TechSpot

Can someone confirm that I'm now clear of the antivir virus?

By alfrot
Aug 14, 2010
  1. Hi

    I've not worried about viruses for a while, but my Saturday was ruined by what looked like the antivir virus. I ran all the checks in your helpful 8-step instructions (http://www.techspot.com/vb/topic58138.html) and Malwarebytes' program appeared to catch it.

    But I'm concerned that a couple of times since then my computer's just turned itself off for no reason.

    I've got the MBAM, GMER and both DDS logs which I'll append below.

    I also want to say that I am amazed that you do this, and very grateful!

    Andrew

    MBAM:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4427

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 7.0.6002.18005

    14/08/2010 15:23:49
    mbam-log-2010-08-14 (15-23-49).txt

    Scan type: Quick scan
    Objects scanned: 130847
    Time elapsed: 6 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{af4f29ac-8686-796b-72e3-cc37255a2d3c} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{531e3990-7e8e-cc75-3919-792b57422d0a} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gopxnxjd (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfgtwpcj (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  2. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    GMER

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-14 16:34:30
    Windows 6.0.6002 Service Pack 2
    Running: kurls4u6.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\ugldrpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x8F50DE26]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x8F50E704]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x8F50E864]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x8F512086]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x8F5120B8]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x8F51221A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x8F50E7C8]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x8F50DF6A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x8F50E15C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x8F50E28E]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x8F512190]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x8F5120FA]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x8F51212C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x8F51215E]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x8F50DDCC]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x8F50E8C4]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x8F51201E]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x8F50DD68]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x8F50DCBC]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x8F50DD04]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F56673C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F566750]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F5667E0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F566823]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F56677A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F5667F6]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F5667CC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F566766]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 834349D2 5 Bytes JMP 8F5667D0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    .text ntkrnlpa.exe!KeSetEvent + 191 834B58F4 4 Bytes [26, DE, 50, 8F] {FICOM WORD ES:[EAX-0x71]}
    .text ntkrnlpa.exe!KeSetEvent + 1D9 834B593C 4 Bytes [04, E7, 50, 8F]
    .text ntkrnlpa.exe!KeSetEvent + 2D1 834B5A34 8 Bytes CALL A3D1E989
    .text ntkrnlpa.exe!KeSetEvent + 2E1 834B5A44 4 Bytes [B8, 20, 51, 8F]
    .text ntkrnlpa.exe!KeSetEvent + 381 834B5AE4 4 Bytes [1A, 22, 51, 8F]
    .text ...
    PAGE ntkrnlpa.exe!ZwNotifyChangeKey 835C85B5 5 Bytes JMP 8F566827 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateUserProcess 835D2B82 5 Bytes JMP 8F56676A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 836194FA 7 Bytes JMP 8F5667E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 836197BD 5 Bytes JMP 8F5667FA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 8361D528 5 Bytes JMP 8F56677E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 8369A8BF 5 Bytes JMP 8F566740 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 8369A90A 7 Bytes JMP 8F566754 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8AB51000, 0x4036D, 0xE8000020]
    .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8AB9A000, 0x510, 0x40000040]
    .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E40A000, 0x1FB52A, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\services.exe[616] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 001C0F5F
    .text C:\Windows\system32\services.exe[616] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 001C00AF
    .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 001C0F22
    .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 001C0F33
    .text C:\Windows\system32\services.exe[616] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 001C0080
    .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 001C0025
    .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 001C004A
    .text C:\Windows\system32\services.exe[616] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 001C0F7A
    .text C:\Windows\system32\services.exe[616] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 001C0FB2
    .text C:\Windows\system32\services.exe[616] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 001C0FC3
    .text C:\Windows\system32\services.exe[616] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 001C006F
    .text C:\Windows\system32\services.exe[616] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 001C0FDE
    .text C:\Windows\system32\services.exe[616] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 001C0F95
    .text C:\Windows\system32\services.exe[616] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 001C0F07
    .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 001C0014
    .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 001C0FEF
    .text C:\Windows\system32\services.exe[616] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 001C0F4E
    .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 0034006C
    .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00340036
    .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00340000
    .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00340051
    .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00340FA5
    .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 0034001B
    .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00340FDB
    .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00340FCA
    .text C:\Windows\system32\services.exe[616] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 0033005D
    .text C:\Windows\system32\services.exe[616] msvcrt.dll!system 7786804B 5 Bytes JMP 0033004C
    .text C:\Windows\system32\services.exe[616] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 00330016
    .text C:\Windows\system32\services.exe[616] msvcrt.dll!_open 7786D106 5 Bytes JMP 00330FEF
    .text C:\Windows\system32\services.exe[616] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 00330031
    .text C:\Windows\system32\services.exe[616] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00330FD2
    .text C:\Windows\system32\services.exe[616] WS2_32.dll!socket 765336D1 5 Bytes JMP 00320FE5
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 001C00A1
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 001C0F5B
    .text
     
  3. alfrot


    GMER part 2 of 6

    C:\Windows\system32\lsass.exe[628] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 001C00D7
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 001C00BC
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 001C0F80
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 001C001B
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 001C002C
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 001C0086
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 001C0F9B
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 001C0FB6
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 001C0058
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 001C003D
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 001C0075
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 001C00E8
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 001C000A
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 001C0FEF
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 001C0F40
    .text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 001F002F
    .text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 001F0FA1
    .text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 001F0FE5
    .text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 001F001E
    .text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 001F0040
    .text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 001F0FC3
    .text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 001F0FD4
    .text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 001F0FB2
    .text C:\Windows\system32\lsass.exe[628] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 001E003B
    .text C:\Windows\system32\lsass.exe[628] msvcrt.dll!system 7786804B 5 Bytes JMP 001E0020
    .text C:\Windows\system32\lsass.exe[628] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 001E0FC1
    .text C:\Windows\system32\lsass.exe[628] msvcrt.dll!_open 7786D106 5 Bytes JMP 001E0FEF
    .text C:\Windows\system32\lsass.exe[628] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 001E0FA6
    .text C:\Windows\system32\lsass.exe[628] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 001E0FDE
    .text C:\Windows\system32\lsass.exe[628] WS2_32.dll!socket 765336D1 5 Bytes JMP 001D0FEF
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 002600D0
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 002600AB
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00260F5B
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 002600F2
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 0026006E
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00260011
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00260FCA
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 0026009A
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 0026005D
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00260040
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00260F94
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00260FB9
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00260089
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00260F40
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00260000
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00260FE5
    .text C:\Windows\system32\svchost.exe[772] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 002600E1
    .text C:\Windows\system32\svchost.exe[772] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00280FC1
    .text C:\Windows\system32\svchost.exe[772] msvcrt.dll!system 7786804B 5 Bytes JMP 00280042
    .text C:\Windows\system32\svchost.exe[772] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 00280FD2
    .text C:\Windows\system32\svchost.exe[772] msvcrt.dll!_open 7786D106 5 Bytes JMP 00280FEF
    .text C:\Windows\system32\svchost.exe[772] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 00280031
    .text C:\Windows\system32\svchost.exe[772] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00280000
    .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 00290F9E
    .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00290FC3
    .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00290FEF
    .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 0029004A
    .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00290065
    .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 0029000A
    .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00290FD4
    .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 0029002F
    .text C:\Windows\system32\svchost.exe[772] WS2_32.dll!socket 765336D1 5 Bytes JMP 00270FEF
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 001C0F43
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 001C0089
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 001C00D0
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 001C00BF
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 001C0F8A
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 001C002C
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 001C003D
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 001C0F68
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 001C0F9B
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 001C0FC7
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 001C0FB6
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 001C004E
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 001C0F79
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 001C0F1E
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 001C001B
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 001C000A
    .text C:\Windows\system32\svchost.exe[904] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 001C00AE
    .text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 006A0F9E
    .text C:\Windows\system32\svchost.exe[904] msvcrt.dll!system 7786804B 5 Bytes JMP 006A0FAF
    .text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 006A0FD4
    .text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_open 7786D106 5 Bytes JMP 006A0000
    .text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 006A0029
    .text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 006A0FEF
    .text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 006B0054
    .text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 006B0039
    .text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 006B0FEF
    .text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 006B0FA8
    .text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 006B0065
    .text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 006B0FD4
    .text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 006B0014
    .text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 006B0FC3
    .text
     
  4. alfrot


    GMER part 3 of 6

    C:\Windows\system32\svchost.exe[904] WS2_32.dll!socket 765336D1 5 Bytes JMP 001D000A
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 00FD00A4
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00FD0F5E
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00FD0F28
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00FD00BF
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00FD0F94
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00FD0FE5
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00FD0036
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 00FD0F83
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00FD0062
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00FD0047
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00FD0FA5
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00FD0FC0
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00FD0093
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00FD00D0
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00FD001B
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00FD0000
    .text C:\Windows\System32\svchost.exe[952] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 00FD0F43
    .text C:\Windows\System32\svchost.exe[952] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 0129004B
    .text C:\Windows\System32\svchost.exe[952] msvcrt.dll!system 7786804B 5 Bytes JMP 0129003A
    .text C:\Windows\System32\svchost.exe[952] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 01290029
    .text C:\Windows\System32\svchost.exe[952] msvcrt.dll!_open 7786D106 5 Bytes JMP 0129000C
    .text C:\Windows\System32\svchost.exe[952] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 01290FD4
    .text C:\Windows\System32\svchost.exe[952] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 01290FEF
    .text C:\Windows\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 012A0080
    .text C:\Windows\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 012A005B
    .text C:\Windows\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 012A0000
    .text C:\Windows\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 012A0FD4
    .text C:\Windows\System32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 012A0091
    .text C:\Windows\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 012A0036
    .text C:\Windows\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 012A001B
    .text C:\Windows\System32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 012A0FEF
    .text C:\Windows\System32\svchost.exe[952] WS2_32.dll!socket 765336D1 5 Bytes JMP 01280FEF
    .text C:\Windows\System32\svchost.exe[952] wininet.dll!InternetOpenA 77D6D47D 5 Bytes JMP 012B0000
    .text C:\Windows\System32\svchost.exe[952] wininet.dll!InternetOpenW 77D6D7DA 5 Bytes JMP 012B001B
    .text C:\Windows\System32\svchost.exe[952] wininet.dll!InternetOpenUrlA 77D6FE4B 5 Bytes JMP 012B0036
    .text C:\Windows\System32\svchost.exe[952] wininet.dll!InternetOpenUrlW 77DB9139 5 Bytes JMP 012B0047
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1044] ntdll.dll!KiUserApcDispatcher 77C35D18 5 Bytes JMP 00414A50 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1044] USER32.dll!InSendMessageEx + 3B1 779AE6B0 6 Bytes JMP 716E001E
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1044] WS2_32.dll!getaddrinfo 7653418A 5 Bytes JMP 71640022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1044] WS2_32.dll!gethostbyname 765462D4 5 Bytes JMP 71670022
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 00880F61
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00880F7C
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 008800EE
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 008800DD
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 0088009D
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00880011
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00880036
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 00880F8D
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00880076
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00880FB9
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00880065
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00880FCA
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00880F9E
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 008800FF
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00880000
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00880FE5
    .text C:\Windows\System32\svchost.exe[1144] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 008800C2
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 008E0F7F
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!system 7786804B 5 Bytes JMP 008E0F90
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 008E0FC6
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_open 7786D106 5 Bytes JMP 008E0FE3
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 008E0FAB
    .text C:\Windows\System32\svchost.exe[1144] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 008E0000
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 00A80FA8
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00A80FCA
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00A8000A
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00A80FB9
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00A8005B
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00A8002C
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00A8001B
    .text C:\Windows\System32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00A80FDB
    .text C:\Windows\System32\svchost.exe[1144] WS2_32.dll!socket 765336D1 5 Bytes JMP 007E0000
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 00A70F43
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00A70F5E
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00A70F0D
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00A70F28
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00A7006E
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00A70FDB
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00A70FC0
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 00A70089
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00A7005D
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00A7002C
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00A70F94
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00A70FA5
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00A70F79
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00A700BF
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00A70011
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00A70000
    .text C:\Windows\System32\svchost.exe[1168] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 00A700AE
    .text C:\Windows\System32\svchost.exe[1168] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 01640FB2
    .text C:\Windows\System32\svchost.exe[1168] msvcrt.dll!system 7786804B 5 Bytes JMP 0164003D
    .text C:\Windows\System32\svchost.exe[1168] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 01640018
    .text C:\Windows\System32\svchost.exe[1168] msvcrt.dll!_open 7786D106 5 Bytes JMP 01640FEF
    .text C:\Windows\System32\svchost.exe[1168] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 01640FC3
    .text C:\Windows\System32\svchost.exe[1168] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 01640FDE
    .text C:\Windows\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 01750051
    .text C:\Windows\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 01750FCA
    .text C:\Windows\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 0175000A
    .text C:\Windows\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 01750FAF
    .text C:\Windows\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 0175006C
    .text C:\Windows\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 01750036
    .text C:\Windows\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 0175001B
    .text C:\Windows\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 01750FDB
    .text C:\Windows\System32\svchost.exe[1168] WS2_32.dll!socket 765336D1 5 Bytes JMP 00FF0FEF
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 00EF009B
    .text
     
  5. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    GMER part 4 of 6
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00EF008A
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00EF00BD
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00EF00AC
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00EF0F70
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00EF0FC3
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00EF0FB2
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 00EF0065
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00EF004A
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00EF002F
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00EF0F8D
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00EF001E
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00EF0F5F
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00EF0F0B
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00EF0FDE
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00EF0FEF
    .text C:\Windows\system32\svchost.exe[1188] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 00EF0F3A
    .text C:\Windows\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 01200F86
    .text C:\Windows\system32\svchost.exe[1188] msvcrt.dll!system 7786804B 5 Bytes JMP 01200F97
    .text C:\Windows\system32\svchost.exe[1188] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 01200FC3
    .text C:\Windows\system32\svchost.exe[1188] msvcrt.dll!_open 7786D106 5 Bytes JMP 01200FEF
    .text C:\Windows\system32\svchost.exe[1188] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 01200FB2
    .text C:\Windows\system32\svchost.exe[1188] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 01200FDE
    .text C:\Windows\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 01250040
    .text C:\Windows\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 0125000A
    .text C:\Windows\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 01250FE5
    .text C:\Windows\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 01250025
    .text C:\Windows\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 01250F83
    .text C:\Windows\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 01250FB9
    .text C:\Windows\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 01250FCA
    .text C:\Windows\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 01250F9E
    .text C:\Windows\system32\svchost.exe[1188] WS2_32.dll!socket 765336D1 5 Bytes JMP 00B10000
    .text C:\Windows\system32\svchost.exe[1188] WININET.dll!InternetOpenA 77D6D47D 5 Bytes JMP 00B20FE5
    .text C:\Windows\system32\svchost.exe[1188] WININET.dll!InternetOpenW 77D6D7DA 5 Bytes JMP 00B20000
    .text C:\Windows\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 77D6FE4B 5 Bytes JMP 00B20FCA
    .text C:\Windows\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 77DB9139 5 Bytes JMP 00B20FB9
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1248] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1248] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 00B5008E
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00B50F48
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00B50F12
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00B50F2D
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00B50F7E
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00B50011
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00B50022
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 00B50F63
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00B50058
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00B5003D
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00B50F9B
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00B50FB6
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00B50073
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00B50F01
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00B50000
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00B50FEF
    .text C:\Windows\system32\svchost.exe[1332] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 00B500A9
    .text C:\Windows\system32\svchost.exe[1332] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00EF005F
    .text C:\Windows\system32\svchost.exe[1332] msvcrt.dll!system 7786804B 5 Bytes JMP 00EF0044
    .text C:\Windows\system32\svchost.exe[1332] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 00EF0FDE
    .text C:\Windows\system32\svchost.exe[1332] msvcrt.dll!_open 7786D106 5 Bytes JMP 00EF0000
    .text C:\Windows\system32\svchost.exe[1332] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 00EF0029
    .text C:\Windows\system32\svchost.exe[1332] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00EF0FEF
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 778F39AB 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 00F40FAF
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00F40040
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00F40FEF
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00F40051
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00F40F94
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00F40FD4
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00F4000A
    .text C:\Windows\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00F40025
    .text C:\Windows\system32\svchost.exe[1332] WS2_32.dll!socket 765336D1 5 Bytes JMP 00690000
    .text C:\Windows\system32\svchost.exe[1332] WinInet.dll!InternetOpenA 77D6D47D 5 Bytes JMP 00FF0000
    .text C:\Windows\system32\svchost.exe[1332] WinInet.dll!InternetOpenW 77D6D7DA 5 Bytes JMP 00FF0FE5
    .text C:\Windows\system32\svchost.exe[1332] WinInet.dll!InternetOpenUrlA 77D6FE4B 5 Bytes JMP 00FF0FCA
    .text C:\Windows\system32\svchost.exe[1332] WinInet.dll!InternetOpenUrlW 77DB9139 5 Bytes JMP 00FF0025
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 006D00A5
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 006D0F69
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 006D00E2
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 006D00D1
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 006D0F8B
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 006D0FDE
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 006D0FC3
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 006D0F7A
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 006D0FA8
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 006D004A
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 006D005B
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 006D002F
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 006D0080
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 006D0F30
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 006D000A
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 006D0FEF
    .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 006D00B6
    .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 008C0FAD
    .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!system 7786804B 5 Bytes JMP 008C002E
    .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 008C0FC8
    .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_open 7786D106 5 Bytes JMP 008C0FEF
    .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 008C001D
    .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 008C000C
    .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 0091005B
    .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00910040
     
  6. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    GMER part 5 of 6


    .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 0091000A
    .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00910FB9
    .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00910F9E
    .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00910FDE
    .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00910FEF
    .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 0091002F
    .text C:\Windows\system32\svchost.exe[1540] WS2_32.dll!socket 765336D1 5 Bytes JMP 006C000A
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 00910F26
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00910F4B
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00910EE6
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00910087
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00910040
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00910FB9
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00910F9E
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 0091006C
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 0091002F
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00910014
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00910F72
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00910F8D
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00910051
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00910ECB
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00910FCA
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00910FEF
    .text C:\Windows\system32\svchost.exe[1780] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 00910F15
    .text C:\Windows\system32\svchost.exe[1780] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00960F70
    .text C:\Windows\system32\svchost.exe[1780] msvcrt.dll!system 7786804B 5 Bytes JMP 00960F8B
    .text C:\Windows\system32\svchost.exe[1780] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 00960FC1
    .text C:\Windows\system32\svchost.exe[1780] msvcrt.dll!_open 7786D106 5 Bytes JMP 00960FEF
    .text C:\Windows\system32\svchost.exe[1780] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 00960FA6
    .text C:\Windows\system32\svchost.exe[1780] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00960FD2
    .text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 009B0036
    .text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 009B0FA5
    .text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 009B0000
    .text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 009B0F8A
    .text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 009B0047
    .text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 009B0FCA
    .text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 009B0FE5
    .text C:\Windows\system32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 009B001B
    .text C:\Windows\system32\svchost.exe[1780] WS2_32.dll!socket 765336D1 5 Bytes JMP 002F0FE5
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 001F0FA5
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 001F00EB
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 001F0121
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 001F00FC
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 001F00A1
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 001F001B
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 001F002C
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 001F0FB6
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 001F0090
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 001F0058
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 001F0073
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 001F0047
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 001F00BC
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 001F0F6F
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 001F000A
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 001F0FEF
    .text C:\Windows\system32\svchost.exe[2132] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 001F0F80
    .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 0020008B
    .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!system 7786804B 5 Bytes JMP 00200070
    .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 0020003A
    .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_open 7786D106 5 Bytes JMP 0020000C
    .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 00200055
    .text C:\Windows\system32\svchost.exe[2132] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00200029
    .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 0076002F
    .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00760FA1
    .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00760FEF
    .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 0076001E
    .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00760054
    .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00760FCD
    .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00760FDE
    .text C:\Windows\system32\svchost.exe[2132] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00760FB2
    .text C:\Windows\system32\svchost.exe[2132] WS2_32.dll!socket 765336D1 5 Bytes JMP 001E0000
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 009600EB
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00960FA5
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00960F6F
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00960106
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00960FC0
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00960025
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00960036
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 009600D0
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 0096009A
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00960062
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 0096007D
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00960047
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 009600B5
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00960F54
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00960FEF
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00960000
    .text C:\Windows\system32\svchost.exe[2216] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 00960F8A
    .text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00970FAD
    .text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!system 7786804B 5 Bytes JMP 00970042
    .text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 00970FC8
    .text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_open 7786D106 5 Bytes JMP 00970000
    .text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 00970027
    .text C:\Windows\system32\svchost.exe[2216] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00970FEF
    .text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 00980F9E
    .text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00980FCA
    .text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00980000
     
  7. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    GMER part 6 of 6

    .text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00980FB9
    .text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00980051
    .text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00980036
    .text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 0098001B
    .text C:\Windows\system32\svchost.exe[2216] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00980FE5
    .text C:\Windows\system32\svchost.exe[2216] WS2_32.dll!socket 765336D1 5 Bytes JMP 00860000
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2480] ntdll.dll!KiUserApcDispatcher 77C35D18 5 Bytes JMP 00438CE0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2480] WS2_32.dll!getaddrinfo 7653418A 5 Bytes JMP 71670022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2480] WS2_32.dll!gethostbyname 765462D4 5 Bytes JMP 716E0022
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 000500F0
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 000500D5
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 0005011C
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 0005010B
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00050098
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00050036
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00050051
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 000500BA
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00050FCA
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 0005006C
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00050087
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00050FE5
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 000500A9
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00050F6A
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 0005001B
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 0005000A
    .text C:\Windows\System32\svchost.exe[2968] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 00050F8F
    .text C:\Windows\System32\svchost.exe[2968] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00060FAA
    .text C:\Windows\System32\svchost.exe[2968] msvcrt.dll!system 7786804B 5 Bytes JMP 0006003F
    .text C:\Windows\System32\svchost.exe[2968] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 0006001D
    .text C:\Windows\System32\svchost.exe[2968] msvcrt.dll!_open 7786D106 5 Bytes JMP 00060000
    .text C:\Windows\System32\svchost.exe[2968] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 0006002E
    .text C:\Windows\System32\svchost.exe[2968] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00060FE3
    .text C:\Windows\System32\svchost.exe[2968] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 00070033
    .text C:\Windows\System32\svchost.exe[2968] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00070022
    .text C:\Windows\System32\svchost.exe[2968] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00070000
    .text C:\Windows\System32\svchost.exe[2968] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00070F91
    .text C:\Windows\System32\svchost.exe[2968] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00070F80
    .text C:\Windows\System32\svchost.exe[2968] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00070011
    .text C:\Windows\System32\svchost.exe[2968] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00070FDB
    .text C:\Windows\System32\svchost.exe[2968] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00070FB6
    .text C:\Windows\System32\svchost.exe[2968] WS2_32.dll!socket 765336D1 5 Bytes JMP 006D0000
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3064] USER32.dll!TrackPopupMenu 779C14F3 5 Bytes JMP 6081721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 000100B3
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00010F6D
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00010F26
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00010F37
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00010F9C
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 0001001B
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00010FCA
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 000100A2
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00010076
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00010FB9
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 0001005B
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00010036
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00010087
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 000100D8
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00010000
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00010FE5
    .text C:\Windows\Explorer.EXE[4048] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 00010F52
    .text C:\Windows\Explorer.EXE[4048] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 0005005B
    .text C:\Windows\Explorer.EXE[4048] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00050036
    .text C:\Windows\Explorer.EXE[4048] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00050000
    .text C:\Windows\Explorer.EXE[4048] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00050FAF
    .text C:\Windows\Explorer.EXE[4048] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 0005006C
    .text C:\Windows\Explorer.EXE[4048] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00050FE5
    .text C:\Windows\Explorer.EXE[4048] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 0005001B
    .text C:\Windows\Explorer.EXE[4048] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00050FD4
    .text C:\Windows\Explorer.EXE[4048] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00060064
    .text C:\Windows\Explorer.EXE[4048] msvcrt.dll!system 7786804B 5 Bytes JMP 0006003F
    .text C:\Windows\Explorer.EXE[4048] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 0006001D
    .text C:\Windows\Explorer.EXE[4048] msvcrt.dll!_open 7786D106 5 Bytes JMP 0006000C
    .text C:\Windows\Explorer.EXE[4048] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 0006002E
    .text C:\Windows\Explorer.EXE[4048] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00060FEF
    .text C:\Windows\Explorer.EXE[4048] WS2_32.dll!socket 765336D1 5 Bytes JMP 00090FEF
    .text C:\Windows\Explorer.EXE[4048] WININET.dll!InternetOpenA 77D6D47D 5 Bytes JMP 04F5000A
    .text C:\Windows\Explorer.EXE[4048] WININET.dll!InternetOpenW 77D6D7DA 5 Bytes JMP 04F50025
    .text C:\Windows\Explorer.EXE[4048] WININET.dll!InternetOpenUrlA 77D6FE4B 5 Bytes JMP 04F50036
    .text C:\Windows\Explorer.EXE[4048] WININET.dll!InternetOpenUrlW 77DB9139 5 Bytes JMP 04F50FE5
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 000100C2
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 000100A7
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00010F4D
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 000100E4
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00010067
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 0001000A
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00010FB9
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreatePipe 76B08E6E 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 00010F72
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00010F83
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00010040
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00010F94
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 0001001B
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00010078
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00010F32
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00010FD4
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00010FEF
    .text C:\Windows\system32\svchost.exe[4616] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 000100D3
    .text C:\Windows\system32\svchost.exe[4616] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00050FB9
    .text C:\Windows\system32\svchost.exe[4616] msvcrt.dll!system 7786804B 5 Bytes JMP 00050044
    .text C:\Windows\system32\svchost.exe[4616] msvcrt.dll!_creat 7786BBE1 1 Byte [E9]
    .text C:\Windows\system32\svchost.exe[4616] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 00050FE5
    .text C:\Windows\system32\svchost.exe[4616] msvcrt.dll!_open 7786D106 5 Bytes JMP 00050000
    .text C:\Windows\system32\svchost.exe[4616] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 00050FD4
     
  8. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    GMER part, er, 7 of 6 (sorry)

    .text C:\Windows\system32\svchost.exe[4616] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00050029
    .text C:\Windows\system32\svchost.exe[4616] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 00060039
    .text C:\Windows\system32\svchost.exe[4616] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 0006001E
    .text C:\Windows\system32\svchost.exe[4616] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00060FEF
    .text C:\Windows\system32\svchost.exe[4616] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00060FA1
    .text C:\Windows\system32\svchost.exe[4616] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00060F72
    .text C:\Windows\system32\svchost.exe[4616] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00060FC3
    .text C:\Windows\system32\svchost.exe[4616] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00060FD4
    .text C:\Windows\system32\svchost.exe[4616] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00060FB2
    .text C:\Windows\system32\svchost.exe[4616] WS2_32.dll!socket 765336D1 5 Bytes JMP 00070FE5
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 00010098
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 00010F52
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 00010F1C
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00010F37
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00010F92
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 0001001B
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 00010036
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 00010F63
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 0001006C
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00010FC0
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00010FAF
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00010047
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 0001007D
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00010F01
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 0001000A
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00010FE5
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 000100A9
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 00090F8D
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00090FA8
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00090000
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 0009002F
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 00090040
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00090FCA
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00090FDB
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00090FB9
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00170FBE
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] msvcrt.dll!system 7786804B 5 Bytes JMP 00170049
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 0017001D
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] msvcrt.dll!_open 7786D106 5 Bytes JMP 00170000
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 0017002E
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00170FE3
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] WS2_32.dll!socket 765336D1 5 Bytes JMP 001A0000
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] WININET.dll!InternetOpenA 77D6D47D 5 Bytes JMP 019B0FEF
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] WININET.dll!InternetOpenW 77D6D7DA 5 Bytes JMP 019B000A
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] WININET.dll!InternetOpenUrlA 77D6FE4B 5 Bytes JMP 019B0FD4
    .text C:\Program Files\Windows Media Player\wmplayer.exe[5772] WININET.dll!InternetOpenUrlW 77DB9139 5 Bytes JMP 019B0025
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] ntdll.dll!LdrLoadDll 77BF9390 5 Bytes JMP 009B13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] ntdll.dll!KiUserApcDispatcher 77C35D18 5 Bytes JMP 01DC79B0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] kernel32.dll!SetUnhandledExceptionFilter 76B0A84F 6 Bytes PUSH 71500022; RET
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] USER32.dll!DdeInitializeW 779A7921 6 Bytes PUSH 714D0022; RET
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] USER32.dll!RegisterClassExW 779ADA30 6 Bytes PUSH 716E0022; RET
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] USER32.dll!GetMessageW 779BFEF7 6 Bytes PUSH 71470022; RET
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] USER32.dll!TranslateMessage 779C01AD 6 Bytes PUSH 71400022; RET
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] USER32.dll!GetClipboardData 779E715A 6 Bytes PUSH 714A0022; RET
    .text C:\Program Files\Mozilla Firefox\firefox.exe[6472] GDI32.dll!BitBlt 77D070A6 6 Bytes PUSH 71530022; RET
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!GetStartupInfoW 76AE1929 5 Bytes JMP 00010F7C
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!GetStartupInfoA 76AE19C9 5 Bytes JMP 000100C2
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!CreateProcessW 76AE1BF3 5 Bytes JMP 000100F8
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!CreateProcessA 76AE1C28 5 Bytes JMP 00010F57
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!VirtualProtect 76AE1DC3 5 Bytes JMP 00010F97
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!CreateNamedPipeA 76AE2EF5 5 Bytes JMP 00010014
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!CreateNamedPipeW 76AE5C0C 5 Bytes JMP 0001002F
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!CreatePipe 76B08E6E 5 Bytes JMP 000100A7
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!LoadLibraryExW 76B09109 5 Bytes JMP 00010071
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 0001004A
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!LoadLibraryExA 76B094B4 5 Bytes JMP 00010FA8
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!LoadLibraryA 76B094DC 5 Bytes JMP 00010FC3
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!VirtualProtectEx 76B0DBDA 5 Bytes JMP 00010082
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!GetProcAddress 76B2903B 5 Bytes JMP 00010F46
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00010FDE
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!CreateFileA 76B2CE5F 5 Bytes JMP 00010FEF
    .text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!WinExec 76B75CF7 5 Bytes JMP 000100D3
    .text C:\Windows\system32\wuauclt.exe[7668] msvcrt.dll!_wsystem 77867F2F 5 Bytes JMP 00060040
    .text C:\Windows\system32\wuauclt.exe[7668] msvcrt.dll!system 7786804B 5 Bytes JMP 00060FAB
    .text C:\Windows\system32\wuauclt.exe[7668] msvcrt.dll!_creat 7786BBE1 5 Bytes JMP 00060FC6
    .text C:\Windows\system32\wuauclt.exe[7668] msvcrt.dll!_open 7786D106 5 Bytes JMP 00060000
    .text C:\Windows\system32\wuauclt.exe[7668] msvcrt.dll!_wcreat 7786D326 5 Bytes JMP 0006001B
    .text C:\Windows\system32\wuauclt.exe[7668] msvcrt.dll!_wopen 7786D501 5 Bytes JMP 00060FE3
    .text C:\Windows\system32\wuauclt.exe[7668] ADVAPI32.dll!RegCreateKeyExA 778F39AB 5 Bytes JMP 00070062
    .text C:\Windows\system32\wuauclt.exe[7668] ADVAPI32.dll!RegCreateKeyA 778F3BA9 5 Bytes JMP 00070051
    .text C:\Windows\system32\wuauclt.exe[7668] ADVAPI32.dll!RegOpenKeyA 778F89C7 5 Bytes JMP 00070000
    .text C:\Windows\system32\wuauclt.exe[7668] ADVAPI32.dll!RegCreateKeyW 7790391E 5 Bytes JMP 00070FC0
    .text C:\Windows\system32\wuauclt.exe[7668] ADVAPI32.dll!RegCreateKeyExW 779041F1 5 Bytes JMP 0007007D
    .text C:\Windows\system32\wuauclt.exe[7668] ADVAPI32.dll!RegOpenKeyExA 77907C42 5 Bytes JMP 00070FE5
    .text C:\Windows\system32\wuauclt.exe[7668] ADVAPI32.dll!RegOpenKeyW 7790E2B5 5 Bytes JMP 00070011
    .text C:\Windows\system32\wuauclt.exe[7668] ADVAPI32.dll!RegOpenKeyExW 77917BA1 5 Bytes JMP 00070040
    .text C:\Windows\system32\wuauclt.exe[7668] WS2_32.dll!socket 765336D1 5 Bytes JMP 00090000

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 71670000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\GDI32.dll [USER32.dll!GetWindowRect] 71440000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\ole32.dll [USER32.dll!GetWindowRect] 71440000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetWindowRect] 71440000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[6472] @ C:\Windows\system32\WININET.dll [USER32.dll!GetWindowRect] 71440000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????????????? ???????????????????x????????????G????????????????*???????x???x???????J?????????????????P??li??@battery.inf,%acpi\acpi0003.devicedesc%;Microsoft AC Adapter?7??\\?\HDAUDIO#FUNC_01&VEN_10EC&DEV_0268&SUBSYS_1179FF6A&REV_1000#4&1de63d5&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\RtStereoMixWave??6.??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ????????????? ?????????????tdcmdpst????? ????????????????????????????????E?????????????\\?\HDAUDIO#FUNC_01&VEN_10EC&DEV_0268&SUBSYS_1179FF6A&REV_1000#4&1de63d5&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\RtMicInWave??????????$???4????? ??????? ????p???????????????????????????????????????? ???????????????td??? ?????????????????????#????????????&???????????????????????????????????????????????????$???4????? ??????? ??????????????? ????????????????????????????????????????? ????????????????????????????????????t??Mf???????????:??0.???????????p??\c?????????????????????????????*????@machine.inf,%*pnp0c0d.devicedesc%;

    ---- EOF - GMER 1.0.15 ----
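    The GMER user-code section above lists inline hooks per process. Almost every hook in svchost.exe, wmplayer.exe and wuauclt.exe is a 5-byte JMP into the first few pages of memory (00010040, 00050FB9, 00070FE5 and so on) with no module named, while the hooks in firefox.exe that GMER could attribute belong to Trusteer Rapport's rooksdol.dll. Reading those lines by eye across several processes is slow, so here is a triage script that parses GMER's format and sorts each hook into one of three buckets. This is an added example, not part of alfrot's post and not GMER's own code; the 4 MB threshold, the bucket names and the severity they imply are assumptions of the example, and the sample is an excerpt of the lines above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Excerpt of GMER "User code sections" lines from the log above; not the full log.
SAMPLE_GMER = r"""
.text C:\Windows\system32\svchost.exe[4616] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 00010040
.text C:\Windows\system32\svchost.exe[4616] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00010FD4
.text C:\Windows\system32\svchost.exe[4616] msvcrt.dll!_creat 7786BBE1 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[4616] WS2_32.dll!socket 765336D1 5 Bytes JMP 00070FE5
.text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!LoadLibraryW 76B09362 5 Bytes JMP 0001004A
.text C:\Windows\system32\wuauclt.exe[7668] kernel32.dll!CreateFileW 76B2AECB 5 Bytes JMP 00010FDE
.text C:\Windows\system32\wuauclt.exe[7668] WS2_32.dll!socket 765336D1 5 Bytes JMP 00090000
.text C:\Program Files\Mozilla Firefox\firefox.exe[6472] ntdll.dll!KiUserApcDispatcher 77C35D18 5 Bytes JMP 01DC79B0 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[6472] USER32.dll!GetClipboardData 779E715A 6 Bytes PUSH 714A0022; RET
"""

# ".text <process>[<pid>] <module!export> <address> <n> Byte(s) <patch description>"
LINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<export>\S+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<size>\d+) Bytes? (?P<patch>.+)$"
)
# Patch forms seen in GMER output: "JMP <hex> [<module> (<vendor>)]", "PUSH <hex>; RET",
# or raw opcode bytes such as "[E9]" when only part of the hook was captured.
TARGET_RE = re.compile(
    r"^(?:JMP|PUSH) (?P<target>[0-9A-Fa-f]{8})(?:; RET)?(?: (?P<module>\S.*))?$"
)

# Heuristic threshold (an assumption of this example): system DLLs do not map
# below 4 MB on 32-bit Windows, so an unattributed JMP into that region points
# at code that was written into the process rather than at a loaded image.
LOW_IMAGE_LIMIT = 0x00400000


@dataclass
class Hook:
    process: str
    pid: int
    export: str
    target: Optional[int]
    module: Optional[str]

    @property
    def severity(self) -> str:
        if self.module:
            return "attributed"    # a named module owns the hook: check its signer
        if self.target is not None and self.target < LOW_IMAGE_LIMIT:
            return "suspicious"    # trampoline into a low page no image occupies
        return "unattributed"      # no module named; worth a look, lower priority


def parse_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = TARGET_RE.match(m["patch"])
        target = int(t["target"], 16) if t else None
        module = t["module"] if t else None
        hooks.append(Hook(m["proc"], int(m["pid"]), m["export"], target, module))
    return hooks


ProcKey = Tuple[str, int]


def triage(text: str) -> Dict[str, object]:
    """Group hooks per process and find processes sharing the same suspicious hook set."""
    by_proc: Dict[ProcKey, List[Hook]] = defaultdict(list)
    for h in parse_hooks(text):
        by_proc[(h.process, h.pid)].append(h)

    processes: Dict[ProcKey, Dict[str, List[str]]] = {}
    for key, hs in by_proc.items():
        processes[key] = {
            sev: sorted(h.export for h in hs if h.severity == sev)
            for sev in ("suspicious", "attributed", "unattributed")
        }

    # One payload injected into several unrelated processes hooks the same API
    # list everywhere; cluster processes by that list to make it visible.
    shared: Dict[Tuple[str, ...], List[ProcKey]] = defaultdict(list)
    for key, buckets in processes.items():
        if buckets["suspicious"]:
            shared[tuple(buckets["suspicious"])].append(key)
    clusters = [procs for procs in shared.values() if len(procs) > 1]
    return {"processes": processes, "shared_hook_sets": clusters}


if __name__ == "__main__":
    result = triage(SAMPLE_GMER)
    for (proc, pid), buckets in result["processes"].items():
        print(f"{proc}[{pid}]")
        for sev, exports in buckets.items():
            if exports:
                print(f"  {sev:12s} {', '.join(exports)}")
    for procs in result["shared_hook_sets"]:
        print("same suspicious hook set in:", ", ".join(f"{p}[{pid}]" for p, pid in procs))
```

    Run against the excerpt, svchost.exe and wuauclt.exe come out with the identical set of unattributed low-address hooks (LoadLibraryW, CreateFileW, socket) and are reported as one shared hook set, while firefox.exe's attributed hook lands in the low-priority bucket. The grouping does not say which family is responsible; it only shows that hooks in unrelated processes are not independent, which is the question to settle before calling the machine clean.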
     
  9. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    DDS Log 1 of 2


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Andrew at 16:55:36.27 on 14/08/2010
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_20
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2813.1623 [GMT 1:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\3\3Connect\BecHelperService.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Windows\system32\CTsvcCDA.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Kontiki\KService.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\O2 Assistant\bin\sprtsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\O2 Assistant\bin\tgsrvc.exe
    C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Windows\system32\Dwm.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Windows\WindowsMobile\wmdSync.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files\Toshiba TEMPRO\TemproTray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Windows\system32\wuauclt.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\taskeng.exe
    C:\Users\Andrew\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk
    uDefault_Page_URL = hxxp://www.google.co.uk
    mDefault_Page_URL = hxxp://www.google.co.uk
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uInternet Settings,ProxyOverride = <local>
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [kdx] c:\program files\kontiki\KHost.exe -all
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Sony Ericsson PC Companion] "c:\program files\sony ericsson\sony ericsson pc companion\PCCompanion.exe" /systray /nologon
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [cfFncEnabler.exe] cfFncEnabler.exe
    mRun: [Toshiba TEMPO] c:\program files\toshiba tempro\Toshiba.Tempo.UI.TrayApplication.exe
    mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    mRun: [Skytel] Skytel.exe
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [O2DA] "c:\program files\o2 assistant\bin\sprtcmd.exe" /P O2DA
    mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    StartupFolder: c:\users\andrew\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\users\andrew\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\update~1.lnk - c:\program files\3\3connect\AutoUpdateSrv.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Winamp Search - c:\programdata\winamp toolbar\ietoolbar\resources\en-us\local\search.html
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
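    The Pseudo HJT report above shows the per-user IE proxy set to http=127.0.0.1:6522 with ProxyOverride = <local>, a URL search hook and two toolbar entries whose files no longer exist ("No File"), and several Run values given as bare file names; the next post adds an AppInit_DLLs entry. A loopback proxy the user never configured is what rogue security products commonly leave behind to sit between the browser and the network, and it keeps breaking web access after the product itself has been removed. The script below runs those checks over lines in DDS's format. It is an added example, not part of alfrot's post and not DDS's own code; the check names, severity labels and the loopback test are assumptions of the example, and the sample is an excerpt of lines from this thread.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Lines taken from the DDS "Pseudo HJT Report" in this thread (an excerpt, not the full report).
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Skytel] Skytel.exe
mRun: [NDSTray.exe] NDSTray.exe
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
FF - prefs.js: network.proxy.type - 0
"""

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
NOFILE_RE = re.compile(r"^(?P<kind>\w+):.*- No File$")
RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>\S.*)$")

ProxyEntry = Tuple[str, str, Optional[int]]   # (protocol, host, port)


def parse_proxy(value: str) -> List[ProxyEntry]:
    """Split a WinINet ProxyServer value: 'host:port' or 'http=h:p;https=h:p;...'."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, hostport = part.rpartition("=")      # proto is "" when unprefixed
        host, _, port = hostport.rpartition(":")
        if not host:                                     # bare host without a port
            host, port = hostport, ""
        entries.append((proto or "all", host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def executable_of(cmd: str) -> str:
    """First token of a Run command line, honouring surrounding quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def check_dds(text: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for proto, host, port in parse_proxy(m["value"]):
                if is_loopback(host):
                    findings.append({"check": "loopback_proxy", "severity": "high",
                                     "proto": proto, "host": host, "port": port,
                                     "note": "browser traffic routed through a local listener; "
                                             "identify the process on that port or clear the setting"})
            continue
        if NOFILE_RE.match(line):
            findings.append({"check": "orphaned_entry", "severity": "low", "line": line,
                             "note": "registration whose file is gone; safe to remove"})
            continue
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            if "\\" not in exe and not exe.startswith("%"):
                findings.append({"check": "unqualified_run", "severity": "info",
                                 "name": m["name"], "exe": exe,
                                 "note": "no path given; resolved through the executable "
                                         "search path, so confirm which file actually runs"})
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append({"check": "appinit_dll", "severity": "medium", "dlls": m["dlls"],
                             "note": "loaded into every process that loads user32.dll; "
                                     "verify the file and its signer"})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    return dict(Counter(str(f["check"]) for f in findings))


if __name__ == "__main__":
    for f in check_dds(SAMPLE_DDS):
        what = f.get("host", f.get("exe", f.get("dlls", f.get("line"))))
        print(f"[{f['severity']}] {f['check']}: {what}")
    print(summarize(check_dds(SAMPLE_DDS)))
```

    On the excerpt the only high finding is the 127.0.0.1:6522 proxy. Nothing in the running-process list is obviously listening there, which is exactly why the setting should be checked against netstat output and, if no legitimate program owns the port, removed (Internet Options, Connections, LAN settings, or the HKCU Internet Settings key). The orphaned entries and bare-filename Run values are cleanup and verification items, not evidence of infection on their own.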
     
  10. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    DDS Log, 2 of 2

    IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {5334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpg4sax.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\onra4lta.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\onra4lta.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
    FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-5 214664]
    R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
    R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2008-12-27 25896]
    R2 BecHelperService;BecHelperService;c:\program files\3\3connect\BecHelperService.exe [2010-6-12 1737464]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-26 7168]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-5 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-5 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-5 40552]
    R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2008-12-27 290304]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-9-7 7168]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-5 34248]
    S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-2-10 89256]
    S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-2-10 15016]
    S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-2-10 120744]
    S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-2-10 114216]
    S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-2-10 25512]
    S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-2-10 110632]
    S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-2-10 115752]
    S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-8-14 86824]
    S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-8-14 15016]
    S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-8-14 114728]
    S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-8-14 106208]
    S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-8-14 26024]
    S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-8-14 104744]
    S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-8-14 109864]

    =============== Created Last 30 ================

    2010-08-14 15:45:51 0 d-----w- c:\program files\Western Digital
    2010-08-14 14:50:00 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-08-14 14:44:48 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2010-08-14 14:39:07 26024 ----a-w- c:\windows\system32\drivers\s1018nd5.sys
    2010-08-14 14:39:07 12200 ----a-w- c:\windows\system32\drivers\s1018whnt.sys
    2010-08-14 14:39:07 12200 ----a-w- c:\windows\system32\drivers\s1018wh.sys
    2010-08-14 14:39:07 109864 ----a-w- c:\windows\system32\drivers\s1018unic.sys
    2010-08-14 14:39:07 104744 ----a-w- c:\windows\system32\drivers\s1018obex.sys
    2010-08-14 14:39:06 86824 ----a-w- c:\windows\system32\drivers\s1018bus.sys
    2010-08-14 14:39:06 15016 ----a-w- c:\windows\system32\drivers\s1018mdfl.sys
    2010-08-14 14:39:06 12200 ----a-w- c:\windows\system32\drivers\s1018cmnt.sys
    2010-08-14 14:39:06 12200 ----a-w- c:\windows\system32\drivers\s1018cm.sys
    2010-08-14 14:39:06 114728 ----a-w- c:\windows\system32\drivers\s1018mdm.sys
    2010-08-14 14:39:06 10792 ----a-w- c:\windows\system32\drivers\s1018cr.sys
    2010-08-14 14:39:06 106208 ----a-w- c:\windows\system32\drivers\s1018mgmt.sys
    2010-08-14 14:39:00 0 d-----w- c:\programdata\Sony Ericsson
    2010-08-14 14:39:00 0 d-----w- c:\program files\Sony Ericsson
    2010-08-14 14:06:36 0 d-----w- c:\users\andrew\appdata\roaming\Malwarebytes
    2010-08-14 14:06:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-14 14:06:30 0 d-----w- c:\programdata\Malwarebytes
    2010-08-14 14:06:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-14 14:06:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-14 12:34:49 0 d-----w- c:\users\andrew\appdata\roaming\McAfee
    2010-08-12 15:16:35 0 d--h--w- c:\programdata\CanonIJEGV
    2010-08-11 13:38:27 81920 ----a-w- c:\windows\system32\iccvid.dll
    2010-08-11 13:37:53 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-08-11 13:37:50 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-08-11 13:37:20 274944 ----a-w- c:\windows\system32\schannel.dll
    2010-08-11 13:36:46 2037760 ----a-w- c:\windows\system32\win32k.sys
    2010-08-11 13:36:28 36864 ----a-w- c:\windows\system32\rtutils.dll
    2010-08-11 13:34:36 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-08-11 13:34:34 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-08-11 13:34:16 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2010-08-11 13:33:55 302080 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-11 13:33:55 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-08-11 13:33:35 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-08-05 08:53:35 0 d-----w- c:\users\andrew\New Folder
    2010-08-04 06:25:18 0 d-----w- c:\program files\Moleskinsoft Directory Size 2.4
    2010-07-22 05:59:16 0 d-----w- c:\program files\O2 Assistant
    2010-07-21 20:05:42 0 d-----w- c:\programdata\Apple Computer
    2010-07-21 14:31:17 0 d-----w- c:\programdata\O2

    ==================== Find3M ====================

    2010-08-14 14:46:08 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-08-14 14:46:07 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-08-14 14:43:22 143360 ----a-w- c:\windows\inf\infstor.dat
    2010-07-15 14:18:22 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
    2009-12-15 07:40:42 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 16:58:11.91 ===============
     
  11. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    DDS Attach Log

    (Attached as .txt)
     

  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  13. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    Combofix log

    Done. Please find attached.
     

  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  15. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    MBR Check

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: TOSHIBA
    BIOS Manufacturer: Insyde Corp.
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L300D
    Logical Drives Mask: 0x00000034

    Kernel Drivers (total 149):
    0x8344E000 \SystemRoot\system32\ntkrnlpa.exe
    0x8341B000 \SystemRoot\system32\hal.dll
    0x8040F000 \SystemRoot\system32\kdcom.dll
    0x80416000 \SystemRoot\system32\PSHED.dll
    0x80427000 \SystemRoot\system32\BOOTVID.dll
    0x8042F000 \SystemRoot\system32\CLFS.SYS
    0x80470000 \SystemRoot\system32\CI.dll
    0x80550000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x805CC000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8060B000 \SystemRoot\system32\drivers\acpi.sys
    0x80651000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x8065A000 \SystemRoot\system32\drivers\msisadrv.sys
    0x80662000 \SystemRoot\system32\drivers\pci.sys
    0x80689000 \SystemRoot\System32\drivers\partmgr.sys
    0x80698000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8069B000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x806A5000 \SystemRoot\system32\drivers\volmgr.sys
    0x806B4000 \SystemRoot\System32\drivers\volmgrx.sys
    0x806FE000 \SystemRoot\system32\drivers\pciide.sys
    0x80705000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x80713000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80723000 \SystemRoot\system32\drivers\atapi.sys
    0x8072B000 \SystemRoot\system32\drivers\ataport.SYS
    0x80749000 \SystemRoot\system32\drivers\msahci.sys
    0x80753000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80785000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80795000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x83A02000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x83A73000 \SystemRoot\system32\drivers\ndis.sys
    0x83B7E000 \SystemRoot\system32\drivers\msrpc.sys
    0x83BA9000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8AA0D000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8AB1D000 \SystemRoot\system32\drivers\volsnap.sys
    0x8AB56000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x8AB5B000 \SystemRoot\system32\DRIVERS\tos_sps32.sys
    0x8ABA6000 \SystemRoot\System32\Drivers\spldr.sys
    0x8ABAE000 \SystemRoot\System32\Drivers\mup.sys
    0x8ABBD000 \SystemRoot\System32\drivers\ecache.sys
    0x8ABE4000 \SystemRoot\system32\drivers\disk.sys
    0x8079E000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x8ABF5000 \SystemRoot\system32\DRIVERS\AtiPcie.sys
    0x8AA00000 \SystemRoot\system32\drivers\crcdisk.sys
    0x807C9000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x807D4000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x807DD000 \SystemRoot\system32\DRIVERS\FwLnk.sys
    0x807E5000 \SystemRoot\system32\DRIVERS\processr.sys
    0x8AA09000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8E600000 \SystemRoot\system32\DRIVERS\atikmdag.sys
    0x8EACF000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8EB70000 \SystemRoot\System32\drivers\watchdog.sys
    0x8EB7C000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8EB9D000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
    0x8EBA1000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8EBB9000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x8EC02000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8EC40000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8EC4F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8ECDC000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8ECEF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8ECFA000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8ED29000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8ED2B000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8ED36000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8ED65000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8EDA6000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8EDB1000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8EDC8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8EDD3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8EBC3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8EBD2000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8EBE6000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x805D9000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8EDF6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8F005000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8F02F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8F039000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8F046000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8F07B000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8F200000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8F08C000 \SystemRoot\system32\drivers\portcls.sys
    0x8F0B9000 \SystemRoot\system32\drivers\drmk.sys
    0x8F0DE000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0x805E9000 \SystemRoot\system32\drivers\modem.sys
    0x807F4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8EDF8000 \SystemRoot\System32\Drivers\Null.SYS
    0x80600000 \SystemRoot\System32\Drivers\Beep.SYS
    0x80400000 \SystemRoot\System32\drivers\vga.sys
    0x8F40A000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8F42B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8F433000 \SystemRoot\system32\DRIVERS\RTL8187B.sys
    0x8F483000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8F48B000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8F496000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8F4A4000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8F4AD000 \SystemRoot\System32\drivers\tcpip.sys
    0x8F597000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8F5B2000 \SystemRoot\System32\Drivers\Mpfp.sys
    0x8F5DB000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8F602000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
    0x8F614000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8F646000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8F65A000 \SystemRoot\system32\drivers\afd.sys
    0x8F6A2000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8F6B8000 \SystemRoot\system32\DRIVERS\rtlprot.sys
    0x8F6C2000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8F6D0000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8F6E3000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8F71F000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    0x8F747000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys
    0x8F755000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8F75F000 \SystemRoot\system32\drivers\mfehidk.sys
    0x8F792000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8F7A9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8F7C0000 \SystemRoot\System32\Drivers\UVCFTR_S.SYS
    0x8F7C9000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x9080C000 \SystemRoot\system32\DRIVERS\udfs.sys
    0x90847000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x90854000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x9085F000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x98810000 \SystemRoot\System32\win32k.sys
    0x90869000 \SystemRoot\System32\drivers\Dxapi.sys
    0x90873000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x98A30000 \SystemRoot\System32\TSDDD.dll
    0x98A50000 \SystemRoot\System32\cdd.dll
    0x90882000 \SystemRoot\system32\drivers\luafv.sys
    0x9089D000 \SystemRoot\system32\drivers\spsys.sys
    0x9094D000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x9095D000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x90987000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x90991000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x9B808000 \SystemRoot\system32\drivers\HTTP.sys
    0x9B875000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x9B892000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x9B8AB000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9B8C0000 \SystemRoot\system32\drivers\mrxdav.sys
    0x9B8E1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9B900000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9B939000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9B951000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9B978000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9D40B000 \SystemRoot\system32\drivers\peauth.sys
    0x9D4E9000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x9D4F3000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x9D4FF000 \SystemRoot\system32\drivers\mfebopk.sys
    0x9D506000 \SystemRoot\system32\drivers\mfeavfk.sys
    0x9D518000 \??\C:\Users\Andrew\AppData\Local\Temp\catchme.sys
    0x9D520000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
    0x9D537000 \SystemRoot\system32\drivers\mfesmfk.sys
    0x76E00000 \Windows\System32\ntdll.dll

    Processes (total 74):
    0 System Idle Process
    4 System
    444 C:\Windows\System32\smss.exe
    572 csrss.exe
    632 C:\Windows\System32\wininit.exe
    640 csrss.exe
    676 C:\Windows\System32\services.exe
    688 C:\Windows\System32\lsass.exe
    696 C:\Windows\System32\lsm.exe
    832 C:\Windows\System32\svchost.exe
    864 C:\Windows\System32\winlogon.exe
    916 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    960 C:\Windows\System32\svchost.exe
    1004 C:\Windows\System32\svchost.exe
    1096 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    1176 C:\Windows\System32\Ati2evxx.exe
    1188 C:\Windows\System32\svchost.exe
    1220 C:\Windows\System32\svchost.exe
    1248 C:\Windows\System32\svchost.exe
    1316 C:\Windows\System32\audiodg.exe
    1348 C:\Windows\System32\SLsvc.exe
    1388 C:\Windows\System32\svchost.exe
    1544 C:\Windows\System32\Ati2evxx.exe
    1592 C:\Windows\System32\svchost.exe
    1836 C:\Windows\System32\spoolsv.exe
    1884 C:\Windows\System32\svchost.exe
    356 C:\Windows\System32\agrsmsvc.exe
    360 C:\Program Files\3\3Connect\BecHelperService.exe
    376 C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    496 C:\Windows\System32\CTSVCCDA.EXE
    580 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
    668 C:\Program Files\Kontiki\KService.exe
    1272 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    1688 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    460 C:\Program Files\McAfee\MPF\MpfSrv.exe
    2104 C:\Program Files\McAfee\MSK\msksrver.exe
    2188 C:\Windows\System32\svchost.exe
    2296 C:\Program Files\O2 Assistant\bin\sprtsvc.exe
    2344 C:\Windows\System32\svchost.exe
    2752 C:\Program Files\O2 Assistant\bin\tgsrvc.exe
    2868 C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    2916 C:\Windows\System32\TODDSrv.exe
    2944 C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    3060 C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    3136 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    3172 C:\Windows\System32\svchost.exe
    3216 C:\Windows\System32\SearchIndexer.exe
    3412 C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    3432 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    3568 C:\Windows\System32\taskeng.exe
    1756 C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
    3860 C:\Windows\System32\svchost.exe
    1232 C:\Program Files\McAfee.com\Agent\mcagent.exe
    3676 C:\Windows\System32\taskeng.exe
    2052 C:\Windows\System32\dwm.exe
    4120 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    4312 C:\Windows\System32\wuauclt.exe
    7752 C:\Windows\explorer.exe
    7396 C:\Program Files\Windows Media Player\wmpnscfg.exe
    2652 C:\Program Files\Windows Media Player\wmpnetwk.exe
    9932 C:\Program Files\Mozilla Firefox\firefox.exe
    8916 C:\Program Files\Mozilla Firefox\plugin-container.exe
    1428 C:\Windows\System32\taskeng.exe
    8332 C:\PROGRA~1\McAfee\MQC\QcConsol.exe
    8292 C:\Windows\System32\Defrag.exe
    1492 MpCmdRun.exe
    9092 C:\Windows\System32\DfrgNtfs.exe
    8404 C:\Windows\System32\taskmgr.exe
    8776 C:\Program Files\McAfee Security Scan\2.0.181\mcuicnt.exe
    9644 C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
    9212 C:\Program Files\McAfee\VirusScan\mcsysmon.exe
    8296 C:\Windows\System32\SearchProtocolHost.exe
    3784 C:\Windows\System32\SearchFilterHost.exe
    4476 C:\Users\Andrew\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000012`f5700000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS543216L9SA00, Rev: FB2OC43C

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!
     
  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    That looks good.

    Please, re-run Combofix again and post its log.
     
  17. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    problems on day 2..

    Hi

    Thanks for the help so far.

    This afternoon, abruptly, the problem came back. I re-ran the original diagnostics: they're all attached. The Combofix didn't seem to work so I'll try it after I post the others.
     

  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Delete your Combofix file, download a fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


      * Double-click on the Rkill desktop icon to run the tool.
      * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * If not, delete the file, then download and use the one provided in Link 2.
      * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


      * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now, run broni.exe
     
  19. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    exehelper and Broni.exe log

    Hi - I ran rkill (no difficulty getting it to work)

    Then I ran exehelper, log attached.

    And then a renamed Combofix, log also attached in case you need it.

    (I did re-run the same Combofix program I downloaded the first time, before I read your comment, but it ran very quickly, whereas the second time, running it as Broni, it ran much more slowly.)
     

  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Navigate to C:\Qoobox
    You'll see ComboFix2.txt and ComboFix3.txt files there.
    I need to see them.
    Please, attach them to your next reply.
     
  21. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    combofix 2 and 3

    OK.

    It's telling me that Combofix3 has already been attached in this thread - so it won't let me reattach it. I'm not sure why it thinks this.
     

  22. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    Combofix 3 (part 1 of 2)

    Here's the content of the file though:

    ComboFix 10-08-14.02 - Andrew 14/08/2010 23:15:02.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2813.1441 [GMT 1:00]
    Running from: c:\users\Andrew\Downloads\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

    ----- BITS: Possible infected sites -----

    hxxp://sync.broadband.o2.co.uk:8080
    hxxp://sync.mobilebroadband.o2.co.uk:8080
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
    .

    2010-08-14 15:45 . 2010-08-14 15:45 -------- d-----w- c:\program files\Western Digital
    2010-08-14 15:45 . 2010-08-14 15:45 -------- d-----w- c:\users\Andrew\AppData\Local\Sony Ericsson
    2010-08-14 14:50 . 2010-05-21 13:14 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-08-14 14:06 . 2010-08-14 14:06 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
    2010-08-14 14:06 . 2010-08-14 14:06 -------- d-----w- c:\programdata\Malwarebytes
    2010-08-14 14:06 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-14 14:06 . 2010-08-14 14:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-14 14:06 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-14 12:34 . 2010-08-14 12:34 -------- d-----w- c:\users\Andrew\AppData\Roaming\McAfee
    2010-08-12 15:16 . 2010-08-12 15:16 -------- d--h--w- c:\programdata\CanonIJEGV
    2010-08-11 13:38 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
    2010-08-11 13:37 . 2010-06-29 15:47 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-08-11 13:37 . 2010-06-28 16:13 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-08-11 13:37 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
    2010-08-11 13:36 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
    2010-08-11 13:36 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
    2010-08-11 13:34 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-08-11 13:34 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-08-11 13:34 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2010-08-11 13:33 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-11 13:33 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-08-11 13:33 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-08-05 08:53 . 2010-08-05 08:53 -------- d-----w- c:\users\Andrew\New Folder
    2010-08-04 06:37 . 2010-08-04 06:37 -------- d-----w- c:\users\Andrew\AppData\Roaming\Apple Computer
    2010-08-04 06:25 . 2010-08-04 06:25 -------- d-----w- c:\program files\Moleskinsoft Directory Size 2.4
    2010-07-22 05:59 . 2010-07-22 05:59 -------- d-----w- c:\program files\O2 Assistant
    2010-07-21 20:05 . 2010-07-21 20:06 -------- d-----w- c:\program files\QuickTime
    2010-07-21 20:05 . 2010-07-21 20:05 -------- d-----w- c:\programdata\Apple Computer
    2010-07-21 14:31 . 2010-07-21 14:31 -------- d-----w- c:\programdata\O2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-14 22:36 . 2009-01-05 22:07 -------- d-----w- c:\programdata\Kontiki
    2010-08-14 22:28 . 2008-12-27 22:28 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype
    2010-08-14 16:56 . 2008-12-27 22:30 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM
    2010-08-14 15:45 . 2010-08-14 14:39 -------- d-----w- c:\program files\Sony Ericsson
    2010-08-14 15:45 . 2008-05-26 14:00 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-14 14:44 . 2010-08-14 14:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2010-08-14 14:39 . 2010-08-14 14:39 -------- d-----w- c:\programdata\Sony Ericsson
    2010-08-14 12:50 . 2009-01-22 22:40 1 ----a-w- c:\users\Andrew\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-08-14 12:33 . 2009-09-05 09:14 -------- d-----w- c:\program files\McAfee
    2010-08-14 12:33 . 2008-05-26 14:29 -------- d-----w- c:\programdata\McAfee
    2010-08-14 11:40 . 2008-05-26 14:33 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-14 10:51 . 2009-10-31 11:56 -------- d-----w- c:\users\Andrew\AppData\Roaming\Coyps
    2010-08-14 10:51 . 2009-12-04 12:55 -------- d-----w- c:\users\Andrew\AppData\Roaming\Nubi
    2010-08-14 10:29 . 2009-02-23 19:52 -------- d-----w- c:\users\Andrew\AppData\Roaming\Vaab
    2010-08-14 10:29 . 2009-02-06 02:39 -------- d-----w- c:\users\Andrew\AppData\Roaming\Faiqo
    2010-08-12 15:20 . 2010-01-30 15:57 -------- d-----w- c:\programdata\CanonIJPLM
    2010-08-11 21:00 . 2008-05-29 10:52 -------- d-----w- c:\program files\Microsoft Works
    2010-08-11 20:44 . 2008-05-29 10:58 -------- d-----w- c:\programdata\Microsoft Help
    2010-08-11 20:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-08-10 10:39 . 2010-05-16 20:57 -------- d-----w- c:\users\Andrew\AppData\Roaming\Spotify
    2010-08-06 08:51 . 2009-12-11 12:12 -------- d-----w- c:\program files\Whale Communications
    2010-08-04 06:18 . 2008-05-26 14:32 -------- d-----w- c:\program files\Toshiba TEMPRO
    2010-08-04 06:18 . 2008-05-26 14:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-07-29 08:18 . 2008-12-29 16:45 680 ----a-w- c:\users\Andrew\AppData\Local\d3d9caps.dat
    2010-07-22 05:59 . 2009-09-05 09:29 -------- d-----w- c:\programdata\SupportSoft
    2010-07-22 05:58 . 2009-09-05 09:27 -------- d-----w- c:\program files\O2
    2010-07-15 19:51 . 2008-12-27 22:26 -------- d-----r- c:\program files\Skype
    2010-07-15 19:51 . 2010-07-15 19:51 -------- d-----w- c:\program files\Common Files\Skype
    2010-07-15 19:51 . 2008-12-27 22:26 -------- d-----w- c:\programdata\Skype
    2010-07-15 14:18 . 2009-09-05 09:15 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-07-13 07:02 . 2008-05-26 14:34 -------- d-----w- c:\program files\Google
    2010-07-12 18:18 . 2008-05-29 10:59 -------- d-----w- c:\program files\Microsoft.NET
    2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
    2010-05-26 17:06 . 2010-06-11 19:35 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47 . 2010-06-11 19:35 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-17 20:53 . 2010-08-14 12:36 300384 ----a-w- c:\users\Andrew\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-27 39408]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
    "Sony Ericsson PC Companion"="c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" [2009-12-08 774144]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-26 1836544]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
    "4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-17 198160]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
    "O2DA"="c:\program files\O2 Assistant\bin\sprtcmd.exe" [2010-04-23 206120]
    "Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2010-05-12 1050072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

    c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):a8,0c,9c,0b,15,7c,ca,01

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\Toshiba TEMPRO\TemproSvc.exe [2010-05-12 124368]
    R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-09-07 7168]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
    R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
    R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
    R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
    R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
    R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
    R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
    R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2009-03-25 86824]
    R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2009-03-25 15016]
    R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2009-03-25 114728]
    R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2009-03-25 106208]
    R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2009-03-25 26024]
    R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2009-03-25 104744]
    R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2009-03-25 109864]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
    S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
    S2 BecHelperService;BecHelperService;c:\program files\3\3Connect\BecHelperService.exe [2010-01-28 1737464]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-16 40960]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]
    S2 sprtsvc_O2DA;SupportSoft Sprocket Service (O2DA);c:\program files\O2 Assistant\bin\sprtsvc.exe [2010-04-23 206120]
    S2 tgsrvc_O2DA;SupportSoft Repair Service (O2DA);c:\program files\O2 Assistant\bin\tgsrvc.exe [2010-04-23 185640]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-12-26 290304]
    S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-24 73728]
     
  23. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    Combofix 3 (part 2 of 2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-05 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

    2010-02-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

    2010-08-14 c:\windows\Tasks\User_Feed_Synchronization-{A9E5FD71-4963-4A33-9558-4C73504F0B80}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uInternet Settings,ProxyOverride = <local>
    IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
    IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\onra4lta.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
    FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\onra4lta.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
    FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
    HKLM-Run-Toshiba TEMPO - c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    SafeBoot-mfehidk
    SafeBoot-mferkdk
    SafeBoot-mfetdik
    SafeBoot-mfetdik.sys
    AddRemove-Winamp Toolbar for Firefox - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\onra4lta.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(7752)
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\agrsmsvc.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files\Kontiki\KService.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\McAfee\MSK\MskSrver.exe
    c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\vssvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-14 23:41:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-14 22:41

    Pre-Run: 36,475,551,744 bytes free
    Post-Run: 36,426,637,312 bytes free

    - - End Of File - - ADFFD9534850F06417EF9F8BC45C2901
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    OK, go on....
     
  25. alfrot

    alfrot TS Rookie Topic Starter Posts: 30

    I don't understand - what else are you looking for?
     
Topic Status:
Not open for further replies.
