboFix-quarantined-files.txt 2008-12-30 16:09:24

Pre-Run: 19,637,121,024 bytes free
Post-Run: 19,885,072,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

246 --- E O F --- 2008-12-18 21:09:52
Badhat
Regular Member
 
Posts: 15
Joined: December 21st, 2008, 11:26 am

Re: Need some help.

Unread postby Shaba » December 30th, 2008, 12:33 pm

That looks good :)

Please post also a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Need some help.

Unread postby Badhat » December 30th, 2008, 8:41 pm

Here you go...

Logfile of HijackThis v1.99.1
Scan saved at 6:40:49 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - Unknown owner - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc (file missing)
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FAH@C:+Program Files+FAH502-Console.exe - Unknown owner - C:\Program Files\FAH502-Console.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Badhat
Regular Member
 
Posts: 15
Joined: December 21st, 2008, 11:26 am

Re: Need some help.

Unread postby Badhat » December 30th, 2008, 9:26 pm

Also, got Gmer to run somehow...

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-30 19:24:25
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sppw.sys ZwCreateKey [0xF72CA0E0]
SSDT sppw.sys ZwEnumerateKey [0xF72E7CA2]
SSDT sppw.sys ZwEnumerateValueKey [0xF72E8030]
SSDT sppw.sys ZwOpenKey [0xF72CA0C0]
SSDT sppw.sys ZwQueryKey [0xF72E8108]
SSDT sppw.sys ZwQueryValueKey [0xF72E7F88]
SSDT sppw.sys ZwSetValueKey [0xF72E819A]

INT 0x62 ? 86FDBBF8
INT 0x63 ? 86D2FF00
INT 0x73 ? 86D2FF00
INT 0x73 ? 86D2FF00
INT 0x83 ? 86D2FF00
INT 0xB4 ? 86D2FF00

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA1F59AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA1F5958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA1F596C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA1F5A5B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA1F5A87]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA1F59EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA1F5B21]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA1F5930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA1F5944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA1F59BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA1F5AC9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA1F5A71]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA1F5B49]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA1F5B35]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA1F5996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA1F5982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA1F5A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA1F5B0B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA1F5A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA1F59D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP AA1F59D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP AA1F59AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP AA1F59EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP AA1F5A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP AA1F59C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP AA1F5934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP AA1F5948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP AA1F5986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP AA1F5970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP AA1F595C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP AA1F599A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP AA1F5A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BC2 7 Bytes JMP AA1F5B0F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619460 7 Bytes JMP AA1F5ACD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D34 7 Bytes JMP AA1F5A75 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7A2 7 Bytes JMP AA1F5A5F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A972 7 Bytes JMP AA1F5A8B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCCA 5 Bytes JMP AA1F5B39 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3BE 5 Bytes JMP AA1F5B4D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4D8 5 Bytes JMP AA1F5B25 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? sppw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F692B8AC 5 Bytes JMP 86D2F4E0
.text azidq1m6.SYS F685C384 1 Byte [ 20 ]
.text azidq1m6.SYS F685C386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text azidq1m6.SYS F685C3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text azidq1m6.SYS F685C3C4 3 Bytes [ 00, 00, 00 ]
.text azidq1m6.SYS F685C3C9 1 Byte [ 00 ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02230000
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02230F72
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02230F8D
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0223005B
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02230F9E
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02230FD4
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022300A4
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02230093
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02230F37
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022300D0
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02230F26
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02230FB9
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02230025
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02230082
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02230FE5
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02230040
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 022300BF
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02210FB9
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0221004A
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02210FCA
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02210FE5
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0221002F
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02210000
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02210F8D
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 41, 8A ]
.text C:\WINDOWS\Explorer.EXE[472] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02210FA8
.text C:\WINDOWS\Explorer.EXE[472] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02220FEF
.text C:\WINDOWS\Explorer.EXE[472] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02220000
.text C:\WINDOWS\Explorer.EXE[472] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02220FD4
.text C:\WINDOWS\Explorer.EXE[472] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02220FAF
.text C:\WINDOWS\Explorer.EXE[472] WS2_32.dll!socket 71AB4211 5 Bytes JMP 021F0000
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010F0000
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010F0067
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010F0F68
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010F0F79
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010F0F8A
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010F0FA5
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010F0095
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010F0F4D
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010F0F32
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010F00CB
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010F00E6
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 010F002C
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 010F0011
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 010F0078
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 010F0FCA
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 010F0FE5
.text C:\WINDOWS\system32\services.exe[704] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 010F00B0
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 010E0040
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 010E0FAF
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 010E001B
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 010E0000
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 010E006C
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 010E0FE5
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 010E005B
.text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 010E0FCA
.text C:\WINDOWS\system32\services.exe[704] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F69
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F84
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F95
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF005E
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F3D
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F4E
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F00
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F11
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BF00BE
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BF0FB2
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BF0079
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BF0F2C
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BE0F65
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BE0022
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00BE0F80
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ DE, 88 ]
.text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\lsass.exe[716] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F77
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B8006C
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B8005B
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B8004A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FB2
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B8007D
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F35
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B800A2
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F09
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B800B3
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B8002F
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80F5C
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80FC3
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B8001E
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B80F1A
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B70022
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70F91
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70FDB
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B70FAC
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B7004E
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B7003D
.text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F40098
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40087
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40076
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40065
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F4002F
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F6D
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F7E
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F400F5
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40F52
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F40F41
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F40054
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F400A9
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F40FC3
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F400D0
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F30FAF
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F30051
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F30F94
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 031A0FE5
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 031A0F59
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 031A0058
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 031A0047
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 031A0F94
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 031A0025
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 031A0F37
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 031A0F48
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 031A00BF
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 031A0F26
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 031A0F0B
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 031A0036
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 031A0FD4
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 031A0073
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 031A0014
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 031A0FB9
.text C:\WINDOWS\System32\svchost.exe[996] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 031A009A
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 03180FCA
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0318006C
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0318001B
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 03180000
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0318005B
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 03180FE5
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 03180FAF
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 38, 8B ]
.text C:\WINDOWS\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 03180036
.text C:\WINDOWS\System32\svchost.exe[996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02D20FEF
.text C:\WINDOWS\System32\svchost.exe[996] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 0319000A
.text C:\WINDOWS\System32\svchost.exe[996] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03190FE5
.text C:\WINDOWS\System32\svchost.exe[996] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 03190FD4
.text C:\WINDOWS\System32\svchost.exe[996] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03190025
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00770076
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770F81
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00770F92
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0077005B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007700A4
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770093
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00770F30
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007700C9
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00770F15
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00770FB9
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00770F66
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00770040
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0077002F
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00770F41
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0076002F
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00760065
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00760FDE
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0076004A
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00760FA8
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 96, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00760FC3
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740FE5
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx + 2 7C801A63 3 Bytes [ E5, 41, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C2004A
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F7C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20F97
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20FB2
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C200AC
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20091
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20F2B
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200CE
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C20F1A
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C20039
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C20076
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C200BD
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 009B001B
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 009B0051
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 009B0036
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 009B0F9E
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ BB, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 009B0FAF
.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 009C0FCA
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 009C0FB9
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B4008F
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40074
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40F9A
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40FAB
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40032
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B400BB
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B400A0
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40102
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B400F1
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B4011D
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B4004D
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B40F7F
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B40FBC
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B40FCD
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B400CC
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B30040
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B30087
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B3002F
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B30076
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B3000A
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B30065
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B30FD4
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1676] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1676] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72CB040] sppw.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72CB13C] sppw.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72CB0BE] sppw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72CB7FC] sppw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72CB6D2] sppw.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72DAD92] sppw.sys
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\azidq1m6.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86FDA1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbehci \Device\USBPDO-0 86D01500
Device \Driver\usbuhci \Device\USBPDO-1 86D2E1F8
Device \Driver\sptd \Device\1249450602 sppw.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F6B1F8
Device \Driver\dmio \Device\DmControl\DmConfig 86F6B1F8
Device \Driver\dmio \Device\DmControl\DmPnP 86F6B1F8
Device \Driver\dmio \Device\DmControl\DmInfo 86F6B1F8
Device \Driver\usbuhci \Device\USBPDO-2 86D2E1F8
Device \Driver\usbuhci \Device\USBPDO-3 86D2E1F8
Device \Driver\usbuhci \Device\USBPDO-4 86D2E1F8

AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86FDC1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FDC1F8
Device \Driver\Cdrom \Device\CdRom0 86B931F8
Device \Driver\Cdrom \Device\CdRom1 86B931F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 86FDC1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8689B1F8
Device \Driver\NetBT \Device\NetbiosSmb 8689B1F8
Device \Driver\PCI_PNP1852 \Device\0000005a sppw.sys
Device \Driver\PCI_PNP1852 \Device\0000005a sppw.sys

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 86D2E1F8
Device \Driver\usbuhci \Device\USBFDO-1 86D2E1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 868981F8
Device \Driver\usbuhci \Device\USBFDO-2 86D2E1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2092B281-B539-4123-90AE-7A7B3B873C2E} 8689B1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 868981F8
Device \Driver\usbuhci \Device\USBFDO-3 86D2E1F8
Device \Driver\usbehci \Device\USBFDO-4 86D01500
Device \Driver\Ftdisk \Device\FtControl 86FDC1F8
Device \Driver\azidq1m6 \Device\Scsi\azidq1m61 86B8E1F8
Device \Driver\azidq1m6 \Device\Scsi\azidq1m61Port1Path0Target0Lun0 86B8E1F8
Device \FileSystem\Fastfat \Fat 86C97500
Device \FileSystem\Fastfat \Fat A8529297

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 86D951F8
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB5 0x51 0x61 0xD4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF1 0x88 0x52 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x19 0x2A 0xC9 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB5 0x51 0x61 0xD4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF1 0x88 0x52 0x9D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x19 0x2A 0xC9 0xCE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB5 0x51 0x61 0xD4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF1 0x88 0x52 0x9D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x19 0x2A 0xC9 0xCE ...

---- EOF - GMER 1.0.14 ----
Badhat
Regular Member
 
Posts: 15
Joined: December 21st, 2008, 11:26 am

Re: Need some help.

Unread postby Shaba » December 31st, 2008, 6:11 am

GMER log is fine, those are related to Daemon Tools.

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware