another antivirus 2010 problem

another antivirus 2010 problem

Post by memento2012 on Sun Sep 20, 2009 3:00 pm

My PC (Windows XP) is also infected with Antivirus 2010 Pro. I couldn't start Malwarebytes or get onto the internet. I used another computer to search online and I found this website. I downloaded the ComboFix program onto the infected computer and ran it. I didn't see the warning until after I ran ComboFix. Sorry.
Here is the log from the ComboFix run. I am not sure what to do next. Can anyone help me? Thanks.

ComboFix 09-09-18.02 - HP_Administrator 09/20/2009 10:22.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1509 [GMT -4:00]
Running from: G:\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\nibaxet.com
c:\documents and settings\All Users\Start Menu\PAV
c:\documents and settings\HP_Administrator\Application Data\emep.bin
c:\documents and settings\HP_Administrator\Application Data\ewev.sys
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\HP_Administrator\Application Data\ojozebukyt.inf
c:\documents and settings\HP_Administrator\Cookies\asuj.ban
c:\documents and settings\HP_Administrator\Cookies\ebepyragat.exe
c:\documents and settings\HP_Administrator\Cookies\kerigoj.com
c:\documents and settings\HP_Administrator\Cookies\yfewy.exe
c:\documents and settings\HP_Administrator\Cookies\yjazemakin._dl
c:\documents and settings\HP_Administrator\Local Settings\Application Data\afyrytyny._sy
c:\documents and settings\HP_Administrator\Local Settings\Application Data\sywekim.pif
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\bipe.dat
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\hisisek.lib
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\ubodi.lib
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\ufelasum.pif
c:\documents and settings\HP_Administrator\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\HP_Administrator\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\HP_Administrator\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\awaqymixez.reg
c:\program files\PAV
c:\windows\ajede.pif
c:\windows\ALCMTR.EXE
c:\windows\ifeyarikomemap.dll
c:\windows\kb913800.exe
c:\windows\piweji.vbs
c:\windows\sikymani.bin
c:\windows\system32\braviax.exe
c:\windows\system32\emuzecytup.vbs
c:\windows\system32\fivuxawaxe.inf
c:\windows\system32\okox.dl
c:\windows\system32\wisdstr.exe
c:\windows\vojyw.scr
c:\windows\ywirapoke.ban
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 14:19 . 2009-09-20 14:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-09-20 14:14 . 2009-09-20 14:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-20 13:33 . 2009-09-20 13:33 13859 ----a-w- c:\windows\system32\aworizos.com
2009-09-20 02:54 . 2009-09-20 02:54 6656 ----a-w- C:\rhjdpc.exe
2009-09-20 02:54 . 2009-09-20 02:54 48640 ----a-w- C:\mdnsq.exe
2009-09-18 18:19 . 2009-09-18 18:19 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Kenwood_Corporation
2009-09-18 18:19 . 2009-09-18 18:19 -------- d-----w- c:\program files\KENWOOD
2009-09-11 11:44 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 14:14 . 2009-06-06 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 14:09 . 2007-08-28 23:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2009-09-12 03:24 . 2009-06-06 16:48 -------- d-----w- c:\program files\McAfee
2009-09-11 14:52 . 2007-12-06 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-18 01:36 . 2006-09-02 04:18 58936 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 21:04 . 2009-08-06 21:04 -------- d-----w- c:\program files\MSBuild
2009-08-06 21:04 . 2009-08-06 21:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-10 04:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 16:32 . 2009-07-13 00:40 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 03:43 . 2004-08-10 04:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 23:56 . 2009-07-12 23:56 61224 ----a-w- c:\documents and settings\HP_Administrator\GoToAssistDownloadHelper.exe
2009-07-08 17:44 . 2009-07-13 00:40 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2009-07-13 00:40 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:44 . 2009-07-13 00:40 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2009-07-13 00:40 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:43 . 2009-07-13 00:40 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-06-29 16:12 . 2004-08-10 04:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 04:00 17408 ----a-w- c:\windows\system32\corpol.dll
2006-11-25 22:33 . 2007-08-16 03:31 22 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ICO.EXE [2004-07-14 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-2 36903]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli grswmset.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/2/2006 12:04 AM 82048]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [6/6/2009 7:03 PM 16512]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [6/6/2009 7:03 PM 13824]
.
Contents of the 'Scheduled Tasks' folder

2009-09-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-29 23:21]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-13 01:26]

2009-07-13 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-13 01:26]

2009-06-17 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2006-11-22 01:09]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-20 10:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(824)
c:\windows\grswmset.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\grswmset.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\arservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-09-20 10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 14:32

Pre-Run: 211,679,379,456 bytes free
Post-Run: 215,636,140,032 bytes free

223 --- E O F --- 2009-09-19 21:00

memento2012
Novice
Posts: 23
Joined: 2009-09-20
OS: XP
Points: 26406
Likes: 0
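The log above carries three findings worth reading before any cleanup script is written: the LSA "Notification Packages" value lists grswmset.dll next to the stock scecli entry (every DLL in that list is loaded by lsass.exe at boot, and the "DLLs Loaded Under Running Processes" section duly shows c:\windows\grswmset.dll inside lsass.exe), the Security Center monitoring keys are all set to DisableMonitoring=1, and the firewall standard profile has EnableFirewall=0. The following Python helper is an added example, not ComboFix's or the forum's code; it pulls exactly those indicators out of a ComboFix-style excerpt. The sample input is constructed from the lines of the log above, and the allow-list containing only scecli is an assumption for the example.

```python
"""Triage helper for the 'Reg Loading Points' and 'DLLs Loaded Under Running
Processes' sections of a ComboFix-style log. Added example for this thread;
it is not ComboFix's or the forum's own code. It flags four things the log
above shows:
  * an LSA "Notification Packages" entry other than scecli (lsass.exe loads
    every listed DLL at boot, which is how grswmset.dll ends up in lsass),
  * Security Center monitoring or notification values switched off,
  * the firewall standard profile with EnableFirewall = 0,
  * a DLL mapped into lsass.exe from outside system32.
The allow-list is an assumption for the example (scecli is the stock XP entry).
"""
import re

LSA_NOTIFICATION_ALLOWLIST = {"scecli"}          # assumption: default XP value
SECURITY_CENTER_FLAGS = {"DisableMonitoring", "UpdatesDisableNotify",
                         "AntiVirusDisableNotify", "FirewallDisableNotify"}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
PROC_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')
MULTI_RE = re.compile(r"^Notification Packages\s+REG_MULTI_SZ\s+(?P<data>.*)$")

# Constructed sample: the relevant lines copied from the ComboFix log above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Notification Packages REG_MULTI_SZ scecli grswmset.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - - - - > 'lsass.exe'(824)
c:\\windows\\grswmset.dll
c:\\windows\\system32\\WININET.dll
"""


def _base_name(pkg):
    """Normalise a notification package name: lower-case, no .dll suffix."""
    name = pkg.lower()
    return name[:-4] if name.endswith(".dll") else name


def triage(log_text):
    """Return a list of (indicator, detail) tuples found in the log text."""
    findings = []
    key = proc = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # entering a registry key block
            key, proc = m.group("key").lower(), None
            continue
        m = PROC_RE.match(line)
        if m:                       # entering a process's module list
            proc, key = m.group("proc").lower(), None
            continue
        if key is not None and key.endswith("\\control\\lsa"):
            m = MULTI_RE.match(line)
            if m:
                for pkg in m.group("data").split():
                    if _base_name(pkg) not in LSA_NOTIFICATION_ALLOWLIST:
                        findings.append(("lsa_notification_package", pkg))
        elif key is not None and "security center" in key:
            m = VALUE_RE.match(line)
            if (m and m.group("name") in SECURITY_CENTER_FLAGS
                    and m.group("data").endswith("1")):
                findings.append(("security_center_disabled",
                                 key.rsplit("\\", 1)[-1] + "\\" + m.group("name")))
        elif key is not None and key.endswith("\\firewallpolicy\\standardprofile"):
            m = VALUE_RE.match(line)
            if (m and m.group("name") == "EnableFirewall"
                    and m.group("data").lstrip().startswith("0")):
                findings.append(("firewall_disabled", "standardprofile"))
        elif proc == "lsass.exe":
            # Any DLL lsass has mapped from outside system32 deserves a look.
            path = line.lower()
            if path.endswith(".dll") and not path.startswith("c:\\windows\\system32\\"):
                findings.append(("lsass_module_outside_system32", line))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:32} {detail}")
```

Run against the sample it reports the rogue notification package, the McAfee monitoring entry, the disabled firewall profile and the out-of-place lsass module; WININET.dll is not reported because it lives in system32. The same parser can be pointed at a full log, since it only keys off the section headers ComboFix prints.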

Re: another antivirus 2010 problem

Post by Belahzur on Sun Sep 20, 2009 9:08 pm

Hello.

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\grswmset.dll
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Re: another antivirus 2010 problem

Post by memento2012 on Mon Sep 21, 2009 12:09 am

Filename: grswmset.dll
Status: Scan finished. 4 out of 21 scanners reported malware.
Scan taken on: Mon 21 Sep 2009 02:04:51 (CET)

Additional info
File size: 48640 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: d8992274d950f1de8c1033808b354d04
SHA1: 8ae0a04d80ef0f3ba6ba872d7635e320ba2bcf1a

Scanners
2009-09-20 Found nothing 2009-09-21 Found nothing
2009-09-21 Trojan.Win32.Hiloti!IK 2009-09-20 Trojan.Win32.Hiloti
2009-09-20 Found nothing 2009-09-21 Found nothing
2009-09-20 Found nothing 2009-09-19 Found nothing
2009-09-18 Found nothing 2009-09-18 Found nothing
2009-09-20 Found nothing 2009-09-20 Found nothing
2009-09-19 Found nothing 2009-09-19 Found nothing
2009-09-20 Found nothing 2009-09-21 Found nothing
2009-09-21 Trojan.DownLoad.47337 2009-09-20 Bscope.Malware-Cryptor.Tip
2009-09-20 Found nothing 2009-09-20 Found nothing
2009-09-20 Found nothing


Re: another antivirus 2010 problem

Post by Belahzur on Mon Sep 21, 2009 6:02 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\windows\system32\aworizos.com
    C:\rhjdpc.exe
    C:\mdnsq.exe
    C:\WINDOWS\grswmset.dll

    :reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=-


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.




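The :reg section of the OTM script above rewrites the LSA "Notification Packages" value as hex(7):73,63,65,63,6c,69,00,00. hex(7) is the .reg-file spelling of REG_MULTI_SZ, and those bytes are the 8-bit characters of "scecli" followed by a string terminator and a list terminator, so the fix keeps the stock entry and drops grswmset.dll (which the ComboFix log lists at c:\windows\grswmset.dll, the path the :files section of this script targets). The Python below is an added example, not OTM's or the forum's own code: it decodes such a byte list, encodes a cleaned list back into the same form, and shows the UTF-16LE layout regedit uses for hex(7) in the .reg files it exports. The allow-list is an assumption for the example; the infected value is taken from the ComboFix log above.

```python
"""REG_MULTI_SZ <-> .reg hex(7) helpers. Added example for this thread; it is
not OTM's or the forum's own code. The OTM fix above writes

    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

which decodes to the single string "scecli" (8-bit characters, one NUL after
the string, one more NUL to end the list). regedit's own exports write hex(7)
as UTF-16LE instead, so the encoding is a parameter here.
"""

MULTI_SZ_PREFIX = "hex(7):"
LSA_NOTIFICATION_ALLOWLIST = {"scecli"}   # assumption: default XP value

# From the ComboFix log: "Notification Packages REG_MULTI_SZ scecli grswmset.dll"
INFECTED_VALUE = ["scecli", "grswmset.dll"]
OTM_FIX_LINE = '"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00'


def decode_multi_sz_hex(data, encoding="latin-1"):
    """Turn 'hex(7):73,63,...' (or the bare comma-separated byte list, possibly
    wrapped with trailing backslashes as in a .reg file) into a list of strings."""
    if data.startswith(MULTI_SZ_PREFIX):
        data = data[len(MULTI_SZ_PREFIX):]
    tokens = [tok.strip() for tok in data.replace("\\", "").split(",")]
    raw = bytes(int(tok, 16) for tok in tokens if tok)
    text = raw.decode(encoding)
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with an empty string (double NUL)")
    # An empty string terminates the list, so every element here is non-empty.
    return [s for s in text.split("\0") if s]


def encode_multi_sz_hex(strings, encoding="latin-1"):
    """Inverse of decode_multi_sz_hex: strings -> 'hex(7):xx,xx,...'."""
    text = "\0".join(strings) + "\0\0"
    return MULTI_SZ_PREFIX + ",".join(f"{b:02x}" for b in text.encode(encoding))


def clean_notification_packages(packages, allowlist=LSA_NOTIFICATION_ALLOWLIST):
    """Keep only allow-listed packages; names compare case-insensitively and
    with or without a .dll suffix."""
    kept = []
    for pkg in packages:
        name = pkg.lower()
        if name.endswith(".dll"):
            name = name[:-4]
        if name in allowlist:
            kept.append(pkg)
    return kept


def build_fix_line(packages, encoding="latin-1"):
    """Produce the .reg/OTM line that sets the value to exactly `packages`."""
    return '"Notification Packages"=' + encode_multi_sz_hex(packages, encoding)


if __name__ == "__main__":
    print("OTM fix decodes to:", decode_multi_sz_hex(OTM_FIX_LINE.split("=", 1)[1]))
    print("rebuilt from log:  ", build_fix_line(clean_notification_packages(INFECTED_VALUE)))
    print("regedit (UTF-16LE):", build_fix_line(["scecli"], "utf-16-le"))
```

Rebuilding the value from the log's infected list reproduces the OTM line byte for byte, which is a quick way to confirm a fix script before running it. The UTF-16LE form is what to expect when diffing against a regedit export of the same key.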

Re: another antivirus 2010 problem

Post by memento2012 on Mon Sep 21, 2009 9:48 pm

Thanks. This is the results from OTM.
========== FILES ==========
c:\windows\system32\aworizos.com moved successfully.
File/Folder C:\rhjdpc.exe not found.
C:\mdnsq.exe moved successfully.
File/Folder C:\WINDOWS\grswmset.dll not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\\UpdatesDisableNotify deleted successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09212009_174701


Re: another antivirus 2010 problem

Post by Belahzur on Tue Sep 22, 2009 1:11 am

Hello.
We need to run OTM one more time.


  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    C:\WINDOWS\system32\grswmset.dll


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.





Re: another antivirus 2010 problem

Post by memento2012 on Tue Sep 22, 2009 2:34 am

I am having trouble with Antivirus System 2010 Pro again. There is a popup trying to download that malware onto the computer. I am also having trouble loading web pages.

========== FILES ==========
File/Folder C:\WINDOWS\system32\grswmset.dll not found.

OTM by OldTimer - Version 3.0.0.6 log created on 09212009_222803


Re: another antivirus 2010 problem

Post by memento2012 on Tue Sep 22, 2009 3:14 am

I ran MBAM to remove the antivirus system. Here is the log. The computer is running OK after the MBAM run. But I cannot start my McAfee antivirus to scan the computer. Can you help me again? Thanks.



Malwarebytes' Anti-Malware 1.41
Database version: 2833
Windows 5.1.2600 Service Pack 3

9/21/2009 11:04:04 PM
mbam-log-2009-09-21 (23-04-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 190481
Time elapsed: 38 minute(s), 9 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 4
Files Infected: 20

Memory Processes Infected:
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntiVirusPro2010) -> Unloaded process successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\temp\~.exe (Trojan.Wantvi) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.


Re: another antivirus 2010 problem

Post by Belahzur on Tue Sep 22, 2009 7:34 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt just yet.





Re: another antivirus 2010 problem

Post by memento2012 on Tue Sep 22, 2009 11:02 pm

DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 19:00:20.65 on Tue 09/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1435 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
svchost
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-12 214024]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-12 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-12 144704]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-2 1252232]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-9-2 82048]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-12 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-12 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-12 40552]
S2 0244511253660371mcinstcleanup;McAfee Application Installer Cleanup (0244511253660371);c:\windows\temp\024451~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\024451~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-12 34248]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2009-6-6 16512]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2009-6-6 13824]

=============== Created Last 30 ================

2009-09-21 22:23 18,942 a------- c:\windows\yfugenol.ban
2009-09-21 22:23 18,562 a------- c:\docume~1\alluse~1\applic~1\wadu.com
2009-09-21 22:23 16,796 a------- c:\program files\common files\lynyq.exe
2009-09-21 22:23 16,332 a------- c:\windows\zihuvi.vbs
2009-09-21 22:23 16,200 a------- c:\windows\digudopa.sys
2009-09-21 22:23 15,244 a------- c:\program files\common files\aqycaq.dat
2009-09-21 22:23 12,817 a------- c:\program files\common files\hojuza.vbs
2009-09-21 22:23 11,339 a------- c:\docume~1\alluse~1\applic~1\lusybi.scr
2009-09-21 22:23 17,701 a------- c:\docume~1\alluse~1\applic~1\vudycuc.com
2009-09-21 22:23 16,800 a------- c:\docume~1\alluse~1\applic~1\liralypu.bat
2009-09-21 22:23 11,684 a------- c:\docume~1\hp_adm~1\applic~1\ulilal.dat
2009-09-21 22:23 11,074 a------- c:\docume~1\hp_adm~1\applic~1\xojas.pif
2009-09-21 22:19 111,104 a------- C:\joxa.exe
2009-09-21 22:19 49,152 a------- C:\hwdgqmcw.exe
2009-09-21 17:47 --d----- C:\_OTM
2009-09-20 22:39 --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-09-20 22:39 --d----- c:\program files\Conduit
2009-09-20 22:39 --d----- c:\program files\Mininova-Vuze
2009-09-20 22:39 --d----- c:\docume~1\hp_adm~1\applic~1\Azureus
2009-09-20 22:38 --d----- c:\program files\Vuze
2009-09-20 10:21 229,888 a------- c:\windows\PEV.exe
2009-09-20 10:21 161,792 a------- c:\windows\SWREG.exe
2009-09-20 10:21 98,816 a------- c:\windows\sed.exe
2009-09-20 09:33 17,589 a------- c:\windows\ekerep._sy
2009-09-19 22:54 0 a----r-- c:\windows\sUBs
2009-09-18 14:19 --d----- c:\program files\KENWOOD
2009-09-11 07:44 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-21 22:23 11,971 a------- c:\program files\common files\zibasojoj.dl
2009-09-21 22:23 10,437 a------- c:\program files\common files\sujabujaqa.db
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-13 11:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-12 19:56 61,224 a------- c:\documents and settings\hp_administrator\GoToAssistDownloadHelper.exe
2009-07-10 09:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-24 20:06 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-06 13:04 6,276 ac------ c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2006-11-25 18:33 22 ac-sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 19:00:49.15 ===============

memento2012
Novice

Posts : 23
Joined : 2009-09-20
OS : XP
Points : 26406
# Likes : 0

Re: another antivirus 2010 problem

Post by Belahzur on Wed Sep 23, 2009 12:58 am

Hello.
Couple more things to do now.


  • Please double-click OTM.exe to run it again.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\windows\yfugenol.ban
    c:\docume~1\alluse~1\applic~1\wadu.com
    c:\program files\common files\lynyq.exe
    c:\windows\zihuvi.vbs
    c:\windows\digudopa.sys
    c:\program files\common files\aqycaq.dat
    c:\program files\common files\hojuza.vbs
    c:\docume~1\alluse~1\applic~1\lusybi.scr
    c:\docume~1\alluse~1\applic~1\vudycuc.com
    c:\docume~1\alluse~1\applic~1\liralypu.bat
    c:\docume~1\hp_adm~1\applic~1\ulilal.dat
    c:\docume~1\hp_adm~1\applic~1\xojas.pif
    C:\joxa.exe
    C:\hwdgqmcw.exe
    c:\windows\ekerep._sy
    c:\program files\common files\zibasojoj.dl
    c:\program files\common files\sujabujaqa.db
    c:\program files\Conduit


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Re: another antivirus 2010 problem

Post by memento2012 on Wed Sep 23, 2009 2:10 am

========== FILES ==========
c:\windows\yfugenol.ban moved successfully.
c:\docume~1\alluse~1\applic~1\wadu.com moved successfully.
c:\program files\common files\lynyq.exe moved successfully.
c:\windows\zihuvi.vbs moved successfully.
c:\windows\digudopa.sys moved successfully.
c:\program files\common files\aqycaq.dat moved successfully.
c:\program files\common files\hojuza.vbs moved successfully.
c:\docume~1\alluse~1\applic~1\lusybi.scr moved successfully.
c:\docume~1\alluse~1\applic~1\vudycuc.com moved successfully.
c:\docume~1\alluse~1\applic~1\liralypu.bat moved successfully.
c:\docume~1\hp_adm~1\applic~1\ulilal.dat moved successfully.
c:\docume~1\hp_adm~1\applic~1\xojas.pif moved successfully.
C:\joxa.exe moved successfully.
C:\hwdgqmcw.exe moved successfully.
c:\windows\ekerep._sy moved successfully.
c:\program files\common files\zibasojoj.dl moved successfully.
c:\program files\common files\sujabujaqa.db moved successfully.
c:\program files\Conduit\Community Alerts moved successfully.
c:\program files\Conduit moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09222009_221015


Re: another antivirus 2010 problem

Post by Belahzur on Wed Sep 23, 2009 7:08 pm

Hello.
Next,

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



Re: another antivirus 2010 problem

Post by memento2012 on Wed Sep 23, 2009 8:10 pm

Here is the HijackThis result.

Ad-Aware 2007
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
AnswerWorks 4.0 Runtime - English
Apple Software Update
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Critical Update for Windows Media Player 11 (KB959772)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Desktop Doctor
Enhanced Multimedia Keyboard Solution
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Grandmaster Challenge
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Update
HP Web Helper
iPod for Windows 2005-02-07
iTunes
J2SE Runtime Environment 5.0 Update 6
KENWOOD Music Editor
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 60 days trial
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mininova-Vuze Toolbar
Mouse Suite
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
NVIDIA Drivers
Otto
PaperVision Document Viewer Controls
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Sansa Media Converter
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Symantec KB-DocID:2003093015493306
TurboTax Home & Business 2007
TVUPlayer 2.3.4.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Updates from HP (remove only)
Vuze
WildTangent Web Driver
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Yahoo! Toolbar for Internet Explorer


Re: another antivirus 2010 problem

Post by Belahzur on Wed Sep 23, 2009 11:17 pm

Hello.

I see that you are running Vuze.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 6
    Mininova-Vuze Toolbar
    Vuze

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?



Re: another antivirus 2010 problem

Post by memento2012 on Thu Sep 24, 2009 2:05 am

The computer is running well now. Thank you.
I was able to remove J2SE Runtime Environment 5.0 Update 6 and
Mininova-Vuze Toolbar.

I couldn't remove "Vuze". There is an error message: "No JVM could be found on your system. Please define EX4J_JAVA_Home to point to an installed 32 bit JDK or JRE or download a JRE from [You must be registered and logged in to see this link.]"

I also tried to run "Combofix /u". But I got a message stating that Windows cannot find ComboFix. What should I do next? I downloaded ComboFix.exe to my desktop. Should I run the program from the desktop? Thanks again.


Re: another antivirus 2010 problem

Post by Belahzur on Thu Sep 24, 2009 6:49 pm

Hello.
Ignore Combofix /u, the uninstall command doesn't always work for everyone.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "This special release provides a few key fixes.".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe that you downloaded to install the newest version.



Re: another antivirus 2010 problem

Post by memento2012 on Thu Sep 24, 2009 11:41 pm

I did the Java update today. I removed Vuze and the computer is running well. But I couldn't start McAfee to scan the computer. Do I have to download and reinstall McAfee on the computer? Thanks again.


Re: another antivirus 2010 problem

Post by Belahzur on Fri Sep 25, 2009 12:01 am

Hello.
The malware has locked McAfee; we need to unlock it. Before doing so, we need to check for other locked files.

Please download [You must be registered and logged in to see this link.] file.

  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.



Re: another antivirus 2010 problem

Post by memento2012 on Fri Sep 25, 2009 2:23 am

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - [You must be registered and logged in to see this link.]

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
............................................
Failed to open \\?\c:\\Program Files\McAfee\VirusScan\mcods.exe: Access is denied.
....................................................
Failed to open \\?\c:\\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe: Access is denied.
..................No reparse points found.


Re: another antivirus 2010 problem

Post by Belahzur on Fri Sep 25, 2009 9:17 am

Please download [You must be registered and logged in to see this link.] file.

  • Please download this file to your Desktop.
  • Now right-click it, select Copy, and place it next to the following 3 files.

    c:\Program Files\McAfee\VirusScan\mcods.exe

  • Drag each exe file one by one into inherit.exe and let it run.
  • Wait for it to say OK; McAfee will now work.


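A PowerShell check for the kind of file lock this post and the junction scan above deal with: an added example, not the forum's or the inherit.exe tool's own code. The two target paths are the ones the junction output reported as "Access is denied"; that the fix is removing Deny entries and re-enabling ACL inheritance from the parent folder is an assumption, and the repair step needs an elevated prompt.

```powershell
# Added example, not the forum's or the inherit.exe tool's own code.
# Reports, for each executable, the two locks malware commonly applies to
# disable security software: a reparse point on the path (what junction -s
# looks for) or an ACL with Deny entries / inheritance switched off.
# Restore-FileInheritance undoes the ACL lock (assumed to be what inherit.exe
# does); target paths are the ones named in the thread.

function Get-FileLockReport {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($p in $Path) {
        $result = @{
            Path               = $p
            Exists             = (Test-Path -Path $p)
            ReparsePoint       = $null
            DenyAces           = $null
            InheritanceBlocked = $null
            Error              = $null
        }
        if ($result.Exists) {
            try {
                $item = Get-Item -Path $p -Force
                $result.ReparsePoint =
                    [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

                $acl  = Get-Acl -Path $p
                $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
                $result.DenyAces = ($deny | ForEach-Object {
                    '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }) -join '; '
                # True when the file carries its own ACL instead of inheriting the folder's
                $result.InheritanceBlocked = $acl.AreAccessRulesProtected
            } catch {
                # Reading the ACL itself can be refused; that is worth reporting too
                $result.Error = $_.Exception.Message
            }
        }
        New-Object PSObject -Property $result |
            Select-Object Path, Exists, ReparsePoint, DenyAces, InheritanceBlocked, Error
    }
}

function Restore-FileInheritance {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -Path $Path
    # Remove explicit (non-inherited) Deny entries, then re-enable inheritance
    # so the file takes the parent folder's permissions again.
    foreach ($ace in @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $Path -AclObject $acl
}

# Files the junction scan in this thread reported as "Access is denied"
$targets = @(
    'C:\Program Files\McAfee\VirusScan\mcods.exe',
    'C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe'
)

Get-FileLockReport -Path $targets | Format-Table -AutoSize

# Uncomment to repair after reviewing the report. If Set-Acl is refused,
# ownership of the file has to be taken first (for example with takeown.exe).
# foreach ($t in $targets) { if (Test-Path $t) { Restore-FileInheritance -Path $t } }
```

A non-empty DenyAces column or InheritanceBlocked = True on a security product's executable, with the vendor's own installer never setting such entries, is the condition the thread is fixing; a ReparsePoint = True on an .exe path is the other lock junction -s would have surfaced.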

Re: another antivirus 2010 problem

Post by memento2012 on Fri Sep 25, 2009 9:27 pm

Thank you. McAfee is running well now. Any suggestions to prevent future infections like this one? Thanks again.


Re: another antivirus 2010 problem

Post by Belahzur on Sat Sep 26, 2009 12:15 am

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: another antivirus 2010 problem

Post by memento2012 on Sun Sep 27, 2009 6:52 pm

Hello,
I tried to do system restore but I didn't have the system restore bar "properties from my computer". So I found system restore from programs-->accessories--> system tools--> system restore.
When I click the system restore, there is an error bar " system restore has been turned off by group policy. To turn on, contact the domain administrator". I don't know what to do next.

I also had another antivirus attack today, but I ran MBAM and the computer is working now. Here are the log files from the last two runs.

Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 5.1.2600 Service Pack 3

9/27/2009 1:27:00 PM
mbam-log-2009-09-27 (13-27-00).txt


Scan type: Quick Scan
Objects scanned: 104567
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyqpmuycqh (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Application Data\lizkavd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\aoqwlrag.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\cqfuy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ddqud.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\flqihkhx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gasfkyltoijews.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\temp\t9pz8.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\temp\1542614348.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\temp\h4fhqlfmgv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\hxlqib.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gasfkyqakllovy.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gasfkywqvrowpn.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gasfkyrqlthsir.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gasfkyxnsmgyfq.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 5.1.2600 Service Pack 3

9/27/2009 2:22:30 PM
mbam-log-2009-09-27 (14-22-30).txt


Scan type: Full Scan (C:\|D:\|)
Objects scanned: 186203
Time elapsed: 46 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\_OTM\MovedFiles\09212009_223530\rhjdpc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTM\MovedFiles\09222009_221015\joxa.exe (Rootkit.Rustock) -> Quarantined and deleted successfully.

Re: another antivirus 2010 problem

Post by Belahzur on Sun Sep 27, 2009 6:57 pm

Hello.
Please re-run Combofix.


Re: another antivirus 2010 problem

Post by memento2012 on Mon Sep 28, 2009 1:35 pm

ComboFix 09-09-27.04 - HP_Administrator 09/28/2009 9:19.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1326 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Application Data\yxyli.ban
c:\documents and settings\All Users\Documents\ebasede.reg
c:\documents and settings\All Users\Documents\okowe.scr
c:\documents and settings\All Users\Documents\onokurim.dl
c:\documents and settings\All Users\Documents\pudufyjywa.exe
c:\documents and settings\HP_Administrator\Application Data\ojoceqo.lib
c:\documents and settings\HP_Administrator\Cookies\yluhah.pif
c:\documents and settings\HP_Administrator\Local Settings\Application Data\qurat.bat
c:\documents and settings\HP_Administrator\Local Settings\Application Data\vawupami.scr
c:\documents and settings\HP_Administrator\Local Settings\temp\IadHide5.dll
c:\windows\system32\41.exe
c:\windows\system32\iniasd.txt
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.

2009-09-28 13:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-28 13:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-27 15:59 . 2009-09-27 15:59 -------- d-----w- c:\program files\Alwil Software
2009-09-27 15:51 . 2009-09-27 15:51 -------- d-----w- c:\program files\Windows Defender
2009-09-27 15:49 . 2009-09-27 15:49 -------- d-----w- c:\program files\CCleaner
2009-09-27 15:44 . 2009-09-28 13:26 -------- d-----w- c:\windows\Internet Logs
2009-09-27 15:28 . 2009-09-27 15:28 0 ----a-w- c:\windows\nsreg.dat
2009-09-27 15:28 . 2009-09-27 15:28 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Mozilla
2009-09-24 23:32 . 2009-09-24 23:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-23 23:02 . 2009-09-23 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-23 23:02 . 2009-09-23 23:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-23 23:02 . 2009-09-23 23:02 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-09-21 21:47 . 2009-09-21 21:47 -------- d-----w- C:\_OTM
2009-09-21 02:39 . 2009-09-21 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-09-21 02:39 . 2009-09-21 02:39 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Conduit
2009-09-21 02:39 . 2009-09-22 02:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Azureus
2009-09-20 14:19 . 2009-09-20 14:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-09-20 14:14 . 2009-09-20 14:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-18 18:19 . 2009-09-18 18:19 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Kenwood_Corporation
2009-09-18 18:19 . 2009-09-18 18:19 -------- d-----w- c:\program files\KENWOOD
2009-09-11 11:44 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 15:47 . 2009-09-27 15:46 -------- d-----w- c:\program files\AskBarDis
2009-09-27 15:46 . 2009-09-27 15:46 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-27 15:46 . 2009-09-27 15:46 -------- d-----w- c:\program files\Zone Labs
2009-09-25 17:02 . 2009-06-06 16:48 -------- d-----w- c:\program files\McAfee
2009-09-25 02:21 . 2007-07-24 19:58 95616 ----a-w- c:\windows\junction.exe
2009-09-24 23:31 . 2006-09-02 03:48 -------- d-----w- c:\program files\Java
2009-09-23 23:01 . 2007-12-01 01:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-21 00:15 . 2009-06-06 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 14:09 . 2007-08-28 23:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\U3
2009-09-11 14:52 . 2007-12-06 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-10 18:54 . 2009-06-06 23:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-06-06 23:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-18 01:36 . 2006-09-02 04:18 58936 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 21:04 . 2009-08-06 21:04 -------- d-----w- c:\program files\MSBuild
2009-08-06 21:04 . 2009-08-06 21:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-10 04:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 16:32 . 2009-07-13 00:40 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-14 03:43 . 2004-08-10 04:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 23:56 . 2009-07-12 23:56 61224 ----a-w- c:\documents and settings\HP_Administrator\GoToAssistDownloadHelper.exe
2009-07-08 17:44 . 2009-07-13 00:40 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2009-07-13 00:40 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:44 . 2009-07-13 00:40 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2009-07-13 00:40 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:43 . 2009-07-13 00:40 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2006-11-25 22:33 . 2007-08-16 03:31 22 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-28 13:25 . 2009-09-28 13:25 16384 c:\windows\Temp\Perflib_Perfdata_13c.dat
+ 2009-09-27 15:46 . 2009-02-16 04:10 97672 c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2009-09-27 15:46 . 2008-11-17 06:24 51688 c:\windows\system32\ZoneLabs\srescan.sys
+ 2009-09-27 15:46 . 2009-02-16 04:10 94088 c:\windows\system32\ZoneLabs\lib\zvpn.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 20360 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 59272 c:\windows\system32\ZoneLabs\lib\zpdp.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 14216 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 24968 c:\windows\system32\ZoneLabs\lib\zic.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 84872 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 34696 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 17800 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 10120 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 10632 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 13704 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 11656 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 11144 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 29576 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 12168 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 35720 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 38280 c:\windows\system32\ZoneLabs\featuremap.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 98184 c:\windows\system32\ZoneLabs\fbl.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 74632 c:\windows\system32\ZoneLabs\camupd.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 69000 c:\windows\system32\zlcomm.dll
+ 2004-08-10 04:00 . 2009-06-25 08:25 54272 c:\windows\system32\wdigest.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 35208 c:\windows\system32\vswmi.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 58248 c:\windows\system32\vsregexp.dll
+ 2009-06-14 03:27 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2009-06-14 03:27 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
- 2004-08-10 04:00 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2004-08-10 04:00 . 2009-06-25 08:25 56832 c:\windows\system32\secur32.dll
+ 2004-08-10 11:00 . 2009-06-24 11:18 92928 c:\windows\system32\drivers\ksecdd.sys
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2005-08-31 04:02 . 2009-09-28 13:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-08-31 04:02 . 2009-09-20 13:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-08-30 20:51 . 2009-09-28 13:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-30 20:51 . 2009-09-20 13:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-20 17:38 . 2009-09-28 13:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-08-30 20:51 . 2009-09-20 13:36 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-27 15:45 . 2009-09-27 15:45 62464 c:\windows\Installer\1906d1.msi
+ 2009-09-23 23:02 . 2009-09-23 23:02 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-09-23 23:02 . 2009-09-23 23:02 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-09-27 15:46 . 2009-02-16 04:10 9608 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll
+ 2009-09-23 23:02 . 2009-09-23 23:02 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2008-07-29 12:05 . 2008-07-29 12:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 07:54 . 2008-07-29 07:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 09:23 . 2008-07-29 09:23 626688 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcr90.dll
+ 2008-07-29 09:23 . 2008-07-29 09:23 856576 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcp90.dll
+ 2008-07-29 07:51 . 2008-07-29 07:51 245760 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcm90.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 108424 c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 302472 c:\windows\system32\ZoneLabs\zlsre.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 178568 c:\windows\system32\ZoneLabs\zlparser.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 172936 c:\windows\system32\ZoneLabs\vsvault.dll
+ 2009-09-27 15:45 . 2009-02-16 04:10 108424 c:\windows\system32\ZoneLabs\vsdb.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 176520 c:\windows\system32\ZoneLabs\updclient.exe
+ 2009-09-27 15:46 . 2007-10-11 20:51 832984 c:\windows\system32\ZoneLabs\updating.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 431496 c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 134536 c:\windows\system32\ZoneLabs\scheduler.dll
+ 2009-09-27 15:46 . 2008-11-17 06:23 796128 c:\windows\system32\ZoneLabs\qrsrecl.dll
+ 2009-09-27 15:46 . 2008-11-17 06:23 722400 c:\windows\system32\ZoneLabs\qrbase.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 118664 c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 151944 c:\windows\system32\ZoneLabs\lib\ztv.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 188808 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 344968 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 136584 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 344456 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2009-09-27 15:45 . 2009-02-04 22:27 548128 c:\windows\system32\ZoneLabs\icslta.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 159112 c:\windows\system32\ZoneLabs\httpblocker.dll
+ 2009-09-27 15:46 . 2008-03-17 20:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 103816 c:\windows\system32\zlcommdb.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 109960 c:\windows\system32\vsxml.dll
+ 2009-09-27 15:45 . 2009-02-16 04:10 482184 c:\windows\system32\vsutil.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 309128 c:\windows\system32\vspubapi.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 107912 c:\windows\system32\vsmonapi.dll
+ 2009-09-27 15:45 . 2009-02-16 04:10 229256 c:\windows\system32\vsinit.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 353672 c:\windows\system32\vsdatant.sys
+ 2009-09-27 15:45 . 2009-02-16 04:10 110472 c:\windows\system32\vsdata.dll
+ 2004-08-10 04:00 . 2009-06-25 08:25 147456 c:\windows\system32\schannel.dll
+ 2004-08-10 04:00 . 2009-06-25 08:25 136192 c:\windows\system32\msv1_0.dll
+ 2004-08-10 04:00 . 2009-06-25 08:25 730112 c:\windows\system32\lsasrv.dll
+ 2004-08-10 04:00 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll
+ 2009-09-24 23:32 . 2009-09-24 23:31 149280 c:\windows\system32\javaws.exe
+ 2009-09-24 23:32 . 2009-09-24 23:31 145184 c:\windows\system32\javaw.exe
+ 2009-09-24 23:32 . 2009-09-24 23:31 145184 c:\windows\system32\java.exe
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-06-06 15:31 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 1221512 c:\windows\system32\zpeng25.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 1648520 c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 2402184 c:\windows\system32\ZoneLabs\vsmon.exe
+ 2009-09-27 15:46 . 2008-11-17 06:23 1512928 c:\windows\system32\ZoneLabs\srescan.dll
+ 2009-09-27 15:46 . 2009-02-16 04:10 1536392 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
+ 2009-09-23 23:02 . 2009-09-23 23:02 1583616 c:\windows\Installer\a443d4.msi
+ 2009-09-24 23:31 . 2009-09-24 23:31 1757696 c:\windows\Installer\8a96b.msi
+ 2009-09-27 15:51 . 2009-09-27 15:51 1155072 c:\windows\Installer\1906d5.msi
+ 2009-09-27 15:46 . 2008-12-15 05:11 10465257 c:\windows\system32\ZoneLabs\zlasdbup.dat
+ 2009-09-27 15:46 . 2008-12-15 05:11 10465257 c:\windows\system32\ZoneLabs\spyware.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 22:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-24 149280]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ICO.EXE [2004-07-14 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-2 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [9/27/2009 11:46 AM 464264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/2/2006 12:04 AM 82048]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S2 jihrcaxlxh;jihrcaxlxh;\??\c:\windows\system32\drivers\wclqgubqw.sys --> c:\windows\system32\drivers\wclqgubqw.sys [?]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [6/6/2009 7:03 PM 16512]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [6/6/2009 7:03 PM 13824]
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-29 23:21]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-13 01:26]

2009-07-13 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-13 01:26]

2009-06-17 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2006-11-22 01:09]

2009-09-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\v76pphj7.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\HP_Administrator\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-28 09:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(300)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\arservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
.
**************************************************************************
.
Completion time: 2009-09-28 9:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 13:30
ComboFix2.txt 2009-09-20 14:33

Pre-Run: 221,572,018,176 bytes free
Post-Run: 221,678,755,840 bytes free

354 --- E O F --- 2009-09-24 03:10
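
The service list (the R1/R2/S2/S3 lines) and the "Reg Loading Points" section of the ComboFix report above are where a reviewer looks for what the scanners left behind. What follows is an added example, not ComboFix's own code and not written by anyone in this thread: it parses those two sections and flags any service whose binary ComboFix marked "[?]" (not found), plus Security Center monitoring and Windows Firewall entries that are switched off. Its sample input is a constructed subset of lines copied from the report above.

```python
"""Triage two sections of a pasted ComboFix report: the service/driver
list (R*/S* lines) and the REGEDIT4-style 'Reg Loading Points' section.

Constructed example for this thread, not ComboFix's own code. A service
line ends in '[date time size]' when ComboFix could stat the binary and
in '[?]' when it could not; a stopped-but-automatic (S2) service with a
random-looking name and a missing driver is the classic leftover of a
rootkit whose .sys file has already been quarantined.
"""
import re
from typing import Dict, List

# State: R = running, S = stopped. Digit: Windows start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<detail>[^\]]*)\]\s*$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')

SECURITY_CENTER = "hkey_local_machine\\software\\microsoft\\security center"

# Constructed sample: a subset of lines from the report in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 jihrcaxlxh;jihrcaxlxh;\??\c:\windows\system32\drivers\wclqgubqw.sys --> c:\windows\system32\drivers\wclqgubqw.sys [?]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [6/6/2009 7:03 PM 16512]
"""


def parse_services(lines: List[str]) -> List[dict]:
    """One dict per R*/S* service line; every other line is ignored."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            svc = m.groupdict()
            svc["start"] = int(svc["start"])
            # ComboFix appends ' --> resolved path' for \??\-style image paths.
            svc["binary"] = svc["path"].split(" --> ")[-1]
            services.append(svc)
    return services


def flag_services(services: List[dict]) -> List[str]:
    """Services whose binary ComboFix could not find are loading points to remove."""
    return [
        f"{s['name']} (start type {s['start']}): binary not found: {s['binary']}"
        for s in services
        if s["detail"].strip() == "?"
    ]


def parse_reg_points(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Map each [KEY] header to the "name"=value pairs listed under it."""
    values: Dict[str, Dict[str, str]] = {}
    current = None
    for line in lines:
        line = line.strip()
        k = REG_KEY_RE.match(line)
        if k:
            current = k.group("key")
            values.setdefault(current, {})
            continue
        v = REG_VALUE_RE.match(line)
        if v and current is not None:
            values[current][v.group("name")] = v.group("value")
    return values


def flag_reg_points(values: Dict[str, Dict[str, str]]) -> List[str]:
    """Security Center monitoring switched off, and Windows Firewall disabled."""
    findings = []
    for key, vals in values.items():
        low = key.lower()
        if low.startswith(SECURITY_CENTER) and vals.get("DisableMonitoring", "") == "dword:00000001":
            leaf = key.rsplit("\\", 1)[-1]  # product name, or 'Monitoring' for the parent key
            findings.append(f"Security Center monitoring disabled: {leaf}")
        if "firewallpolicy" in low and low.endswith("standardprofile") \
                and vals.get("EnableFirewall", "").startswith("0"):
            findings.append("Windows Firewall disabled in standard profile")
    return findings


def triage(report: str) -> List[str]:
    """Run both checks over one pasted report and return the findings in order."""
    lines = report.splitlines()
    return flag_services(parse_services(lines)) + flag_reg_points(parse_reg_points(lines))


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The missing-binary service is the actionable item: the driver file is already gone, but the service entry still exists and is what a helper targets next. The Security Center "DisableMonitoring" entries are informational, since third-party suites commonly set them themselves, and "EnableFirewall"=0 is expected on a machine running a third-party firewall as this one is.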

Re: another antivirus 2010 problem

Post by Origin on Mon Sep 28, 2009 2:29 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it, since some malware blocks GMER.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Re: another antivirus 2010 problem

Post by memento2012 on Mon Sep 28, 2009 8:52 pm

GMER 1.0.15.15087 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-28 16:49:13
Windows 5.1.2600 Service Pack 3
Running: zdgqyxzp.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kxldqpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB1D390B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB1C7B4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB1C7B581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB1C7B498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB1C7B4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB1C7B595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB1C7B5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB1C7B62F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB1C7B619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB1C7B52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB1C7B65B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB1C7B56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB1C7B470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB1C7B484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB1C7B4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB1C7B697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB1C7B603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB1C7B5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB1C7B5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB1C7B683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB1C7B66F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB1C7B4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB1C7B4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB1C7B5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB1C7B559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB1C7B645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB1C7B540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB1C7B514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B1C7B518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B1C7B4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B1C7B52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B1C7B544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B1C7B502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 2 Bytes JMP B1C7B474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess + 3 805CB40B 2 Bytes [6B, 31]
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B1C7B488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B1C7B4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B1C7B4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B1C7B49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B1C7B4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B1C7B55D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219E8 7 Bytes JMP B1C7B5F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D36 7 Bytes JMP B1C7B5DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622060 7 Bytes JMP B1C7B649 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228FE 7 Bytes JMP B1C7B607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D2 7 Bytes JMP B1C7B5AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B0 5 Bytes JMP B1C7B585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C40 7 Bytes JMP B1C7B599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E10 7 Bytes JMP B1C7B5C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 7 Bytes JMP B1C7B633 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425A 7 Bytes JMP B1C7B61D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B82 5 Bytes JMP B1C7B571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EA8 7 Bytes JMP B1C7B69B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625168 5 Bytes JMP B1C7B673 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585C 5 Bytes JMP B1C7B687 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625976 5 Bytes JMP B1C7B65F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F6D
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F88
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F48
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0090
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0EF7
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F1C
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0EDC
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0073
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F2D
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FB2
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930028
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FC3
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FDE
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930F6B
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F7C
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930F97
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920FCA
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FE5
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920044
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0092000C
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920055
.text C:\WINDOWS\system32\svchost.exe[688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920029
.text C:\WINDOWS\system32\svchost.exe[688] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[688] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[688] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00900FDB
.text C:\WINDOWS\system32\svchost.exe[688] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 0090002C
.text C:\WINDOWS\system32\svchost.exe[688] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0091000A
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F300C6
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F300A1
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30090
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30073
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30FDB
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F30FA2
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F300F4
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F30120
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F30105
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F30F76
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F30062
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F30011
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F300D7
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F30047
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F3002C
.text C:\Program Files\Messenger\msmsgs.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F30F91
.text C:\Program Files\Messenger\msmsgs.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F1005D
.text C:\Program Files\Messenger\msmsgs.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10042
.text C:\Program Files\Messenger\msmsgs.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FD2
.text C:\Program Files\Messenger\msmsgs.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\Program Files\Messenger\msmsgs.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10031
.text C:\Program Files\Messenger\msmsgs.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3
.text C:\Program Files\Messenger\msmsgs.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F20025
.text C:\Program Files\Messenger\msmsgs.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20FAF
.text C:\Program Files\Messenger\msmsgs.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F20014
.text C:\Program Files\Messenger\msmsgs.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20FDE
.text C:\Program Files\Messenger\msmsgs.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20076
.text C:\Program Files\Messenger\msmsgs.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F20FEF
.text C:\Program Files\Messenger\msmsgs.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F20051
.text C:\Program Files\Messenger\msmsgs.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20040
.text C:\Program Files\Messenger\msmsgs.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F0000A
.text C:\Program Files\Messenger\msmsgs.exe[780] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00EF0000
.text C:\Program Files\Messenger\msmsgs.exe[780] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00EF0FE5
.text C:\Program Files\Messenger\msmsgs.exe[780] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00EF0FCA
.text C:\Program Files\Messenger\msmsgs.exe[780] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00EF0FAF
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F8F
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070084
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070069
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FAC
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F59
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F6A
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F19
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700B2
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700CD
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070058
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070095
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F3E
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0006007D
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060062
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005002E
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FA3
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FC8
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F8A
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F8007F
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80FA5
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80FC0
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80047
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F5E
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F8009A
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800E3
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800C8
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800FE
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80062
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F6F
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80036
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F800B7
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70040
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70091
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70025
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70076
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F70FD4
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [17, 89]
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F7005B
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60062
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F6003D
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F60022
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F60FCD
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\lsass.exe[816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02450000
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02450F8A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02450089
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0245006E
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02450051
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02450FAF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024500C8
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024500B7
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024500FE
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02450F65
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02450F4A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02450040
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02450011
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0245009A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02450FC0
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02450FDB
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024500E3
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02440FB6
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02440F79
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02440011
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02440FDB
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02440036
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02440000
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02440F94
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [64, 8A]
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02440FA5
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0243004C
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!system 77C293C7 5 Bytes JMP 02430FB7
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02430027
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02430FE3
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02430FD2
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0243000C
.text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02420000
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F7009A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70089
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70078
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F7005B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F700DA
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F700BF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F70117
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700FC
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70128
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F70F94
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70040
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F700EB
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60014
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F6005B
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60FC3
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60040
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F6002F
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60FB2
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50F97
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F50FB2
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50011
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50FE3
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50022
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 055A000A
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 055A005B
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 055A0F5C
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 055A0F83
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 055A0F9E
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 055A0FC0
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 055A0076
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 055A0F2E
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 055A0EF8
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 055A0F13
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 055A0EDD
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 055A0FAF
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 055A001B
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 055A0F4B
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 055A002C
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 055A0FE5
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 055A0091
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 05590FB9
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 05590065
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05590014
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05590FDE
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0559004A
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05590FEF
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 05590039
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05590FA8
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 05580FAD
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!system 77C293C7 5 Bytes JMP 05580038

memento2012
Novice

Posts : 23
Joined : 2009-09-20
OS : XP
Points : 26406
# Likes : 0

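The listing above can be triaged mechanically. The script below is an added example for readers of this thread, not code from the post or from GMER: it parses the three listing shapes visible in the log (SSDT/Code entries, kernel code-section patches, user code-section patches), counts the kernel patches per claimed owner together with the address range their JMPs land in, and, per process, counts the user-mode hooks whose JMP target GMER could not attribute to any loaded module (the bare "JMP 00BF0000"-style lines in svchost.exe[688] and the other processes). The thread does not say which component placed those user-mode trampolines, so the script only counts them for follow-up; it does not judge them. The sample lines inside the script are constructed copies in the shape of the posted output, the function names are mine, and the regular expressions are written against the GMER 1.0.15 format as shown here.

```python
"""Group the hooks in a GMER log by who owns them. Added example, not part of the
forum post or of GMER: it parses the line shapes visible in the posted 1.0.15 log."""
import re

# Constructed sample in the shape of the GMER output above (one or two lines per listing).
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB1D390B0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB1C7B4EA]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B1C7B518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 2 Bytes JMP B1C7B474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess + 3 805CB40B 2 Bytes [6B, 31]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0EF7
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930F7C
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50000
"""

SECTION_RE = re.compile(r"^---- .+? - GMER [\d.]+ ----$")
# "SSDT <driver> (<description>) <function> [0x<addr>]"  (Code lines may omit the address)
SSDT_RE = re.compile(r"^(?P<kind>SSDT|Code)\s+(?P<driver>.+?)\s+\((?P<desc>[^)]*)\)\s+"
                     r"(?P<func>\w+)(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?\s*$")
# "<section> <image>!<func>[ + off] <addr> <n> Bytes JMP <target>[ <owner>]"
# or the tail of a split patch: "<section> <image>!<func> + off <addr> <n> Bytes [<raw>]"
PATCH_RE = re.compile(r"^(?P<section>\.\w+|PAGE|INIT)\s+(?P<image>.+?)!(?P<func>\S+?)"
                      r"(?:\s+\+\s+\d+)?\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+) Bytes\s+"
                      r"(?:JMP (?P<target>[0-9A-Fa-f]{8})\s*(?P<owner>.*)|\[(?P<raw>[^\]]*)\].*)$")
PROC_RE = re.compile(r"^(?P<path>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)$")  # user-mode image


def parse_gmer(text):
    """Return {"ssdt": [...], "kernel": [...], "user": [...]} for one GMER log.
    A '<func> + 3 ... [6B, 31]' line is folded into the JMP entry before it: GMER lists
    only the bytes that differ from the on-disk image, so a 5-byte JMP whose byte at +2
    happens to equal the original is printed as a 2-byte JMP plus a 2-byte tail at +3."""
    out, last = {"ssdt": [], "kernel": [], "user": []}, None
    for line in text.splitlines():
        if SECTION_RE.match(line):
            last = None
            continue
        m = SSDT_RE.match(line)
        if m:
            d = m.groupdict()
            d["addr"] = int(d["addr"], 16) if d["addr"] else None
            out["ssdt"].append(d)
            continue
        m = PATCH_RE.match(line)
        if not m:
            continue
        if m.group("raw") is not None:            # tail of a split patch
            if last is not None and last["func"] == m.group("func"):
                last["raw_tail"] = m.group("raw")
                last["bytes"] += int(m.group("n"))
            continue
        last = {"func": m.group("func"), "addr": int(m.group("addr"), 16),
                "bytes": int(m.group("n")), "target": int(m.group("target"), 16),
                "owner": m.group("owner").strip(), "raw_tail": None}
        pm = PROC_RE.match(m.group("image"))       # "<path>[<pid>] <module>" marks user mode
        if pm:
            last.update(process=pm.group("path"), pid=int(pm.group("pid")),
                        module=pm.group("module"))
            out["user"].append(last)
        else:
            last["module"] = m.group("image")
            out["kernel"].append(last)
    return out


def kernel_hooks_by_owner(parsed):
    """Per claimed owner (path only, description dropped): patch count and the
    (lowest, highest) JMP target. One driver's trampolines should sit in one small
    range; an outlier claiming the same owner deserves a closer look."""
    per = {}
    for h in parsed["kernel"]:
        owner, t = h["owner"].split(" (")[0], h["target"]
        rec = per.setdefault(owner, {"hooks": 0, "span": (t, t)})
        rec["hooks"] += 1
        rec["span"] = (min(rec["span"][0], t), max(rec["span"][1], t))
    return per


def user_hooks_by_process(parsed):
    """Per process: hook count, the 64 KiB regions the JMPs land in, and how many
    targets GMER left unattributed (no module name after the address, i.e. memory not
    backed by a loaded image, where injected HIPS stubs and injected malware both live)."""
    per = {}
    for h in parsed["user"]:
        name = h["process"].rsplit("\\", 1)[-1]
        rec = per.setdefault(f"{name}[{h['pid']}]", {"hooks": 0, "regions": set(), "unattributed": 0})
        rec["hooks"] += 1
        rec["regions"].add(h["target"] & 0xFFFF0000)
        if not h["owner"]:
            rec["unattributed"] += 1
    return per


if __name__ == "__main__":
    p = parse_gmer(SAMPLE_LOG)
    print("kernel patches by owner:", kernel_hooks_by_owner(p))
    for proc, rec in sorted(user_hooks_by_process(p).items()):
        print(f"{proc}: {rec['hooks']} hooks, {rec['unattributed']} unattributed, "
              f"regions {[hex(r) for r in sorted(rec['regions'])]}")
```

The "+ 3" folding is not a guess: the rel32 for a JMP from 805CB408 to B1C7B474 is B1C7B474 - 805CB40D = 316B0067, stored little-endian as 67 00 6B 31, so the byte at +2 (00) matched the original and GMER reported only 6B 31 at +3, exactly the "[6B, 31]" line in the log. The same arithmetic for RegCreateKeyW (00930F7C - 77DFBA5A mod 2^32 = 88B35522, bytes 22 55 B3 88) reproduces the "[B3, 88] {MOV BL, 0x88}" tail. On the full log the kernel side resolves to two named drivers (SASKUTIL.sys and mfehidk.sys); the unattributed user-mode targets are the part that still needs an owner before anything is declared clean.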

Re: another antivirus 2010 problem

Post by memento2012 on Mon Sep 28, 2009 8:52 pm

.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0558001D
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 05580000
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 05580FD2
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 05580FEF
.text C:\WINDOWS\System32\svchost.exe[1180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02000FEF
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 01FF0000
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 01FF0011
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 01FF0022
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 01FF003D
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650098
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650087
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650FAD
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650FCA
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650051
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650F81
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006500C9
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500FC
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500EB
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0065010D
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650062
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00650F92
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0065002C
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006500DA
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640FB9
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640051
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640FD4
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640F8A
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0064002C
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0064001B
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0063003F
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630FB4
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0063001D
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0063002E
.text C:\WINDOWS\system32\svchost.exe[1212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0063000C
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0080002C
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00800F37
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00800F54
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00800F8A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00800F1A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00800062
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00800EF5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00800098
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008000A9
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00800F6F
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00800047
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00800FAF
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0080007D
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007F0FC3
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007F005B
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007F0FD4
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007F004A
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007F0039
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007F0FB2
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007E004B
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 007E0FCA
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007E003A
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007E0029
.text C:\WINDOWS\system32\svchost.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F6F
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00F94
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00FA5
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00062
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00FCA
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00090
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F54
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A000C3
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A000B2
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A000D4
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A00051
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A0007F
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00036
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A0001B
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A000A1
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009F0FD4
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009F0F94
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009F001B
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009F0051
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009F0040
.text C:\WINDOWS\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009F0FB9
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009E005A
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!system 77C293C7 5 Bytes JMP 009E0049
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009E0FE3
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009E000C
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009E002E
.text C:\WINDOWS\system32\svchost.exe[1380] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009E001D
.text C:\WINDOWS\system32\svchost.exe[1380] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC00BD
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC00A2
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0087
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC006C
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0036
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0104
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC00E9
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F7C
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC0F8D
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0130
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC005B
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC00CE
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC0025
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC000A
.text C:\WINDOWS\Explorer.EXE[1724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC0115
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20036
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20087
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C2001B
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20FCA
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C20062
.text C:\WINDOWS\Explorer.EXE[1724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20047
.text C:\WINDOWS\Explorer.EXE[1724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\Explorer.EXE[1724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10FDE
.text C:\WINDOWS\Explorer.EXE[1724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10029
.text C:\WINDOWS\Explorer.EXE[1724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\Explorer.EXE[1724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10044
.text C:\WINDOWS\Explorer.EXE[1724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C1000C
.text C:\WINDOWS\Explorer.EXE[1724] WININET.dll!InternetOpenA 3D94C879 5 Bytes JMP 00BE0000
.text C:\WINDOWS\Explorer.EXE[1724] WININET.dll!InternetOpenW 3D94CEA9 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\Explorer.EXE[1724] WININET.dll!InternetOpenUrlA 3D950BD2 5 Bytes JMP 00BE0011
.text C:\WINDOWS\Explorer.EXE[1724] WININET.dll!InternetOpenUrlW 3D99B081 5 Bytes JMP 00BE0022
.text C:\WINDOWS\Explorer.EXE[1724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0078
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A005D
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F83
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F94
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A009F
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F57
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00D8
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F35
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F24
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0036
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F68
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[2540] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F46
.text C:\WINDOWS\System32\svchost.exe[2540] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290036
.text C:\WINDOWS\System32\svchost.exe[2540] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FC0
.text C:\WINDOWS\System32\svchost.exe[2540] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[2540] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[2540] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290073
.text C:\WINDOWS\System32\svchost.exe[2540] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[2540] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290062
.text C:\WINDOWS\System32\svchost.exe[2540] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290051
.text C:\WINDOWS\System32\svchost.exe[2540] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0FAD
.text C:\WINDOWS\System32\svchost.exe[2540] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FBE
.text C:\WINDOWS\System32\svchost.exe[2540] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FE3
.text C:\WINDOWS\System32\svchost.exe[2540] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[2540] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E002E
.text C:\WINDOWS\System32\svchost.exe[2540] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0011
.text C:\WINDOWS\System32\svchost.exe[2540] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F80
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A007F
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0062
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0047
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F6F
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00D2
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00C1
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00E3
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0036
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A000A
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0090
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\dllhost.exe[2640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F43
.text C:\WINDOWS\system32\dllhost.exe[2640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F86
.text C:\WINDOWS\system32\dllhost.exe[2640] msvcrt.dll!system 77C293C7 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\dllhost.exe[2640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FB5
.text C:\WINDOWS\system32\dllhost.exe[2640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FE3
.text C:\WINDOWS\system32\dllhost.exe[2640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029000A
.text C:\WINDOWS\system32\dllhost.exe[2640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FC6
.text C:\WINDOWS\system32\dllhost.exe[2640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[2640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0058
.text C:\WINDOWS\system32\dllhost.exe[2640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FB9
.text C:\WINDOWS\system32\dllhost.exe[2640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\dllhost.exe[2640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0047
.text C:\WINDOWS\system32\dllhost.exe[2640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\dllhost.exe[2640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\dllhost.exe[2640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0011
.text C:\WINDOWS\system32\dllhost.exe[2640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10F81
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10F9C
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10076
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10065
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F53
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C1009B
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10F27
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C100C0
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C100DB
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10F70
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\svchost.exe[2784] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F42
.text C:\WINDOWS\system32\svchost.exe[2784] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00040
.text C:\WINDOWS\system32\svchost.exe[2784] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C0007D
.text C:\WINDOWS\system32\svchost.exe[2784] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\svchost.exe[2784] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00014
.text C:\WINDOWS\system32\svchost.exe[2784] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00FC0
.text C:\WINDOWS\system32\svchost.exe[2784] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[2784] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C0006C
.text C:\WINDOWS\system32\svchost.exe[2784] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C0005B
.text C:\WINDOWS\system32\svchost.exe[2784] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0042
.text C:\WINDOWS\system32\svchost.exe[2784] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0027
.text C:\WINDOWS\system32\svchost.exe[2784] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0016
.text C:\WINDOWS\system32\svchost.exe[2784] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[2784] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0FB7
.text C:\WINDOWS\system32\svchost.exe[2784] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[2784] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0FA1
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0096
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0FB2
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0FC3
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0040
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F75
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F86
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00F0
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC00DF
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0F46
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0065
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC00B1
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[2976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC00CE
.text C:\WINDOWS\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F7C
.text C:\WINDOWS\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0F8D
.text C:\WINDOWS\system32\svchost.exe[2976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB002F
.text C:\WINDOWS\system32\svchost.exe[2976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0F9E
.text C:\WINDOWS\system32\svchost.exe[2976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0FBE
.text C:\WINDOWS\system32\svchost.exe[2976] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FCF
.text C:\WINDOWS\system32\svchost.exe[2976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA002E
.text C:\WINDOWS\system32\svchost.exe[2976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[2976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA003F
.text C:\WINDOWS\system32\svchost.exe[2976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0011

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 rel 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 rel 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

memento2012
Novice

Posts : 23
Joined : 2009-09-20
OS : XP
Points : 26406
# Likes : 0

Re: another antivirus 2010 problem

Post by Belahzur on Tue Sep 29, 2009 12:13 am

Hello.
Can you post a NEW uninstall log? Same instructions for getting one of those logs as before.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Re: another antivirus 2010 problem

Post by memento2012 on Tue Sep 29, 2009 2:09 am

Here is the new uninstall log from HijackThis. Thanks.


Ad-Aware 2007
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
AnswerWorks 4.0 Runtime - English
Apple Software Update
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Desktop Doctor
Enhanced Multimedia Keyboard Solution
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Grandmaster Challenge
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Update
HP Web Helper
iPod for Windows 2005-02-07
iTunes
Java(TM) 6 Update 16
KENWOOD Music Editor
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 60 days trial
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mouse Suite
Mozilla Firefox (3.5.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
NVIDIA Drivers
Otto
PaperVision Document Viewer Controls
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Sansa Media Converter
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SUPERAntiSpyware Free Edition
Symantec KB-DocID:2003093015493306
TurboTax Home & Business 2007
TVUPlayer 2.3.4.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Updates from HP (remove only)
VC 9.0 Runtime
WildTangent Web Driver
Windows Defender
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Yahoo! Toolbar for Internet Explorer
ZoneAlarm Spy Blocker Toolbar

memento2012
Novice

Posts : 23
Joined : 2009-09-20
OS : XP
Points : 26406
# Likes : 0

Re: another antivirus 2010 problem

Post by Belahzur on Tue Sep 29, 2009 10:39 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    ZoneAlarm Spy Blocker Toolbar

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Re: another antivirus 2010 problem

Post by memento2012 on Wed Sep 30, 2009 2:23 am

Thanks for your help, Belahzur. The computer is running well. From now on I will be very careful not to browse unknown websites. I have three anti-spyware programs downloaded to the computer and hopefully that will prevent future problems.

I was able to remove the ZoneAlarm toolbar and uninstall ComboFix. I also set up a new system restore point.
Thank you!

memento2012
Novice

Posts : 23
Joined : 2009-09-20
OS : XP
Points : 26406
# Likes : 0
