Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Spyware Infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Spyware Infection

Unread postby jj72 » July 6th, 2009, 8:45 am

Hello

I have been having problems lately with a spyware infection. Initially Internet Explorer (which I do not use to browse) was launching automatically and directing to sites, and there were also popups to download antivirus software. I eventually did a system restore which stopped the pop ups but my PC's performance has slowed. I use McAfee Anti virus with which I have recently scanned and has found 6 Viruses and Trojans, 4 of which have been repaired/quarantined and 2 which cannot be. These are winlogon.exe and twexe.exe . McAfee however keeps being turned off automatically. I also shit down Macafee and scanned with online Trend Microhousecall yet when I try to enter this site, as well as other virus scans like avast, again my browser claims the page is unavailable.
I have been running Hijack this after downloading it from the link in the Important guidlines thread, yet the programme at first kept crashing at the 04 Registry and Start Menus autoruns so I was unable to complete the scan and post a log.
I would greatly appreciate any help.
Edited: Hijackthis now worked here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33, on 2009-07-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL =

http://www.google.co.uk/ig/dell?hl=en&c ... bd=1061006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 193.125.23.12 updates.sald.com
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-

BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -

c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-

9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-

EABFE594F69C} - C:\Program Files\Java\jre6

\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -

C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media

Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common

Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common

Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program

Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-

PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program

Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6

\bin\jusched.exe"
O4 - HKLM\..\Run: [brastia] C:\WINDOWS\system32\brastia.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows

Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [brastia] C:\WINDOWS\system32\brastia.exe
O4 - HKUS\S-1-5-20\..\Run: [pukosikato] Rundll32.exe

"C:\WINDOWS\system32\jisagade.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

(User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

(User 'Default user')
O4 - Startup: legupd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List -

res://C:\Program Files\Canon\Easy-

WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print -

res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program

Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program

Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-

2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134

-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-

BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan

Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -

C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash

Object) -

http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

- (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program

Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11

\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1

\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. -

c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1

\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee,

Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. -

C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero

BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -

C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32

\YPCSER~1.EXE

--
End of file - 9622 bytes
jj72
Active Member
 
Posts: 14
Joined: July 6th, 2009, 8:19 am
Advertisement
Register to Remove

Re: Spyware Infection

Unread postby Axephilic » July 8th, 2009, 4:12 pm

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to explain or go more into depth for you. :)
  2. Please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within three days after my last instructions this topic will be closed. If you will not be able to reply within three days please tell me so the topic will not be closed.
  6. Please do not run other tools to remove the malware unless I ask you to until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.

Download and Run ComboFix
Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please include:
  1. ComboFix log
  2. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Spyware Infection

Unread postby jj72 » July 9th, 2009, 8:58 am

Hi Adam

EDIT: I am very sorry the site was down and I am going to run ComboFix now, please disregard the rest of my message.
Thnaks for your help so far. I have tried downloading ComboFix from the three links given in the guide and tutorial (from BleepingComputer etc) yet each link gives me a 404 Not Found error. I'm aware that this could be because the site itself is down, but I also know that this could not be the case as this spyware infection has been blocking my links to any online virus scanners such as Kaspersky or House Call. I don't want to search and donwload ComboFix from a source which isn't recommended and trusted my you, and I thought I should let you know exactly what is happening.

Here are my ComboFix and new Hijackthis logs:

ComboFix 09-07-08.07 - Veronica 2009-07-09 14:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.613 [GMT 1:00]
Running from: c:\documents and settings\Veronica\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\sysproc64
c:\documents and settings\LocalService\Application Data\sysproc64\sysproc32.sys
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\sysproc64
c:\documents and settings\NetworkService\Application Data\sysproc64\sysproc32.sys
c:\documents and settings\Veronica\Application Data\wiaserva.log
c:\windows\010112010146118114.dat
c:\windows\kb913800.exe
c:\windows\system32\logon.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe
c:\windows\system32\sysproc64
c:\windows\system32\sysproc64\sysproc32.sys
c:\windows\system32\sysproc64\sysproc86.sys
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 13:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-09 13:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-02 14:35 . 2009-07-02 14:35 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-22 14:54 . 2009-06-22 14:54 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-22 09:58 . 2008-10-16 13:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-22 09:58 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-21 12:31 . 2009-06-21 12:31 -------- d-----w- c:\documents and settings\Veronica\Tracing
2009-06-21 12:26 . 2009-06-21 12:26 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-10 17:00 . 2009-06-10 17:00 152576 ----a-w- c:\documents and settings\Veronica\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 12:01 . 2008-10-28 19:29 169936 ----a-w- c:\documents and settings\Veronica\Application Data\Mozilla\Firefox\Profiles\a30wqp19.default\FlashGot.exe
2009-07-02 19:16 . 2009-04-26 18:54 -------- d-----w- c:\documents and settings\Veronica\Application Data\BSplayer
2009-07-02 14:35 . 2009-01-18 16:51 -------- d-----w- c:\documents and settings\Veronica\Application Data\uTorrent
2009-06-24 17:27 . 2009-05-31 19:22 -------- d-----w- c:\documents and settings\Veronica\Application Data\Spotify
2009-06-23 18:33 . 2009-02-22 13:34 -------- d-----w- c:\documents and settings\Veronica\Application Data\mIRC
2009-06-23 18:12 . 2009-02-22 13:34 -------- d-----w- c:\program files\mIRC
2009-06-22 14:53 . 2006-10-06 15:39 -------- d-----w- c:\program files\Microsoft Works
2009-06-21 12:46 . 2006-10-18 18:43 -------- d-----w- c:\program files\MSN Messenger
2009-06-21 12:30 . 2006-10-15 11:27 49664 ----a-w- c:\documents and settings\Veronica\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 17:01 . 2006-10-06 15:22 -------- d-----w- c:\program files\Java
2009-05-31 19:22 . 2009-05-31 19:22 -------- d-----w- c:\program files\Spotify
2009-05-31 00:32 . 2009-04-26 18:54 -------- d-----w- c:\documents and settings\Veronica\Application Data\BSplayer Pro
2009-05-31 00:32 . 2006-12-05 12:18 -------- d-----w- c:\documents and settings\Veronica\Application Data\Apple Computer
2009-05-31 00:32 . 2006-10-13 20:32 -------- d-----w- c:\documents and settings\Veronica\Application Data\AdobeUM
2009-05-21 10:33 . 2008-11-30 20:40 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-18 14:10 . 2006-10-27 23:41 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-18 14:10 . 2009-05-18 14:10 -------- d-----w- c:\documents and settings\Veronica\Application Data\DAEMON Tools Lite
2009-05-17 14:01 . 2009-05-17 14:00 -------- d-----w- c:\program files\CDisplay
2009-05-07 15:32 . 2005-08-16 03:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 03:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-08-16 03:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2005-08-16 03:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 03:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 19:48 . 2009-04-10 19:48 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2008-02-19 16:52 . 2008-02-19 16:52 8046893 ----a-w- c:\program files\HandBrakeCLI.exe
2007-12-14 17:22 . 2007-12-14 17:22 1872666 ----a-w- c:\program files\cygwin1.dll
2007-11-20 16:18 . 2007-11-20 16:18 2294 ----a-w- c:\program files\changeLog.txt
2006-10-18 18:29 . 2006-10-18 18:28 5133648 ----a-w- c:\program files\Firefox Setup 1.5.0.7.exe
2006-10-15 12:05 . 2006-10-15 12:05 56 --sh--r- c:\windows\system32\6363585067.sys
2006-10-15 12:02 . 2006-10-15 11:26 88 --sh--r- c:\windows\system32\6750586363.sys
2006-10-15 12:05 . 2006-10-14 18:00 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-15 185896]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-01-12 13696]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-01-12 13568]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\Aspi32.sys [2008-08-04 16512]
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-14 09:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-14 09:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-brastia - c:\windows\system32\brastia.exe
HKLM-Run-brastia - c:\windows\system32\brastia.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://bt.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Veronica\Application Data\Mozilla\Firefox\Profiles\a30wqp19.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 14:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-09 14:19
ComboFix-quarantined-files.txt 2009-07-09 13:18

Pre-Run: 2,532,671,488 bytes free
Post-Run: 2,658,766,848 bytes free

202 --- E O F --- 2009-06-28 18:15


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:25, on 2009-07-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&c ... bd=1061006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 193.125.23.12 updates.sald.com
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8731 bytes
jj72
Active Member
 
Posts: 14
Joined: July 6th, 2009, 8:19 am

Re: Spyware Infection

Unread postby Axephilic » July 10th, 2009, 3:24 am

Hi there,

Make an Uninstall List

Next, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

  1. Start HijackThis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the Open Uninstall Manager button.

Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply. Please also include a new HijackThis log.

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Spyware Infection

Unread postby jj72 » July 10th, 2009, 8:25 am

Hi here is my Uninstall list and and the new hijack this log:

21CN VGO
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Apple Mobile Device Support
Apple Software Update
ARTEuro
Bonjour
BS.Player FREE
BT Yahoo! Applications
Canon iP4300
Canon iP4300 User Registration
Canon Setup Utility 2.3
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CDisplay 1.8
CD-LabelPrint
Core FTP LE 2.0
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell Driver Reset Tool
Dell Network Assistant
Dell Support 3.2
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Easy-WebPrint
GemMaster Mystic
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iTunes
Java(TM) 6 Update 14
McAfee SecurityCenter
MCU

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:23, on 2009-07-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&c ... bd=1061006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 193.125.23.12 updates.sald.com
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8970 bytes
jj72
Active Member
 
Posts: 14
Joined: July 6th, 2009, 8:19 am

Re: Spyware Infection

Unread postby Axephilic » July 10th, 2009, 12:59 pm

The uninstall list is cut off, please post the full uninstall list. ;)
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Spyware Infection

Unread postby jj72 » July 10th, 2009, 1:36 pm

Hi, I am very sorry about that. Since running combo fix my PC has been running much more smoothly. However, the virus sites are still blocked and this morning the computer did crash again as it had been doing numerous times before running combo fix (computer would freeze, become unresposive and make a beeping noise). I thought I had better mention this as I hadn't stated this in my previous posts.
Here is my full uninstall list:

21CN VGO
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Apple Mobile Device Support
Apple Software Update
ARTEuro
Bonjour
BS.Player FREE
BT Yahoo! Applications
Canon iP4300
Canon iP4300 User Registration
Canon Setup Utility 2.3
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CDisplay 1.8
CD-LabelPrint
Core FTP LE 2.0
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell Driver Reset Tool
Dell Network Assistant
Dell Support 3.2
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Easy-WebPrint
GemMaster Mystic
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iTunes
Java(TM) 6 Update 14
McAfee SecurityCenter
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mIRC
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 7
Otto
Profile
QuickTime
RealPlayer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SearchAssist
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
SopCast 2.0.4
Spotify
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Veetle TV 0.9.14
VideoLAN VLC media player 0.8.6b
Winamp
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
WinZip
Xvid 1.1.3 final uninstall
jj72
Active Member
 
Posts: 14
Joined: July 6th, 2009, 8:19 am

Re: Spyware Infection

Unread postby Axephilic » July 10th, 2009, 2:30 pm

Hello,

HostsXpert
Please download HostsXpert from Funkytoad and save it to your desktop.

  1. Right click on HostsXpert.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Once extracted, HostsXpert folder will open.
  6. Double click on HostsXpert.exe to start it.
  7. On your left hand side, click on Restore MS Hosts File (see screenshot below, boxed up in red).

    Image
  8. Exit HostsXpert.

Run GMER
Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Select the Rootkit tab.
  8. On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  9. Select all drives that are connected to your system to be scanned.
  10. Click on the Scan button.
  11. When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  12. Open Notepad or a similar text editor.
  13. Paste the clipboard contents into the text editor.
  14. Save the Gmer scan log and post it in your next reply.
  15. Close Gmer.
  16. Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  17. In Command Prompt, type in net stop gmer. Press Enter.
  18. Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please include:
  1. GMER log
  2. Kaspersky report
  3. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Spyware Infection

Unread postby jj72 » July 10th, 2009, 6:23 pm

Hello Adam,
All of those went well except when typing net stop gmer into command prompt I revieved the message - the specific service does not exist as an installed service. Here are the GMER log, Kaspersky report and the new Hijackthis log (I have had to split them to keep each post within the characters limit):
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-10 21:21:20
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spfp.sys ZwCreateKey [0xF72BD0E0]
SSDT spfp.sys ZwEnumerateKey [0xF72DBCA4]
SSDT spfp.sys ZwEnumerateValueKey [0xF72DC032]
SSDT spfp.sys ZwOpenKey [0xF72BD0C0]
SSDT spfp.sys ZwQueryKey [0xF72DC10A]
SSDT spfp.sys ZwQueryValueKey [0xF72DBF8A]
SSDT spfp.sys ZwSetValueKey [0xF72DC19C]

INT 0x62 ? 86DD8BF8
INT 0x63 ? 86DD8BF8
INT 0x63 ? 86DD8BF8
INT 0x63 ? 86DD8BF8
INT 0x84 ? 86C1BBF8
INT 0x94 ? 86C1BBF8
INT 0xA4 ? 86C1BBF8
INT 0xB4 ? 86C1BBF8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9C774EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9C77498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA9C774AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9C7752A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9C77470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9C77484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9C774FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA9C774D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA9C774C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9C77559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9C77540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9C77514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A9C77518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A9C774EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A9C7752E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A9C77544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A9C77502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP A9C77474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP A9C77488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP A9C774C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP A9C774B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP A9C7749C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP A9C774DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP A9C7755D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spfp.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F67888AC 5 Bytes JMP 86C1B1D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[180] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00E72B80
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[180] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00E72B3D
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[180] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00E72B01
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[180] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E72AE6
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[180] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E72972
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[180] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E72A64
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[180] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E729AA
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[180] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E729E2
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[256] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00FE2B80
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[256] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00FE2B3D
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[256] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00FE2B01
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FE2AE6
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FE2972
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[256] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FE2A64
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[256] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FE29AA
.text C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe[256] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FE29E2
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[320] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01132B80
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[320] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01132B3D
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[320] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01132B01
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[320] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01132AE6
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01132972
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[320] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01132A64
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[320] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011329AA
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[320] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011329E2
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[400] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 018B2B80
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[400] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 018B2B3D
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[400] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 018B2B01
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[400] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 018B2AE6
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[400] WS2_32.dll!send 71AB4C27 5 Bytes JMP 018B2972
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[400] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 018B2A64
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[400] WS2_32.dll!recv 71AB676F 5 Bytes JMP 018B29AA
.text C:\PROGRA~1\Yahoo!\browser\ycommon.exe[400] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018B29E2
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01E00FEF
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01E00093
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01E00078
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01E00F9E
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01E00FAF
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01E0005B
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01E000CB
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01E000AE
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01E00F4D
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01E00F68
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01E00101
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01E00FCA
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01E00014
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01E00F83
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01E00040
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01E00025
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01E000E6
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01CA002F
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01CA005B
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01CA0FDE
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01CA0014
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01CA004A
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01CA0FEF
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01CA0FA8
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP 50C03389
.text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01CA0FC3
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01C90047
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!system 77C293C7 5 Bytes JMP 01C90036
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01C90FC6
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01C90000
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01C90025
.text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01C90FE3
.text C:\WINDOWS\system32\services.exe[724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01C8000A
.text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01CB0000
.text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01CB0FE5
.text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01CB001B
.text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01CB0FCA
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F5009A
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50089
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50FAF
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50062
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50040
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50F94
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F500DC
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F50F4D
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50F68
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F50F3C
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50051
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F500B5
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50025
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50F79
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F40FDB
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F4006C
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F4002C
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F4005B
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F40FB9
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [14, 89] {ADC AL, 0x89}
.text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F40FCA
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F3004C
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F30FB7
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30FD2
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F30027
.text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F30FE3
.text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF000A
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[792] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 015A2B80
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[792] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 015A2B3D
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[792] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 015A2B01
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[792] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 015A2AE6
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015A2972
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[792] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015A2A64
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[792] WS2_32.dll!recv 71AB676F 5 Bytes JMP 015A29AA
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[792] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 015A29E2
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02690FE5
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02690064
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02690F6F
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02690053
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02690F8A
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02690036
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026900A6
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02690095
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026900D9
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 026900C8
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02690F25
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02690FA5
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02690FD4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02690F5E
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02690025
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0269000A
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026900B7
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02670FD4
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02670F9E
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02670FEF
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02670025
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0267005B
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0267000A
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02670FC3
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [87, 8A]
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02670040
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02660055
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 02660FD4
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02660044
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02660000
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02660FEF
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02660029
.text C:\WINDOWS\system32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02650000
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 02680000
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 0268001B
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 0268002C
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 02680FDB
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1052] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01482B80
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1052] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01482B3D
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1052] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01482B01
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1052] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01482AE6
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1052] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01482972
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1052] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01482A64
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1052] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014829AA
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1052] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 014829E2
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0105000A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01050F66
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0105005B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01050F8D
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01050FA8
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0105004A
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0105009B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01050080
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01050F13
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010500AC
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010500C7
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01050FC3
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0105001B
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01050F55
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01050FDE
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01050F38
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01030025
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01030F8A
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0103000A
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01030FD4
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01030047
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01030FEF
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01030FA5
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [23, 89]
.text C:\WINDOWS\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01030036
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0102002F
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!system 77C293C7 5 Bytes JMP 01020FA4
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01020FB5
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01020014
.text C:\WINDOWS\system32\svchost.exe[1072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01020FC6
.text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0101000A
.text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01040FEF
.text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01040000
.text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01040FC0
.text C:\WINDOWS\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01040FAF
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05BB0000
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05BB0F9E
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05BB0089
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05BB0FAF
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05BB0FC0
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05BB0047
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05BB00BF
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05BB0F83
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05BB00D0
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05BB0F41
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05BB00E1
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05BB0058
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05BB0011
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05BB00AE
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05BB0FD1
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05BB002C
.text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05BB0F5C
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 3 Bytes JMP 0569001B
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW + 4 77DD6AB3 1 Byte [8D]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 3 Bytes JMP 05690F8D
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW + 4 77DD7770 1 Byte [8D]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 3 Bytes JMP 05690FD4
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA + 4 77DD7856 1 Byte [8D]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 3 Bytes JMP 05690FE5
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW + 4 77DD794A 1 Byte [8D]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 3 Bytes JMP 05690F9E
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA + 4 77DDE9F8 1 Byte [8D]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 3 Bytes JMP 0569000A
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA + 4 77DDEFCC 1 Byte [8D]
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 05690040
.text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05690FB9
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 052C0027
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 052C0FA6
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 052C0FD2
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 052C0000
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 052C0FB7
.text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 052C0FE3
.text C:\WINDOWS\System32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 052B0000
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 056A0000
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 056A0011
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 056A0022
.text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 056A0FD1
.text C:\Program Files\iTunes\iTunesHelper.exe[1264] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00BE2B80
.text C:\Program Files\iTunes\iTunesHelper.exe[1264] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00BE2B3D
.text C:\Program Files\iTunes\iTunesHelper.exe[1264] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00BE2B01
.text C:\Program Files\iTunes\iTunesHelper.exe[1264] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BE2AE6
.text C:\Program Files\iTunes\iTunesHelper.exe[1264] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BE2972
.text C:\Program Files\iTunes\iTunesHelper.exe[1264] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BE2A64
.text C:\Program Files\iTunes\iTunesHelper.exe[1264] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BE29AA
.text C:\Program Files\iTunes\iTunesHelper.exe[1264] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BE29E2
.text C:\Program Files\Java\jre6\bin\jusched.exe[1320] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00C32B80
.text C:\Program Files\Java\jre6\bin\jusched.exe[1320] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00C32B3D
.text C:\Program Files\Java\jre6\bin\jusched.exe[1320] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00C32B01
.text C:\Program Files\Java\jre6\bin\jusched.exe[1320] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C32AE6
.text C:\Program Files\Java\jre6\bin\jusched.exe[1320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C32972
.text C:\Program Files\Java\jre6\bin\jusched.exe[1320] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C32A64
.text C:\Program Files\Java\jre6\bin\jusched.exe[1320] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C329AA
.text C:\Program Files\Java\jre6\bin\jusched.exe[1320] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C329E2
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10081
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10F8C
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10070
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A1005F
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A1003D
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F5B
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A100A3
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10F14
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A10F2F
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10F03
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A1004E
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10092
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A1002C
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A1001B
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10F40
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00FBC
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00054
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00FCD
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00043
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A00FA1
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C0, 88]
.text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00028
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0FAD
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0FBE
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F001D
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0FE3
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F002E
.text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F000C
.text C:\WINDOWS\system32\svchost.exe[1348] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FEF
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1500] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01262B80
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1500] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01262B3D
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1500] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01262B01
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1500] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01262AE6
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1500] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01262972
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1500] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01262A64
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1500] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012629AA
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1500] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012629E2
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1604] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02622AE6
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1604] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02622972
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1604] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02622A64
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1604] WS2_32.dll!recv 71AB676F 5 Bytes JMP 026229AA
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1604] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 026229E2
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1604] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02622B80
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1604] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02622B3D
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1604] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02622B01
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02850FE5
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02850084
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02850F8F
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02850069
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02850FAC
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0285003D
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 028500C1
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 028500B0
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02850F43
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 028500E6
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02850F28
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0285004E
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02850000
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0285009F
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0285002C
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02850011
.text C:\WINDOWS\Explorer.EXE[1740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02850F68
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02770036
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02770FA5
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02770025
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02770FEF
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02770062
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02770000
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01842B80
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01842B3D
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01842B01
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02770051
.text C:\WINDOWS\Explorer.EXE[1740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02770FCA
.text C:\WINDOWS\Explorer.EXE[1740] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02750F9E
.text C:\WINDOWS\Explorer.EXE[1740] msvcrt.dll!system 77C293C7 5 Bytes JMP 02750029
.text C:\WINDOWS\Explorer.EXE[1740] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02750018
.text C:\WINDOWS\Explorer.EXE[1740] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02750FEF
.text C:\WINDOWS\Explorer.EXE[1740] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02750FC3
.text C:\WINDOWS\Explorer.EXE[1740] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02750FDE
.text C:\WINDOWS\Explorer.EXE[1740] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 0284000A
.text C:\WINDOWS\Explorer.EXE[1740] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 02840FEF
.text C:\WINDOWS\Explorer.EXE[1740] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 02840025
.text C:\WINDOWS\Explorer.EXE[1740] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 02840FDE
.text C:\WINDOWS\Explorer.EXE[1740] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01842AE6
.text C:\WINDOWS\Explorer.EXE[1740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 017F0FEF
.text C:\WINDOWS\Explorer.EXE[1740] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01842972
.text C:\WINDOWS\Explorer.EXE[1740] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01842A64
.text C:\WINDOWS\Explorer.EXE[1740] WS2_32.dll!recv 71AB676F 5 Bytes JMP 018429AA
.text C:\WINDOWS\Explorer.EXE[1740] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018429E2
.text C:\WINDOWS\eHome\ehmsas.exe[1852] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00CD2B80
.text C:\WINDOWS\eHome\ehmsas.exe[1852] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00CD2B3D
.text C:\WINDOWS\eHome\ehmsas.exe[1852] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00CD2B01
.text C:\WINDOWS\eHome\ehmsas.exe[1852] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CD2AE6
.text C:\WINDOWS\eHome\ehmsas.exe[1852] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CD2972
.text C:\WINDOWS\eHome\ehmsas.exe[1852] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CD2A64
.text C:\WINDOWS\eHome\ehmsas.exe[1852] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CD29AA
.text C:\WINDOWS\eHome\ehmsas.exe[1852] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CD29E2
.text C:\WINDOWS\ehome\ehtray.exe[1980] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 012E2B80
.text C:\WINDOWS\ehome\ehtray.exe[1980] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 012E2B3D
.text C:\WINDOWS\ehome\ehtray.exe[1980] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 012E2B01
.text C:\WINDOWS\ehome\ehtray.exe[1980] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012E2AE6
.text C:\WINDOWS\ehome\ehtray.exe[1980] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012E2972
.text C:\WINDOWS\ehome\ehtray.exe[1980] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012E2A64
.text C:\WINDOWS\ehome\ehtray.exe[1980] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012E29AA
.text C:\WINDOWS\ehome\ehtray.exe[1980] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012E29E2
.text C:\WINDOWS\system32\hkcmd.exe[2000] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00DA2B80
.text C:\WINDOWS\system32\hkcmd.exe[2000] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00DA2B3D
.text C:\WINDOWS\system32\hkcmd.exe[2000] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00DA2B01
.text C:\WINDOWS\system32\hkcmd.exe[2000] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DA2AE6
.text C:\WINDOWS\system32\hkcmd.exe[2000] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DA2972
.text C:\WINDOWS\system32\hkcmd.exe[2000] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DA2A64
.text C:\WINDOWS\system32\hkcmd.exe[2000] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DA29AA
.text C:\WINDOWS\system32\hkcmd.exe[2000] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DA29E2
.text C:\WINDOWS\system32\igfxpers.exe[2012] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00D92B80
.text C:\WINDOWS\system32\igfxpers.exe[2012] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00D92B3D
.text C:\WINDOWS\system32\igfxpers.exe[2012] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00D92B01
.text C:\WINDOWS\system32\igfxpers.exe[2012] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D92AE6
.text C:\WINDOWS\system32\igfxpers.exe[2012] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D92972
.text C:\WINDOWS\system32\igfxpers.exe[2012] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D92A64
.text C:\WINDOWS\system32\igfxpers.exe[2012] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D929AA
.text C:\WINDOWS\system32\igfxpers.exe[2012] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D929E2
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2036] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 010B2B80
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2036] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 010B2B3D
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2036] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 010B2B01
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2036] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010B2AE6
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2036] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010B2972
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2036] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010B2A64
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2036] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010B29AA
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2036] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010B29E2
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C50036
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C50F4B
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C50F68
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C50F83
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C5001B
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C50F15
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C5005D
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C50ECE
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C50EE9
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C50EBD
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C50F94
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C50FCA
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C50F30
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[2056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C50EFA
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C3002F
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F86
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30F97
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30FB2
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\system32\svchost.exe[2056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C2005D
.text C:\WINDOWS\system32\svchost.exe[2056] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20042
.text C:\WINDOWS\system32\svchost.exe[2056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FD2
.text C:\WINDOWS\system32\svchost.exe[2056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C2000C
.text C:\WINDOWS\system32\svchost.exe[2056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20027
.text C:\WINDOWS\system32\svchost.exe[2056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[2056] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[2056] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00C40011
.text C:\WINDOWS\system32\svchost.exe[2056] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00C40022
.text C:\WINDOWS\system32\svchost.exe[2056] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00C40033
.text C:\WINDOWS\system32\svchost.exe[2056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C1000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C12AE6
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C12972
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C12A64
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C129AA
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C129E2
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00C12B80
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00C12B3D
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00C12B01
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A002F
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F3A
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F4B
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F68
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F94
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F0C
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F29
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0ECF
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0EE0
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EB4
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F79
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A004A
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\System32\svchost.exe[2132] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0EFB
.text C:\WINDOWS\System32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FCA
.text C:\WINDOWS\System32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029007D
.text C:\WINDOWS\System32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029001B
.text C:\WINDOWS\System32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029000A
.text C:\WINDOWS\System32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029006C
.text C:\WINDOWS\System32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\System32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290051
.text C:\WINDOWS\System32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290036
.text C:\WINDOWS\System32\svchost.exe[2132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0FB7
.text C:\WINDOWS\System32\svchost.exe[2132] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FC8
.text C:\WINDOWS\System32\svchost.exe[2132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E002E
.text C:\WINDOWS\System32\svchost.exe[2132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[2132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FD9
.text C:\WINDOWS\System32\svchost.exe[2132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E001D
.text C:\WINDOWS\System32\svchost.exe[2132] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[2132] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 01010FE5
.text C:\WINDOWS\System32\svchost.exe[2132] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 01010000
.text C:\WINDOWS\System32\svchost.exe[2132] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 01010FCA
.text C:\WINDOWS\System32\svchost.exe[2132] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 01010FAF
.text C:\WINDOWS\eHome\ehRecvr.exe[2156] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00D02B80
.text C:\WINDOWS\eHome\ehRecvr.exe[2156] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00D02B3D
.text C:\WINDOWS\eHome\ehRecvr.exe[2156] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00D02B01
.text C:\WINDOWS\eHome\ehRecvr.exe[2156] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D02AE6
.text C:\WINDOWS\eHome\ehRecvr.exe[2156] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D02972
.text C:\WINDOWS\eHome\ehRecvr.exe[2156] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D02A64
.text C:\WINDOWS\eHome\ehRecvr.exe[2156] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D029AA
.text C:\WINDOWS\eHome\ehRecvr.exe[2156] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D029E2
.text C:\WINDOWS\eHome\ehSched.exe[2168] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00AC2B80
.text C:\WINDOWS\eHome\ehSched.exe[2168] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00AC2B3D
.text C:\WINDOWS\eHome\ehSched.exe[2168] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00AC2B01
.text C:\WINDOWS\eHome\ehSched.exe[2168] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AC2AE6
.text C:\WINDOWS\eHome\ehSched.exe[2168] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AC2972
.text C:\WINDOWS\eHome\ehSched.exe[2168] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AC2A64
.text C:\WINDOWS\eHome\ehSched.exe[2168] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00AC29AA
.text C:\WINDOWS\eHome\ehSched.exe[2168] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00AC29E2
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2396] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00B32B80
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2396] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00B32B3D
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2396] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00B32B01
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2396] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B32AE6
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2396] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B32972
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2396] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B32A64
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2396] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B329AA
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2396] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B329E2
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2600] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01152B80
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2600] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01152B3D
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2600] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01152B01
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2600] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01152AE6
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2600] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01152972
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2600] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01152A64
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2600] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011529AA
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2600] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011529E2
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01912AE6
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01912972
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01912A64
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019129AA
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 019129E2
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01912B80
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01912B3D
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2684] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01912B01
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2704] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01522AE6
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2704] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01522972
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2704] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01522A64
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2704] WS2_32.dll!recv 71AB676F 5 Bytes JMP 015229AA
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2704] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 015229E2
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2704] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01522B80
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2704] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01522B3D
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2704] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01522B01
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2756] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 023C2B80
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2756] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 023C2B3D
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2756] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 023C2B01
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2756] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 023C2AE6
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2756] WS2_32.dll!send 71AB4C27 5 Bytes JMP 023C2972
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2756] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 023C2A64
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2756] WS2_32.dll!recv 71AB676F 5 Bytes JMP 023C29AA
.text C:\Program Files\McAfee\MSK\MskSrver.exe[2756] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 023C29E2
.text C:\Program Files\iPod\bin\iPodService.exe[2816] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00BD2B80
.text C:\Program Files\iPod\bin\iPodService.exe[2816] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00BD2B3D
.text C:\Program Files\iPod\bin\iPodService.exe[2816] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00BD2B01
.text C:\Program Files\iPod\bin\iPodService.exe[2816] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BD2AE6
.text C:\Program Files\iPod\bin\iPodService.exe[2816] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BD2972
.text C:\Program Files\iPod\bin\iPodService.exe[2816] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BD2A64
.text C:\Program Files\iPod\bin\iPodService.exe[2816] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BD29AA
.text C:\Program Files\iPod\bin\iPodService.exe[2816] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BD29E2
jj72
Active Member
 
Posts: 14
Joined: July 6th, 2009, 8:19 am

Re: Spyware Infection

Unread postby jj72 » July 10th, 2009, 6:25 pm

.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E00FE5
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E00087
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E0006C
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E00F9E
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E0005B
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E0002F
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E000A9
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E00098
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E00F3F
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E00F50
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E00F2E
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E0004A
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E00FD4
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E00F6D
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E00FC3
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E0000A
.text C:\WINDOWS\system32\svchost.exe[2948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E000C4
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DE002C
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DE0087
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DE0011
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DE0FE5
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DE0FC0
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DE0062
.text C:\WINDOWS\system32\svchost.exe[2948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DE0047
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD0042
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD0031
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD0FC8
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD0FB7
.text C:\WINDOWS\system32\svchost.exe[2948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD000C
.text C:\WINDOWS\system32\svchost.exe[2948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC000A
.text C:\WINDOWS\system32\svchost.exe[2948] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[2948] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00DF001B
.text C:\WINDOWS\system32\svchost.exe[2948] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00DF0FE5
.text C:\WINDOWS\system32\svchost.exe[2948] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00DF002C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2980] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 011B2B80
.text C:\Program Files\Mozilla Firefox\firefox.exe[2980] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 011B2B3D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2980] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 011B2B01
.text C:\Program Files\Mozilla Firefox\firefox.exe[2980] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011B2AE6
.text C:\Program Files\Mozilla Firefox\firefox.exe[2980] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011B2972
.text C:\Program Files\Mozilla Firefox\firefox.exe[2980] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011B2A64
.text C:\Program Files\Mozilla Firefox\firefox.exe[2980] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011B29AA
.text C:\Program Files\Mozilla Firefox\firefox.exe[2980] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011B29E2
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0089
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F94
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FB6
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FD1
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F6F
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F43
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00D2
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00F7
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0058
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A001B
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A009A
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A003D
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A002C
.text C:\WINDOWS\system32\dllhost.exe[3192] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00C1
.text C:\WINDOWS\system32\dllhost.exe[3192] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290066
.text C:\WINDOWS\system32\dllhost.exe[3192] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290055
.text C:\WINDOWS\system32\dllhost.exe[3192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\dllhost.exe[3192] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0029000C
.text C:\WINDOWS\system32\dllhost.exe[3192] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290044
.text C:\WINDOWS\system32\dllhost.exe[3192] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290029
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0FAF
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00EB2B80
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00EB2B3D
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00EB2B01
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0062
.text C:\WINDOWS\system32\dllhost.exe[3192] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0051
.text C:\WINDOWS\system32\dllhost.exe[3192] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EB2AE6
.text C:\WINDOWS\system32\dllhost.exe[3192] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\dllhost.exe[3192] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EB2972
.text C:\WINDOWS\system32\dllhost.exe[3192] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EB2A64
.text C:\WINDOWS\system32\dllhost.exe[3192] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EB29AA
.text C:\WINDOWS\system32\dllhost.exe[3192] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EB29E2
.text C:\WINDOWS\system32\dllhost.exe[3192] WININET.dll!InternetOpenA 7806C879 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\dllhost.exe[3192] WININET.dll!InternetOpenW 7806CEA9 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\dllhost.exe[3192] WININET.dll!InternetOpenUrlA 78070BD2 5 Bytes JMP 00ED0FD4
.text C:\WINDOWS\system32\dllhost.exe[3192] WININET.dll!InternetOpenUrlW 780BB079 5 Bytes JMP 00ED0025
.text C:\WINDOWS\ehome\mcrdsvc.exe[3312] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00C82B80
.text C:\WINDOWS\ehome\mcrdsvc.exe[3312] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00C82B3D
.text C:\WINDOWS\ehome\mcrdsvc.exe[3312] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00C82B01
.text C:\WINDOWS\ehome\mcrdsvc.exe[3312] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C82AE6
.text C:\WINDOWS\ehome\mcrdsvc.exe[3312] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C82972
.text C:\WINDOWS\ehome\mcrdsvc.exe[3312] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C82A64
.text C:\WINDOWS\ehome\mcrdsvc.exe[3312] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C829AA
.text C:\WINDOWS\ehome\mcrdsvc.exe[3312] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C829E2
.text C:\WINDOWS\System32\alg.exe[3712] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00B72B80
.text C:\WINDOWS\System32\alg.exe[3712] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00B72B3D
.text C:\WINDOWS\System32\alg.exe[3712] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00B72B01
.text C:\WINDOWS\System32\alg.exe[3712] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B72AE6
.text C:\WINDOWS\System32\alg.exe[3712] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B72972
.text C:\WINDOWS\System32\alg.exe[3712] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B72A64
.text C:\WINDOWS\System32\alg.exe[3712] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B729AA
.text C:\WINDOWS\System32\alg.exe[3712] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B729E2

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72BE042] spfp.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72BE13E] spfp.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72BE0C0] spfp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72BE800] spfp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72BE6D6] spfp.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86DD71F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbehci \Device\USBPDO-0 86B4F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86D651F8
Device \Driver\dmio \Device\DmControl\DmConfig 86D651F8
Device \Driver\dmio \Device\DmControl\DmPnP 86D651F8
Device \Driver\dmio \Device\DmControl\DmInfo 86D651F8
Device \Driver\usbuhci \Device\USBPDO-1 86B661F8
Device \Driver\usbuhci \Device\USBPDO-2 86B661F8
Device \Driver\usbuhci \Device\USBPDO-3 86B661F8
Device \Driver\usbuhci \Device\USBPDO-4 86B661F8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\USBSTOR \Device\00000063 864E01F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86DD91F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86DD91F8
Device \Driver\Cdrom \Device\CdRom0 86B4B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 862AF460
Device \Driver\atapi \Device\Ide\IdePort0 862AF460
Device \Driver\atapi \Device\Ide\IdePort1 862AF460
Device \Driver\atapi \Device\Ide\IdePort2 862AF460
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 862AF460
Device \Driver\USBSTOR \Device\00000066 864E01F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 86DD91F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 86DD91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5238E299-26B3-4FEE-879B-F31771B85B01} 86C1C1F8
Device \Driver\USBSTOR \Device\00000067 864E01F8
Device \Driver\USBSTOR \Device\00000068 864E01F8
Device \Driver\USBSTOR \Device\00000069 864E01F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86C1C1F8
Device \Driver\NetBT \Device\NetbiosSmb 86C1C1F8

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 86B661F8
Device \Driver\usbuhci \Device\USBFDO-1 86B661F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 867A3500
Device \Driver\usbuhci \Device\USBFDO-2 86B661F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 867A3500
Device \Driver\usbuhci \Device\USBFDO-3 86B661F8
Device \Driver\usbehci \Device\USBFDO-4 86B4F1F8
Device \Driver\Ftdisk \Device\FtControl 86DD91F8
Device \FileSystem\Fastfat \Fat 86B11500
Device \FileSystem\Fastfat \Fat A83BE297

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 86762500
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:2580] 862E5110
Thread System [4:2888] 862CFF0F
Thread System [4:2812] 86303487
Thread System [4:2472] 862D2B81

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -359878938
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1136146279
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9F 0x0B 0x2B 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x22 0x1A 0xF6 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x18 0x00 0xF4 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9F 0x0B 0x2B 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x22 0x1A 0xF6 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x18 0x00 0xF4 0xFF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8A 0xCB 0x13 0x4B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8F 0xA9 0x77 0x49 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0B 0x67 0xAF 0xEB ...

---- EOF - GMER 1.0.15 ----

KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 20:23:19
Records in database: 2457314
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 73491
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:27:29


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:09, on 2009-07-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\bin\java.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&c ... bd=1061006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bt.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: McAfee Application Installer Cleanup (0323711247260874) (0323711247260874mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\032371~1.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9290 bytes
jj72
Active Member
 
Posts: 14
Joined: July 6th, 2009, 8:19 am

Re: Spyware Infection

Unread postby Axephilic » July 10th, 2009, 11:38 pm

Congratulations, you are now all clean! To help to prevent from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them. If after 48 hours you have not responded to this, then I will assume you have no questions and have the topic closed.

First, lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and office

Go to Start > All Programs > Microsoft Update


Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

I also recommend, if it's not already on, to enable Automatic updates. It will notify you whenever there are new updates available. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning spywares and adwares. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

All of your logs are clean, so that means that this is a technical issue not a malware one. This forum specializes in malware removal so I recommend that you ask about your problems at one of the below tech support forums:

http://whatthetech.com/
http://bleepingcomputer.com/
http://247fixes.com/

Happy surfing and stay clean!

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Spyware Infection

Unread postby jj72 » July 12th, 2009, 1:47 pm

Hi Adam, thanks for all of your help, I am taking the precautions you mentioned above. My computer is running much more smoothley now.
jj72
Active Member
 
Posts: 14
Joined: July 6th, 2009, 8:19 am

Re: Spyware Infection

Unread postby NonSuch » July 12th, 2009, 7:25 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 497 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware