Popups from different ip's


Post by MrOreo » August 28th, 2007, 2:39 pm

I have been getting popups from different IP addresses. I have run Ad-Aware, Spybot, Webroot, and the McAfee suite.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:28 AM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\vhulymcj.exe
C:\Documents and Settings\Chris Gray\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\vntdarjc.dll",forkonce
O4 - HKLM\..\RunOnce: [*MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA312] command /c del "C:\WINDOWS\system32\byxyxxv.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4513] cmd /c del "C:\WINDOWS\system32\byxyxxv.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9965] command /c del "C:\WINDOWS\system32\byxyxxv.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1608] cmd /c del "C:\WINDOWS\system32\byxyxxv.dll_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.simnetenterprise.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7712912203
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\vhulymcj.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11779 bytes
MrOreo
Regular Member
 
Posts: 22
Joined: August 28th, 2007, 1:19 pm
Location: California
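What the helper is looking for in a log like the one above comes down to a few recognisable patterns: browser helper objects whose DLL no longer exists, random eight-letter file names sitting in system32 (vntdarjc.dll, vhulymcj.exe), a service registered with no vendor string, and rundll32 being used to load a DLL at logon. The Python script below is an added example, not part of the original thread and not a HijackThis feature; it applies those heuristics to a handful of lines constructed from the log above and drafts the four lists a helper hands back (lines to fix in HJT, services to stop and delete, processes to end, files to remove). The allowlist of system32 binaries and the random-name scoring are assumptions of this example.

```python
"""Triage a HijackThis log for Vundo-style indicators and draft a cleanup plan.

Added example, not part of the original thread. The sample lines are
constructed from the log posted above; the allowlist and the name heuristic
are assumptions of this example, not HijackThis features.
"""
import re

# Constructed sample: benign entries mixed with the suspicious ones from the log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {76B7B17E-30F4-4272-9E5D-027C1DBE05E2} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\vntdarjc.dll",forkonce
O4 - HKLM\..\RunOnce: [*MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\vhulymcj.exe
"""

# Assumed allowlist: binaries that legitimately autostart straight out of system32 on XP.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}
SYS32_RE = re.compile(r"[a-z]:\\windows\\system32\\([a-z0-9_.]+\.(?:exe|dll))", re.I)
VOWELS = set("aeiou")


def looks_random(stem):
    """Heuristic for generated names such as vntdarjc or vhulymcj: lowercase
    letters only, and either very few vowels or a consonant run of four or more."""
    if len(stem) < 5 or not stem.isalpha() or not stem.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def triage(log_text):
    """Return {log line: [reasons]} for every line that deserves a second look."""
    findings = {}
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        reasons = []
        kind = line.split(" - ", 1)[0]
        if kind == "O2" and ("(file missing)" in line or "(no file)" in line):
            reasons.append("BHO registration whose DLL is gone (orphan left by a removal)")
        else:
            if kind == "O23" and re.match(r"O23 - Service: .+? - - ", line):
                reasons.append("service registered without a vendor string")
            for m in SYS32_RE.finditer(line):
                name = m.group(1).lower()
                if name in KNOWN_SYSTEM32:
                    continue
                if looks_random(name.rsplit(".", 1)[0]):
                    reasons.append(f"random-looking file name {name} in system32")
                elif kind == "O4":
                    reasons.append(f"unrecognised {name} autostarting from system32")
                if kind == "O4" and "rundll32" in line.lower() and name.endswith(".dll"):
                    reasons.append("rundll32 used to load a system32 DLL at logon")
        if reasons:
            findings[line] = reasons
    return findings


def remediation_plan(findings):
    """Turn findings into the four lists a helper hands back: HJT lines to fix,
    services to stop and delete, processes to end, files to remove."""
    plan = {"hjt_fix": [], "services": [], "processes": [], "files": []}
    for line in findings:
        kind = line.split(" - ", 1)[0]
        if kind in ("O2", "O4"):
            plan["hjt_fix"].append(line)
        if kind == "O2":
            continue  # an orphaned BHO has nothing on disk to remove
        if kind == "O23":
            display = re.match(r"O23 - Service: (.+?) - ", line).group(1)
            short = re.search(r"\(([^)]+)\)$", display)  # "Display Name (svcname)" form
            plan["services"].append(short.group(1) if short else display)
        for m in SYS32_RE.finditer(line):
            name = m.group(1)
            if name.lower() in KNOWN_SYSTEM32:
                continue
            plan["files"].append(m.group(0))
            if name.lower().endswith(".exe"):
                plan["processes"].append(name)
    return {key: list(dict.fromkeys(items)) for key, items in plan.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for line, reasons in found.items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
    for key, items in remediation_plan(found).items():
        print(f"{key}: {items}")
```

A name test like this has false positives (ctfmon would trip it without the allowlist), so the output is a review list rather than an automatic fix; the thread's own step of checking a flagged file against a multi-engine scanner before deleting it is the right follow-up.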

Post by Bob4 » August 28th, 2007, 7:10 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!

  • All HijackThis logs I ask for should be done in normal mode (not safe mode).
  • These logs should be done last after you have followed my instructions in the previous post.



Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!




_____________________________
Rename HijackThis.exe:
Right-click on HijackThis.exe and choose Rename.
Rename it to noname.



Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.




_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
At the top of the page there is a field for the file path; copy and paste these file paths, one at a time.


C:\WINDOWS\system32\aecache.exe


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html





_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Vundo
  • The report from Jotti's / VirusTotal


Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by MrOreo » August 28th, 2007, 11:16 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:33 PM, on 8/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\vhulymcj.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris Gray\Desktop\noname.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {76B7B17E-30F4-4272-9E5D-027C1DBE05E2} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [*MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.simnetenterprise.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7712912203
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\vhulymcj.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12087 bytes



VundoFix V6.5.7

Checking Java version...

Scan started at 7:58:58 PM 8/28/2007

Listing files found while scanning....

C:\windows\system32\byxyxxv.dll
C:\WINDOWS\system32\cjradtnv.ini
C:\windows\system32\fgbgqexy.ini
C:\WINDOWS\system32\gebyv.dll
C:\windows\system32\itvjvpbs.dll
C:\windows\system32\kesjykvu.dll
C:\windows\system32\phpfseux.dll
C:\windows\system32\sbpvjvti.ini
C:\windows\system32\uvkyjsek.ini
C:\WINDOWS\system32\vntdarjc.dll
C:\WINDOWS\system32\vwvtfebj.dll
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\vybeg.bak2
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\vybeg.tmp
C:\windows\system32\xuesfphp.ini
C:\windows\system32\yxeqgbgf.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxyxxv.dll
C:\windows\system32\byxyxxv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cjradtnv.ini
C:\WINDOWS\system32\cjradtnv.ini Has been deleted!

Attempting to delete C:\windows\system32\fgbgqexy.ini
C:\windows\system32\fgbgqexy.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\gebyv.dll Has been deleted!

Attempting to delete C:\windows\system32\itvjvpbs.dll
C:\windows\system32\itvjvpbs.dll Has been deleted!

Attempting to delete C:\windows\system32\kesjykvu.dll
C:\windows\system32\kesjykvu.dll Has been deleted!

Attempting to delete C:\windows\system32\phpfseux.dll
C:\windows\system32\phpfseux.dll Has been deleted!

Attempting to delete C:\windows\system32\sbpvjvti.ini
C:\windows\system32\sbpvjvti.ini Has been deleted!

Attempting to delete C:\windows\system32\uvkyjsek.ini
C:\windows\system32\uvkyjsek.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vntdarjc.dll
C:\WINDOWS\system32\vntdarjc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vwvtfebj.dll
C:\WINDOWS\system32\vwvtfebj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\vybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vybeg.bak2
C:\WINDOWS\system32\vybeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\vybeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vybeg.tmp
C:\WINDOWS\system32\vybeg.tmp Has been deleted!

Attempting to delete C:\windows\system32\xuesfphp.ini
C:\windows\system32\xuesfphp.ini Has been deleted!

Attempting to delete C:\windows\system32\yxeqgbgf.dll
C:\windows\system32\yxeqgbgf.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxyxxv.dll
C:\windows\system32\byxyxxv.dll Has been deleted!

Performing Repairs to the registry.
Done!



Last file scanned at least one scanner reported something about: infected.rar (MD5: 5356a206c706cdd9b52ed6a38a510303, size: 85652 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/Crypt.FKM.Gen
ArcaVir X
Avast X
AVG Antivirus X
BitDefender Trojan.Obfuscated.HF
ClamAV X
CPsecure Troj.W32.Obfuscated.gp
Dr.Web BackDoor.Bolg
F-Prot Antivirus X
F-Secure Anti-Virus Trojan.Win32.Obfuscated.gp
Fortinet X
Kaspersky Anti-Virus Trojan.Win32.Obfuscated.gp
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 Trojan.Win32.Obfuscated.gp
MrOreo
Regular Member
 
Posts: 22
Joined: August 28th, 2007, 1:19 pm
Location: California

Post by Bob4 » August 29th, 2007, 6:40 am

________________________________
Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper:

Open it, click Options over to the left, then Program Options, and uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked


_______________________________________________


O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {76B7B17E-30F4-4272-9E5D-027C1DBE05E2} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: [*MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - HKCU\..\Run: [MSConfig32] C:\WINDOWS\system32\aecache.exe
O15 - Trusted Zone: *.simnetenterprise.com (HKLM)



________________________________________



Open Notepad, then copy and paste the following text (in bold) into the new Notepad window.
Save it to your Desktop, with the type set to "all files", as fixservice.bat




rem stop the running service, then remove its registration
sc stop DomainService
sc delete DomainService



Save it to your desktop.
Now click the file; you won't see much happen.
Then you may delete the file we just made.

__________________________________



_____________________________
Task Manager
I would like you to open the Task Manager by pressing Ctrl+Shift+Esc (or Ctrl+Alt+Delete) simultaneously,
then go to the Processes tab and end the following, if present,
by right-clicking on it and choosing End Process.

vhulymcj.exe



___________________________________
Reconfigure Windows XP to show hidden files:

Click Start, then My Computer.
Select the Tools menu, then Folder Options. Select the View tab.
Under the "Hidden files and folders" heading, select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
___________________________________
Search for and remove
Now I want you to search for and delete the following files, if present. If you need help finding them:
Click Start / Search / All files and folders / look for "More advanced options". Once in there, select the first 3 boxes.
Please just remove the files/folders I listed in BOLD.


C:\WINDOWS\system32\vhulymcj.exe
C:\WINDOWS\system32\aecache.exe




______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


Now run the program and click on Run Cleaner.
(Do not use the Issues block to clean anything with this program. It is for experts only and it is risky.)


AVG Anti-Spyware:
________________________________________
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).



    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Log in to your usual account.
    • Open up AVG Anti-Malware.

Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
  • Make sure that Set all elements to: shows Quarantine
  • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
  • When the program has finished, it will display the message All actions have been applied.
  • Then click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Reboot in normal mode.

_____________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from AVG antiMalware
  • Let me know whether you found and deleted those files
  • Let me know how things are running now

Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
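
As an added example (written for this page, not code from the thread or from HijackThis itself), the following Python script reads O1/O2/O4 lines in HijackThis v2.0 log format and flags the three things Bob4 picked out above: a hosts-file entry redirecting a hostname, BHO registrations whose DLL is gone, and one executable registered under more than one Run key, including an asterisk-prefixed RunOnce value, which Windows also executes in Safe Mode. The sample lines are a constructed subset modelled on the log posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines in HijackThis v2.0 log format, modelled
# on the log posted in this thread (a hand-picked subset, not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {76B7B17E-30F4-4272-9E5D-027C1DBE05E2} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [*MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSConfig32] C:\WINDOWS\system32\aecache.exe
"""

# Line shapes for the three HJT sections this checker reads.
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def executable_from(cmd):
    """Return the program path of a Run-key command without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted command: keep everything up to the first .exe/.cpl/.dll, else the first token.
    m = re.match(r"(?i)(.*?\.(?:exe|cpl|dll))(?=\s|,|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def analyse(log_text):
    """Return (category, detail) findings for the O1/O2/O4 lines of an HJT log."""
    findings = []
    autostarts = defaultdict(list)  # lower-cased program path -> Run keys that start it
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O1_RE.match(line):
            # Every hosts entry HJT lists points a hostname somewhere other than the
            # default; Bob4 listed the one in this thread for removal.
            findings.append(("hosts-redirect", f"{m['host']} -> {m['ip']}"))
        elif m := O2_RE.match(line):
            # HJT appends "(file missing)" / "(no file)" when the registered DLL is gone:
            # a dangling CLSID registration that should be cleaned up.
            if m["path"] == "(no file)" or m["path"].endswith("(file missing)"):
                findings.append(("orphaned-bho", f"{{{m['clsid']}}}"))
        elif m := O4_RE.match(line):
            where = f"{m['hive']}\\{m['key']}:[{m['name']}]"
            autostarts[executable_from(m["cmd"]).lower()].append(where)
            # A RunOnce value whose name starts with "*" is executed even in Safe Mode.
            if m["key"] == "RunOnce" and m["name"].startswith("*"):
                findings.append(("safe-mode-runonce", where))
    # One program registered under several Run keys deserves a closer look: in this
    # thread aecache.exe sat under both HKLM\RunOnce and HKCU\Run and kept reappearing.
    for exe, places in autostarts.items():
        if len(places) > 1:
            findings.append(("multi-key-autostart", f"{exe} <- {', '.join(places)}"))
    return findings


if __name__ == "__main__":
    for category, detail in analyse(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```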

Unread postby MrOreo » August 29th, 2007, 2:14 pm

I am currently on the AVG step after the CCleaner, but I wanted to let you know that the aecache file keeps coming back after deleting it. The other file did not return, though.
MrOreo
Regular Member
 
Posts: 22
Joined: August 28th, 2007, 1:19 pm
Location: California

Unread postby Bob4 » August 29th, 2007, 3:00 pm

Finish what I have asked. Then post what I have asked and we will find the reason it keeps coming back.
Malware can be sneaky ;)
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby MrOreo » August 29th, 2007, 3:05 pm

Sorry for Double post, but I finished all the parts.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:43 PM, on 8/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Chris Gray\Desktop\noname.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [*MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MSConfig32] C:\WINDOWS\system32\aecache.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7712912203
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11590 bytes


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:57:40 AM 8/29/2007

+ Scan result:



[1444] VM_13140000 -> Backdoor.Bandok.av : Cleaned with backup (quarantined).
[1560] VM_13140000 -> Backdoor.Bandok.av : Cleaned with backup (quarantined).
C:\Documents and Settings\Chris Gray\My Documents\Downloads\ZoneAlarm Anti-Spyware 2007 FULL+ KEY.zip/keygen.exe -> Backdoor.Bifrose.aes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4DA31A9F-DB58-45C3-9AF7-DB91427C3F52}\RP145\A0012451.dll -> Backdoor.Nuclear.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\p1.exe -> Not-A-Virus.PSWTool.Win32.PassView.b : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.45:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ka0fva8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\bps1.exe -> Trojan.Delf.vg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\p2.exe -> Trojan.Delf.vg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\p3.exe -> Trojan.Delf.vg : Cleaned with backup (quarantined).


::Report end

I haven't had any popups yet so that's a plus, but the one aecache file still lurks around the corner.
MrOreo
Regular Member
 
Posts: 22
Joined: August 28th, 2007, 1:19 pm
Location: California

Unread postby Bob4 » August 29th, 2007, 3:16 pm

You have a file some of our experts would like to analyze. Please take a moment of your time to submit this for us.
It will help us and others greatly.

Go to this link.

In the:
Link to topic where this file was requested:

Copy and paste this in

Code:
    http://forum.malwareremoval.com/viewtopic.php?p=210125#210125


In the:
Browse to the file you want to submit:
Copy and paste this in:

C:\WINDOWS\system32\aecache.exe

In the comments box
Place this in.

requested by Grinler

______________

Click send file.
Thank you.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby MrOreo » August 29th, 2007, 3:27 pm

Done, and done. Kinda cool having something you guys want to take a closer look at.
MrOreo
Regular Member
 
Posts: 22
Joined: August 28th, 2007, 1:19 pm
Location: California

Unread postby Bob4 » August 29th, 2007, 3:43 pm

The best of the best are looking at it.

OK, let's see if we can find out what makes this thing tick.

The following are fairly quick scans.


1. Download Combo fix from one of these locations.
http://www.techsupportforum.com/sectool ... mboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply. The log is saved in (c:\comboFix.txt).

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


_________________________________



Download GMER's application from here

or

Here

Save it to your desktop.

Create a new folder in the C: drive called Gmer.

Click on Start, then My Computer, then double-click Local Disk C:

Now right-click anywhere on the open window and choose New, then Folder. Type in GMER and hit the Enter key.

Unzip the GMER zip file by double-clicking on the desktop icon and save it to the GMER folder you just made.

Now navigate to that folder (Gmer)
and double-click the GMER.exe file.

Click the Rootkit tab

Please, do not select the "Show all" checkbox during the scan.

Click the Scan button.

IMPORTANT: Do NOT use the computer while the scan is in progress.


Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

If you're having problems running GMER.exe, try it in Safe Mode.
This tool works in Safe Mode. Other rootkit revealers don't.

______________

Please post the contents of those 2 logs for me.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby MrOreo » August 29th, 2007, 3:58 pm

ComboFix 07-08-30.1 - "Chris Gray" 2007-08-29 12:49:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.491 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\cookies.ini


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-29 12:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 11:15 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-29 11:07 <DIR> d-------- C:\Program Files\CCleaner
2007-08-28 19:58 <DIR> d-------- C:\VundoFix Backups
2007-08-28 14:05 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\Media Player Classic
2007-08-28 10:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-27 21:13 <DIR> d-------- C:\backup
2007-08-27 18:08 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\Apple Computer
2007-08-27 18:06 <DIR> d-------- C:\Program Files\iTunes
2007-08-27 18:06 <DIR> d-------- C:\Program Files\iPod
2007-08-27 18:03 <DIR> d-------- C:\Program Files\QuickTime
2007-08-27 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-27 18:01 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-27 17:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-27 17:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-27 16:53 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\AdobeUM
2007-08-27 16:40 <DIR> d-------- C:\WINDOWS\Cache
2007-08-27 13:07 57,344 --a------ C:\WINDOWS\system32\itmreg.dll
2007-08-27 13:07 548,864 --a------ C:\WINDOWS\system32\Triad2003e.dll
2007-08-27 13:07 <DIR> d-------- C:\Program Files\Triad Interactive
2007-08-27 13:07 <DIR> d-------- C:\Program Files\SimNet 2003 Enterprise
2007-08-26 10:27 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-26 10:27 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-26 10:27 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-08-26 10:27 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-26 10:27 <DIR> d-------- C:\Program Files\Webroot
2007-08-26 10:27 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-26 10:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-26 10:26 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\Webroot
2007-08-25 21:47 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-25 21:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-25 02:00 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-08-25 02:00 <DIR> d-------- C:\Program Files\YVD
2007-08-24 09:08 <DIR> d-------- C:\Program Files\Intelore
2007-08-24 09:02 <DIR> d-------- C:\Program Files\Passware
2007-08-23 14:00 91,136 --a------ C:\WINDOWS\system32\drivers\p4.exe
2007-08-23 14:00 89,088 --a------ C:\WINDOWS\system32\drivers\p5.exe
2007-08-23 14:00 84,480 --a------ C:\WINDOWS\system32\drivers\p6.exe
2007-08-23 10:21 <DIR> d--hs---- C:\Diskeeper
2007-08-23 09:28 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2007-08-23 09:27 <DIR> d-------- C:\Program Files\X64
2007-08-23 09:24 <DIR> d-------- C:\Program Files\X86
2007-08-23 09:20 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-08-23 09:16 <DIR> d-------- C:\Program Files\propremierx86v110686
2007-08-23 09:15 35,085,416 --a------ C:\Program Files\Diskeeper2007-ProPremier.exe
2007-08-23 09:15 31,449,264 --a------ C:\Program Files\Diskeeper2007-Server.exe
2007-08-23 09:15 <DIR> d-------- C:\Program Files\propremierx64v110686
2007-08-23 09:15 <DIR> d-------- C:\Program Files\Disskeeper2007.License
2007-08-23 09:14 52,126,144 --a------ C:\Program Files\Diskeeper2007-Administrator.exe
2007-08-23 09:14 35,536,256 --a------ C:\Program Files\Diskeeper2007-EnterpriseServer.exe
2007-08-23 09:14 35,460,384 --a------ C:\Program Files\Diskeeper2007-Professional.exe
2007-08-23 09:14 14,539,984 --a------ C:\Program Files\Diskeeper2007-Home.exe
2007-08-23 09:02 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-08-23 09:01 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-08-23 09:01 <DIR> d-------- C:\Program Files\GameMinimizer
2007-08-23 09:00 <DIR> d-------- C:\Program Files\Microsoft Works
2007-08-23 08:59 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-08-23 08:59 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-08-23 08:55 <DIR> dr-h----- C:\MSOCache
2007-08-23 08:54 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Xfire
2007-08-23 08:47 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-08-23 08:43 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-23 08:43 32,256 --a------ C:\WINDOWS\system32\aecache.exe
2007-08-23 08:35 <DIR> d-------- C:\Program Files\Siber Systems
2007-08-23 08:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\RoboForm
2007-08-23 08:28 <DIR> d-------- C:\Program Files\The All-Seeing Eye
2007-08-23 08:26 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2007-08-23 08:17 <DIR> d-------- C:\Program Files\VoiceOverlay
2007-08-22 23:47 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\vlc
2007-08-22 23:22 <DIR> d-------- C:\Program Files\VideoLAN
2007-08-21 22:40 <DIR> d-------- C:\Program Files\visual boy
2007-08-21 17:01 594,238 --a--c--- C:\WINDOWS\system32\dllcache\es56hpi.sys
2007-08-21 17:01 594,238 --a------ C:\WINDOWS\system32\drivers\es56hpi.sys
2007-08-21 17:01 49,152 --------- C:\WINDOWS\remvess.exe
2007-08-21 17:01 163,840 --------- C:\WINDOWS\essspk.exe
2007-08-21 17:01 <DIR> d-------- C:\WINDOWS\options
2007-08-21 17:00 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\WinRAR
2007-08-21 16:22 <DIR> d-------- C:\DOCUME~1\CHRISG~1\Contacts
2007-08-21 16:20 <DIR> d-------- C:\Program Files\MSN Messenger
2007-08-21 16:14 <DIR> d-------- C:\Program Files\PCPitstop
2007-08-21 16:11 <DIR> d-------- C:\Program Files\uTorrent
2007-08-21 16:10 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\uTorrent
2007-08-21 13:50 1,458,176 --a------ C:\WINDOWS\system\SmWizard.exe
2007-08-21 13:42 <DIR> d-------- C:\Program Files\C-Media 3D Audio
2007-08-21 13:41 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-08-21 13:39 <DIR> d-------- C:\SOYO
2007-08-21 13:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Xfire
2007-08-21 13:33 <DIR> d---s---- C:\Program Files\Xfire
2007-08-21 13:33 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\Xfire
2007-08-21 13:22 <DIR> d-------- C:\Program Files\Call of Duty
2007-08-21 12:54 <DIR> d-------- C:\DOCUME~1\CHRISG~1\APPLIC~1\ATI
2007-08-21 12:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI
2007-08-21 12:51 <DIR> d-------- C:\Program Files\Steam
2007-08-21 12:50 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-08-21 12:49 <DIR> d-------- C:\Program Files\ATI Technologies
2007-08-21 12:49 <DIR> d-------- C:\ATI
2007-08-21 12:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-21 11:59 <DIR> d-------- C:\Program Files\Download Manager
2007-08-21 11:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\IGN_DLM
2007-08-21 11:43 <DIR> d-------- C:\WINDOWS\system32\Defaults


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-29 11:59 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2007-08-21 10:58 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-08-21 10:51 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-21 10:51 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-27 22:44 45296 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-07-27 20:30 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-07-27 20:30 2371584 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-27 20:12 3067712 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-07-27 20:01 1550208 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-07-27 19:40 450560 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-10-16 14:09 1209 --a------ C:\Program Files\License.dal
2006-10-01 02:24 73728 --a------ C:\Program Files\Autorun.exe
2001-11-22 20:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 10:53]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"Cmaudio"="cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-29 11:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-08-21 12:54]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-08-23 08:35]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 03:29]
"MSConfig32"="C:\WINDOWS\system32\aecache.exe" [2007-08-29 12:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"*MSConfig32"=C:\WINDOWS\system32\aecache.exe

C:\DOCUME~1\CHRISG~1\STARTM~1\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2007-08-23 16:41:12]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R3 LUsbFilt;Logitech SetPoint KMDF USB Filter;C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}]
C:\WINDOWS\system32\aecache.exe

Contents of the 'Scheduled Tasks' folder
2007-08-28 01:01:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-21 17:29:23 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-08-21 17:29:21 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 12:50:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 12:51:47
C:\ComboFix-quarantined-files.txt ... 2007-08-30 12:51

--- E O F ---


GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-30 12:58:26
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!ZwYieldExecution 80509014 7 Bytes JMP A8F385BA \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805793A1 7 Bytes JMP A8F38590 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8057D3C4 5 Bytes JMP A8F3857C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057E2A3 5 Bytes JMP A8F385E6 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E71B 7 Bytes JMP A8F385D0 \SystemRoot\system32\drivers\mfehidk.sys
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F724B62C 5 Bytes JMP 864DE1C8
? System32\Drivers\arcavo9z.SYS The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.
? C:\DOCUME~1\CHRISG~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070F70
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070F81
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070F9C
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070F49
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0007009B
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000700E2
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 000700C7
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00070F2E
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0007008A
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 000700AC
.text C:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00060062
.text C:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[652] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EF0F4B
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EF0040
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EF0F72
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EF002F
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EF0FA8
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EF0089
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EF0078
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EF00C9
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EF0F30
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00EF0F1F
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00EF0F97
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00EF0FCA
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00EF005B
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00EF0FB9
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00EF00A4
.text C:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00EE002C
.text C:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00EE0087
.text C:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00EE0FDB
.text C:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00EE001B
.text C:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00EE006C
.text C:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00EE0051
.text C:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00EE000A
.text C:\WINDOWS\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00EE0FC0
.text C:\WINDOWS\system32\lsass.exe[664] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00840000
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00840F48
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00840F59
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00840F76
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00840F87
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00840022
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00840062
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00840F1A
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00840084
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00840EF5
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00840ED0
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00840033
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00840FDB
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00840F37
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00840011
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00840FC0
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00840073
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0083002F
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0083006F
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00830FDE
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00830FEF
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00830FA8
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00830FC3
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00830040
.text C:\WINDOWS\system32\svchost.exe[840] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00990F8A
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0099007F
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00990FA5
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00990062
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00990FCA
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00990F52
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00990F6D
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00990F0B
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00990F26
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009900B5
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00990051
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00990FE5
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009900A4
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0099002C
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00990011
.text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00990F41
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00980FB9
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0098005B
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00980FD4
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00980FE5
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00980F9E
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00980040
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00980025
.text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00960FEF
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02810000
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0281008E
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0281007D
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02810FA5
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02810058
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0281002C
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02810F74
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 028100B0
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02810103
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 028100F2
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02810F59
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02810047
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02810FE5
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0281009F
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0281001B
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02810FCA
.text C:\WINDOWS\System32\svchost.exe[1008] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 028100D7
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02800014
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02800F5E
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02800FC3
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02800FD4
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02800F83
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02800025
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02800FEF
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02800F9E
.text C:\WINDOWS\System32\svchost.exe[1008] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 027E0000
.text C:\WINDOWS\System32\svchost.exe[1008] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 01DE0000
.text C:\WINDOWS\System32\svchost.exe[1008] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 01DE0011
.text C:\WINDOWS\System32\svchost.exe[1008] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 01DE0FD1
.text C:\WINDOWS\System32\svchost.exe[1008] WININET.dll!InternetOpenUrlW 42C7AB2D 5 Bytes JMP 01DE0FC0
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0090005D
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00900F68
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00900F79
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00900036
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00900025
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00900F1F
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00900F3C
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00900EF0
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00900089
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80ADA0 1 Byte [ E9 ]
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetProcAddress + 2 7C80ADA2 3 Bytes [ 52, 0F, 84 ]
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00900F9E
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00900FD4
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00900F4D
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00900FB9
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00900078
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008F0036
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008F0FA8
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008F0FE5
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008F0025
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008F0FB9
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008F0FD4
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008F005B
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00820000
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00820082
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00820F8D
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00820071
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00820FA8
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0082004A
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00820093
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00820F4B
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008200AE
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00820F15
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00820F04
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00820FC3
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00820FE5
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00820F68
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00820025
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00820FD4
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00820F30
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0081002C
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00810F79
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0081001B
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00810FE5
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00810F8A
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00810FA5
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00810000
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00810FB6
.text C:\WINDOWS\System32\svchost.exe[1088] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00770000
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BD0000
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BD007D
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BD0F88
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BD0F99
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BD0058
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BD0FB6
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BD00DA
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BD00BF
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BD0F52
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BD0F6D
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00BD0F37
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00BD003D
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00BD0FDB
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00BD0098
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00BD0022
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00BD0011
.text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00BD00EB
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00BC002F
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00BC000A
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00BC005B
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00BC004A
.text C:\WINDOWS\System32\svchost.exe[1188] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BA0000
.text C:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00B90000
.text C:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00B90FDB
.text C:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 42C7AB2D 5 Bytes JMP 00B90FAF
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1284] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00650085
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00650F86
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00650F97
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00650FA8
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0065002F
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00650F5A
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006500A2
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006500E9
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006500D8
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 006500FA
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00650F75
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00650FC3
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 006500BD
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0064002C
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0064005B
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00640F94
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00640FAF
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00640FC0
.text C:\WINDOWS\system32\svchost.exe[1528] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00620FEF
.text C:\WINDOWS\System32\svchost.exe[3176] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3176] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A00D0
.text C:\WINDOWS\System32\svchost.exe[3176] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A00B5
.text C:\WINDOWS\System32\svchost.exe[3176] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0098
.te
MrOreo
Regular Member
 
Posts: 22
Joined: August 28th, 2007, 1:19 pm
Location: California
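
A triage helper for the two logs posted above, added here as an editor's example; it is not code from the thread, from ComboFix or from GMER. It parses the ComboFix "Reg Loading Points" section and the GMER "User code sections" lines and surfaces two things a reviewer checks by hand: files that are referenced from more than one autostart location, and Active Setup "Installed Components" keys whose CLSID is not a well-formed GUID (the key shown in the log contains the non-hex letters N, W and L). For the GMER hooks it extracts the JMP target of each 5-byte inline hook and groups processes by the set of APIs hooked in them. The sample lines are copied from the logs above; the ceiling of 0x10000000 for "not a system DLL address" is an assumption based on the kernel32/ADVAPI32/WS2_32 load addresses visible in this log (0x71xx.... to 0x7Cxx....), not a rule GMER applies. The log itself attributes the kernel-mode hooks to mfehidk.sys (McAfee); nothing on the page attributes the user-mode hooks, so the script reports them without naming an owner.

```python
import re
from collections import defaultdict

# Lines copied from the ComboFix "Reg Loading Points" section posted above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Cmaudio"="cmicnfg.cpl" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSConfig32"="C:\WINDOWS\system32\aecache.exe" [2007-08-29 12:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"*MSConfig32"=C:\WINDOWS\system32\aecache.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}]
C:\WINDOWS\system32\aecache.exe
"""

# Lines copied from the GMER "User code sections" posted above.
GMER_SAMPLE = r"""
.text C:\WINDOWS\system32\services.exe[652] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[652] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[664] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80ADA0 1 Byte [ E9 ]
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1284] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
BARE_PATH_RE = re.compile(r'^[A-Za-z]:\\\S.*$')          # e.g. an Active Setup StubPath line
BRACED_RE = re.compile(r'\{([^}]*)\}')
GUID_RE = re.compile(r'^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$')
HOOK_RE = re.compile(
    r'^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+?)!(?P<func>\S+)'
    r'(?:\s*\+\s*[0-9A-Fa-f]+)?\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<rest>.*)$')
JMP_RE = re.compile(r'^JMP\s+([0-9A-Fa-f]{8})')


def _clean_path(data):
    """Strip ComboFix's trailing '[timestamp]' annotation and surrounding quotes."""
    data = re.sub(r'\s*\[[^\]]*\]\s*$', '', data.strip())
    return data.strip().strip('"')


def parse_loading_points(text):
    """Return (registry key, value name, target path) tuples for every loading point."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group('name'), _clean_path(m.group('data'))))
        elif key and BARE_PATH_RE.match(line):
            entries.append((key, '', _clean_path(line)))   # value-less line under a key
    return entries


def multi_location_targets(entries, min_locations=2):
    """Paths referenced from at least min_locations distinct autostart keys."""
    locations = defaultdict(set)
    for key, _name, path in entries:
        locations[path.lower()].add(key.lower())
    return {p: len(k) for p, k in locations.items() if len(k) >= min_locations}


def malformed_active_setup_keys(text):
    """Active Setup 'Installed Components' subkeys whose braces do not hold a valid GUID."""
    bad = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m or 'active setup\\installed components' not in m.group('key').lower():
            continue
        for g in BRACED_RE.findall(m.group('key')):
            if not GUID_RE.match(g):
                bad.append('{' + g + '}')
    return bad


def parse_gmer_hooks(text):
    """One dict per GMER user-mode hook line; 'target' is the JMP destination or None."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        jmp = JMP_RE.match(m.group('rest'))
        hooks.append({
            'process': m.group('proc').rsplit('\\', 1)[-1] + '[' + m.group('pid') + ']',
            'api': m.group('mod') + '!' + m.group('func'),
            'addr': int(m.group('addr'), 16),
            'target': int(jmp.group(1), 16) if jmp else None,
        })
    return hooks


def low_target_hooks(hooks, ceiling=0x10000000):
    """Hooks whose JMP lands below `ceiling` (assumption: below where system DLLs map on this XP box)."""
    return [h for h in hooks if h['target'] is not None and h['target'] < ceiling]


def hook_signatures(hooks):
    """Group processes by the exact set of APIs hooked in them (identical sets suggest one injector)."""
    per_proc = defaultdict(set)
    for h in hooks:
        per_proc[h['process']].add(h['api'])
    groups = defaultdict(list)
    for proc, apis in per_proc.items():
        groups[frozenset(apis)].append(proc)
    return groups


if __name__ == '__main__':
    entries = parse_loading_points(COMBOFIX_SAMPLE)
    print('referenced from several autostart locations:', multi_location_targets(entries))
    print('malformed Active Setup GUIDs:', malformed_active_setup_keys(COMBOFIX_SAMPLE))
    hooks = parse_gmer_hooks(GMER_SAMPLE)
    for h in low_target_hooks(hooks):
        print('%-22s %-28s JMP %08X' % (h['process'], h['api'], h['target']))
    for apis, procs in hook_signatures(hooks).items():
        print(sorted(apis), '->', procs)
```

Run it against the full pasted logs instead of the excerpts to get the complete picture; the grouping by hook signature is what separates a product that instruments every process with the same API list (as the kernel section's mfehidk.sys entries already suggest for McAfee) from a single odd process with a hook nobody else has.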

Post by Bob4 » August 29th, 2007, 4:54 pm

Let me get another list from you.


__________________
Open CCleaner, click on Tools, and highlight Uninstall.

Down on the bottom, click Save to text file. Save it to your desktop and post the contents of that log for me.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by MrOreo » August 29th, 2007, 5:11 pm

Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
AI RoboForm (All Users)
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Anti-Spyware 7.5
C-Media 3D Audio
Call of Duty
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
CCC Help English
ccc-core-preinstall
ccc-core-static
ccc-utility
CCleaner (remove only)
CDDRV_Installer
Counter-Strike: Source
Diskeeper 2007 Pro Premier
Download Manager 2.3.6
EPSON Printer Software
Free Games Offer, Desktop Shortcut
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
iTunes
Java(TM) 6 Update 2
KhalInstallWrapper
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech SetPoint
Logitech® Camera Driver
McAfee SecurityCenter
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MVision
QuickTime
RAR Password Recovery v1.1 RC16 (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
SimNet 2003 Enterprise Edition
Skins
Spy Sweeper
Spybot - Search & Destroy 1.4
Steam
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Ventrilo Client
VideoLAN VLC media player 0.8.6c
ViewSonic Monitor Drivers
ViewSonic Windows XP Signed Files
WebFldrs XP
Windows Communication Foundation
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Xfire (remove only)
Yugioh Virtual Desktop
µTorrent
MrOreo
Regular Member
Posts: 22
Joined: August 28th, 2007, 1:19 pm
Location: California

Unread postby Bob4 » August 29th, 2007, 6:29 pm

______________________________
Make a new folder on your desktop. Call it reg finder.

Download Reg Finder

Extract the files to that folder on the desktop you just created.

Go into that folder and double click RegFinder.vbs.
If any of your software gives you a warning about running this, just allow it. It's safe.
Copy this exactly: aecache.exe
into the text field that appears and hit enter.

Again, some protection software may flag the script...
just let it run.
It will let you know when it's done and a log should pop up. If it doesn't, there will be a file in that same folder called results.txt

Post that for me.
Bob4
MRU Master
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby MrOreo » August 29th, 2007, 6:40 pm

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 8/30/2007 3:41:00 PM
; Search Term(s) Used: "aecache.exe"
; 7 matches were found.
; The search took 26 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}]
"StubPath"="C:\\WINDOWS\\system32\\aecache.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*MSConfig32"="C:\\WINDOWS\\system32\\aecache.exe"

[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\CurrentVersion]
"bnhide"="3016|aecache.exe|MSConfig32|1507|x|"

[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"="C:\\WINDOWS\\system32\\aecache.exe"

[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"a"="C:\\WINDOWS\\system32\\aecache.exe"

[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig32"="C:\\WINDOWS\\system32\\aecache.exe"

[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\aecache.exe"="aecache"
MrOreo
Regular Member
Posts: 22
Joined: August 28th, 2007, 1:19 pm
Location: California
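One way to triage a Reg Finder / Regscan export like the one posted above, as an added example that is not part of this thread and not RegFinder's own code. It parses the .reg-style output, sorts every hit into a launch point (Run, RunOnce, Active Setup StubPath), execution evidence (MUICache, OpenSaveMRU) or a plain reference, and flags two details in this particular log that are easy to overlook: the "*" prefix on the RunOnce value name, which makes Windows run the entry even in Safe Mode, and the Active Setup component id, which contains characters that cannot occur in a real GUID. The sample input is the export from the post reproduced as a string (blank lines dropped); the category names, notes and function names are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample input: the Regscan export posted above, reproduced with its
# blank lines removed (the malformed Active Setup GUID is copied verbatim).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
; Regscan.vbs Version: 1.2 by rand1038
; Search Term(s) Used: "aecache.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}]
"StubPath"="C:\\WINDOWS\\system32\\aecache.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*MSConfig32"="C:\\WINDOWS\\system32\\aecache.exe"
[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\CurrentVersion]
"bnhide"="3016|aecache.exe|MSConfig32|1507|x|"
[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"="C:\\WINDOWS\\system32\\aecache.exe"
[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"a"="C:\\WINDOWS\\system32\\aecache.exe"
[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig32"="C:\\WINDOWS\\system32\\aecache.exe"
[HKEY_USERS\S-1-5-21-1482476501-2147105963-682003330-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\aecache.exe"="aecache"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
Finding = namedtuple("Finding", "key name data category note")

def unescape(s):
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return (key, value name, value data) triples from a .reg-style export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def classify(key, name):
    """Say what a hit means: does the location launch the file (autostart),
    prove it was run (evidence), or merely mention it (reference)?"""
    k = key.lower()
    if k.endswith("\\currentversion\\run"):
        return "autostart", "Run: launched at every logon"
    if k.endswith("\\currentversion\\runonce"):
        note = "RunOnce: launched at the next logon"
        if name.startswith("*"):
            note += "; the '*' prefix makes it run even in Safe Mode"
        return "autostart", note
    if "\\active setup\\installed components\\" in k and name.lower() == "stubpath":
        guid = key.rsplit("\\", 1)[-1]
        note = "Active Setup StubPath: run once per user profile at logon"
        if not GUID_RE.match(guid):
            note += "; component id " + guid + " is not a valid GUID"
        return "autostart", note
    if k.endswith("\\muicache"):
        return "evidence", "MUICache: the shell recorded this program being run"
    if "\\comdlg32\\opensavemru" in k:
        return "evidence", "OpenSaveMRU: the path was used in an Open/Save dialog"
    return "reference", "unclassified value that mentions the search term"

def triage(text):
    return [Finding(k, n, d, *classify(k, n)) for k, n, d in parse_reg_export(text)]

def referenced_paths(findings):
    """Collect the on-disk paths named in value names or data (lower-cased):
    the files to quarantine once the launch points are gone."""
    paths = set()
    for f in findings:
        for field in (f.name, f.data):
            for p in re.findall(r'[A-Za-z]:\\[^"|]+', field):
                paths.add(p.strip().lower())
    return sorted(paths)

if __name__ == "__main__":
    results = triage(SAMPLE_EXPORT)
    for f in results:
        print(f"[{f.category:9}] {f.key}\n            {f.name!r} -> {f.note}")
    print(referenced_paths(results))
```

The script reads an export rather than the live registry, so it runs anywhere; on the infected machine you would feed it the results.txt that RegFinder writes. The point of the split is that the autostart entries are what re-create the process at the next logon: deleting the file alone leaves three launch points behind, and the Active Setup one fires again for every user profile that has not yet recorded that component id.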