Search links redirected

Dell Studio 1535
November 24, 2009 at 19:34:48
Specs: Microsoft Windows Vista Home Premium, 2 GHz / 3069 MB
Clicking on any search links from Google and Yahoo automatically redirects me to retail or unrelated search engine pages. The new pages usually have a cursive Q symbol as their icon. Happens in IE8 and Firefox 3.6b3. Spybot, MalwareBytes, and McAfee failed to find anything odd but something is at work here. Please help.




#1
November 24, 2009 at 20:10:55
Please save this file to your desktop.

Win32kDiag.exe

Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply.



#2
November 26, 2009 at 12:07:30
win32kdiag log below:

Running from: C:\Users\Scott\Desktop\Win32kDiag.exe

Log file at : C:\Users\Scott\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-11-25 21:32:28 1076 C:\Windows\bthservsdp.dat ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-11-25 21:34:27 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-11-25 21:34:02 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-11-25 21:34:02 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-11-25 21:34:02 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-11-25 21:35:05 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()

Finished!



#3
November 26, 2009 at 12:12:14
rsit log file below:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Scott at 2009-11-26 14:56:08
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 168 GB (57%) free of 295 GB
Total RAM: 3069 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:33 PM, on 11/26/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Users\Scott\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Scott.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DigitalPersona Fingerprint Software Extension - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\DigitalPersona\Bin\DpOtsPluginIe8.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dldtmon.exe] "C:\Program Files\Dell V305\dldtmon.exe"
O4 - HKLM\..\Run: [dldtamon] "C:\Program Files\Dell V305\dldtamon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://www.apple.com
O15 - Trusted Zone: http://www.facebook.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldtserv.exe
O23 - Service: dldt_device - - C:\Windows\system32\dldtcoms.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @C:\Program Files\DigitalPersona\Bin\DpHostW.exe,-128 (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10052 bytes

======Scheduled tasks folder======

C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{395610AE-C624-4f58-B89E-23733EA00F9A}]
DigitalPersona Fingerprint Software Extension - C:\Program Files\DigitalPersona\Bin\DpOtsPluginIe8.dll [2009-05-12 1256512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-05-19 137600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-11-14 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\Dell\BAE\BAE.dll [2006-11-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-11-14 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]
Locked

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"ECenter"=C:\Dell\E-Center\EULALauncher.exe [2008-02-28 17920]
"Apoint"=C:\Program Files\DellTPad\Apoint.exe [2008-06-30 196608]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-10-03 178712]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2008-03-11 16384]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2008-05-09 126976]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"dldtmon.exe"=C:\Program Files\Dell V305\dldtmon.exe [2008-06-24 668912]
"dldtamon"=C:\Program Files\Dell V305\dldtamon.exe [2008-06-24 16624]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"DpAgent"=C:\Program Files\DigitalPersona\Bin\dpagent.exe [2009-05-12 842816]
"SysTrayApp"=C:\Program Files\IDT\WDM\sttray.exe [2009-03-16 483428]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-10-28 141600]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-11-14 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2009-11-08 323392]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-11-14 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2008-08-28 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]


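A first triage pass over HijackThis-style lines like the ones in the log posted above, added here as an example; it is not code from this thread, from HijackThis or from RSIT. It parses the `R`/`O` line format into sections and returns the entries a reviewer would look at first: a BHO with no name or no file, an autostart launched from a user-writable path, a hosts-file entry other than localhost, sites in the IE Trusted Zone, Winlogon Notify DLLs, and services with no recorded publisher. The flagging rules are the editor's own heuristics, not HijackThis's; the sample lines are copied from the posted log except the `[updater]` autostart, which is constructed to exercise the user-profile rule. `triage()`, `check()` and `Finding` are names chosen for this example.

```python
"""Triage of HijackThis-style R/O lines (example heuristics, not HijackThis or RSIT code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. Every line except the '[updater]' O4 entry is copied from the
# HijackThis section of the RSIT log posted above; the '[updater]' line is CONSTRUCTED
# to exercise the user-writable-path rule and does not come from the log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [updater] C:\Users\Scott\AppData\Local\Temp\updater.exe
O15 - Trusted Zone: http://www.facebook.com
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldtserv.exe
O23 - Service: dldt_device - - C:\Windows\system32\dldtcoms.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""

# "Rn - body" / "On - body": the section code selects the parser and the rule.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O2: "BHO: <name> - {CLSID} - <path>"; the CLSID anchors the split, since names and paths may contain " - ".
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4: "<hive>\..\Run: [<label>] <command>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# O23: "Service: <name> - <owner> - <path>". The optional space after '-' lets an empty owner
# ("name - - C:\...") parse; the path must start with a drive letter, %var% or a UNC prefix.
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - ?(?P<owner>.*?) - ?(?P<path>(?:[A-Za-z]:\\|%|\\\\).*)$")
# O1: "Hosts: <entry>"
HOSTS_RE = re.compile(r"^Hosts: (?P<entry>.*)$")

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\")
BENIGN_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def check(section: str, body: str) -> Optional[str]:
    """Return a reason string if this entry deserves a closer look, else None."""
    if section == "O1":
        m = HOSTS_RE.match(body)
        if m and m.group("entry") not in BENIGN_HOSTS:
            return "hosts-file override; can silently redirect a name to another address"
    elif section == "O2":
        m = BHO_RE.match(body)
        if m and (m.group("path") == "(no file)" or m.group("name") == "(no name)"):
            return "BHO with no name or no file on disk; orphaned entry or a module hiding itself"
    elif section == "O4":
        m = RUN_RE.match(body)
        if m and any(k in m.group("cmd").lower() for k in USER_WRITABLE):
            return "autostart launched from a user-writable path; check signer and hash"
    elif section == "O15":
        return "site in the IE Trusted Zone runs with relaxed security; confirm it was added deliberately"
    elif section == "O20":
        return "DLL loaded by winlogon at logon; verify the publisher signature"
    elif section == "O23":
        m = SVC_RE.match(body)
        if m and m.group("owner").strip() in ("", "Unknown owner"):
            return "service with no recorded publisher; verify the file's signature"
    return None


def triage(text: str) -> List[Finding]:
    """Parse every R/O line and keep the ones a rule flags, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, process lists
        reason = check(m.group("section"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("section"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, `triage()` flags six entries: the nameless BHO, the constructed `[updater]` autostart, the Trusted Zone site, the Winlogon Notify DLL, and the two services whose owner field is empty or "Unknown owner"; the Spybot service, whose path contains " - ", parses correctly and is not flagged. A flagged line is a place to start verifying (publisher signature, file hash, whether the user recognises the entry), not a verdict.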


#4
November 26, 2009 at 12:13:00
rsit log continued (wouldn't accept the length of the previous report)

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 3 months======

2009-11-26 14:56:08 ----D---- C:\rsit
2009-11-26 11:39:12 ----A---- C:\Windows\system32\tdlcmd.dll
2009-11-25 21:30:40 ----A---- C:\Windows\system32\tzres.dll
2009-11-25 21:29:23 ----A---- C:\Windows\system32\msxml6.dll
2009-11-25 21:29:22 ----A---- C:\Windows\system32\msxml3.dll
2009-11-22 17:20:03 ----D---- C:\Program Files\Trend Micro
2009-11-16 23:25:13 ----A---- C:\Windows\ntbtlog.txt
2009-11-14 19:27:27 ----D---- C:\Program Files\CCleaner
2009-11-14 19:21:31 ----A---- C:\Windows\system32\javaws.exe
2009-11-14 19:21:31 ----A---- C:\Windows\system32\javaw.exe
2009-11-14 19:21:31 ----A---- C:\Windows\system32\java.exe
2009-11-14 19:21:31 ----A---- C:\Windows\system32\deploytk.dll
2009-11-13 00:26:29 ----D---- C:\Users\Scott\AppData\Roaming\Mozilla
2009-11-13 00:26:19 ----D---- C:\Program Files\Mozilla Firefox 3.6 Beta 2
2009-11-11 01:56:22 ----A---- C:\Windows\system32\WSDApi.dll
2009-11-08 23:36:09 ----D---- C:\Program Files\iPod
2009-11-06 02:46:40 ----A---- C:\ComboFix.txt
2009-11-06 02:23:25 ----A---- C:\Windows\NIRCMD.exe
2009-11-06 02:23:25 ----A---- C:\Windows\MBR.exe
2009-11-06 02:23:22 ----A---- C:\Windows\zip.exe
2009-11-06 02:23:22 ----A---- C:\Windows\SWXCACLS.exe
2009-11-06 02:23:22 ----A---- C:\Windows\SWSC.exe
2009-11-06 02:23:22 ----A---- C:\Windows\SWREG.exe
2009-11-06 02:23:22 ----A---- C:\Windows\sed.exe
2009-11-06 02:23:22 ----A---- C:\Windows\PEV.exe
2009-11-06 02:23:22 ----A---- C:\Windows\grep.exe
2009-11-06 02:23:06 ----D---- C:\Windows\ERDNT
2009-11-06 02:22:36 ----D---- C:\Qoobox
2009-11-04 19:10:37 ----A---- C:\Windows\system32\mshtml.dll
2009-11-01 12:33:05 ----D---- C:\Program Files\Windows Portable Devices
2009-11-01 12:21:48 ----A---- C:\Windows\system32\UIAnimation.dll
2009-11-01 12:21:46 ----A---- C:\Windows\system32\UIRibbonRes.dll
2009-11-01 12:21:46 ----A---- C:\Windows\system32\UIRibbon.dll
2009-11-01 12:21:12 ----A---- C:\Windows\system32\WMPhoto.dll
2009-11-01 12:21:09 ----A---- C:\Windows\system32\cdd.dll
2009-11-01 12:21:06 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-11-01 12:21:06 ----A---- C:\Windows\system32\d3d10warp.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\xpsservices.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\XpsRasterService.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\XpsPrint.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\XpsGdiConverter.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\WindowsCodecs.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-11-01 12:21:05 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\OpcServices.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\dxdiagn.dll
2009-11-01 12:21:05 ----A---- C:\Windows\system32\dxdiag.exe
2009-11-01 12:21:05 ----A---- C:\Windows\system32\d2d1.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\FntCache.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\dxgi.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\DWrite.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\d3d11.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\d3d10level9.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\d3d10core.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\d3d10_1core.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\d3d10_1.dll
2009-11-01 12:21:04 ----A---- C:\Windows\system32\d3d10.dll
2009-11-01 12:20:40 ----A---- C:\Windows\system32\WPDShextAutoplay.exe
2009-11-01 12:20:40 ----A---- C:\Windows\system32\wpdbusenum.dll
2009-11-01 12:20:40 ----A---- C:\Windows\system32\BthMtpContextHandler.dll
2009-11-01 12:20:33 ----A---- C:\Windows\system32\PortableDeviceConnectApi.dll
2009-11-01 12:20:29 ----A---- C:\Windows\system32\WPDShServiceObj.dll
2009-11-01 12:20:29 ----A---- C:\Windows\system32\wpdshext.dll
2009-11-01 12:20:29 ----A---- C:\Windows\system32\WpdMtpUS.dll
2009-11-01 12:20:29 ----A---- C:\Windows\system32\WpdConns.dll
2009-11-01 12:20:29 ----A---- C:\Windows\system32\wpd_ci.dll
2009-11-01 12:20:28 ----A---- C:\Windows\system32\WPDSp.dll
2009-11-01 12:20:28 ----A---- C:\Windows\system32\WpdMtp.dll
2009-11-01 12:20:28 ----A---- C:\Windows\system32\PortableDeviceWMDRM.dll
2009-11-01 12:20:28 ----A---- C:\Windows\system32\PortableDeviceTypes.dll
2009-11-01 12:20:28 ----A---- C:\Windows\system32\PortableDeviceClassExtension.dll
2009-11-01 12:20:28 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2009-11-01 12:19:27 ----A---- C:\Windows\system32\oleaccrc.dll
2009-11-01 12:19:26 ----A---- C:\Windows\system32\UIAutomationCore.dll
2009-11-01 12:19:26 ----A---- C:\Windows\system32\oleacc.dll
2009-11-01 12:17:22 ----A---- C:\Windows\system32\wmp.dll
2009-11-01 12:17:20 ----A---- C:\Windows\system32\unregmp2.exe
2009-11-01 12:17:18 ----A---- C:\Windows\system32\wmploc.DLL
2009-10-26 21:39:55 ----A---- C:\Windows\system32\wups2.dll
2009-10-26 21:39:55 ----A---- C:\Windows\system32\wucltux.dll
2009-10-26 21:39:55 ----A---- C:\Windows\system32\wuaueng.dll
2009-10-26 21:39:55 ----A---- C:\Windows\system32\wuauclt.exe
2009-10-26 21:39:16 ----A---- C:\Windows\system32\wups.dll
2009-10-26 21:39:16 ----A---- C:\Windows\system32\wudriver.dll
2009-10-26 21:39:16 ----A---- C:\Windows\system32\wuapi.dll
2009-10-26 21:39:04 ----A---- C:\Windows\system32\wuwebv.dll
2009-10-26 21:39:04 ----A---- C:\Windows\system32\wuapp.exe
2009-10-15 21:28:17 ----A---- C:\Windows\system32\msv1_0.dll
2009-10-15 21:27:56 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-10-15 21:27:56 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-10-15 21:27:51 ----A---- C:\Windows\system32\ieframe.dll
2009-10-15 21:27:50 ----A---- C:\Windows\system32\wininet.dll
2009-10-15 21:27:50 ----A---- C:\Windows\system32\urlmon.dll
2009-10-15 21:27:50 ----A---- C:\Windows\system32\occache.dll
2009-10-15 21:27:50 ----A---- C:\Windows\system32\msfeeds.dll
2009-10-15 21:27:50 ----A---- C:\Windows\system32\iertutil.dll
2009-10-15 21:27:50 ----A---- C:\Windows\system32\iedkcs32.dll
2009-10-15 21:27:49 ----A---- C:\Windows\system32\msfeedssync.exe
2009-10-15 21:27:49 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-10-15 21:27:49 ----A---- C:\Windows\system32\jsproxy.dll
2009-10-15 21:27:49 ----A---- C:\Windows\system32\ieUnatt.exe
2009-10-15 21:27:49 ----A---- C:\Windows\system32\ieui.dll
2009-10-15 21:27:49 ----A---- C:\Windows\system32\iesysprep.dll
2009-10-15 21:27:49 ----A---- C:\Windows\system32\iesetup.dll
2009-10-15 21:27:49 ----A---- C:\Windows\system32\iernonce.dll
2009-10-15 21:27:49 ----A---- C:\Windows\system32\iepeers.dll
2009-10-15 21:27:49 ----A---- C:\Windows\system32\ie4uinit.exe
2009-10-15 21:27:31 ----A---- C:\Windows\system32\msasn1.dll
2009-10-15 21:25:51 ----A---- C:\Windows\system32\WMSPDMOD.DLL
2009-10-12 01:39:02 ----D---- C:\Users\Scott\AppData\Roaming\com.fox.dollhouse.VirtualEcho.8DB2FB41E3AF9617470F9C3E78FDAAA51EF66383.1
2009-10-12 01:38:53 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-10-04 12:34:49 ----N---- C:\Windows\system32\MpSigStub.exe
2009-09-25 11:41:26 ----A---- C:\Windows\system32\divx_xx16.dll
2009-09-25 11:41:26 ----A---- C:\Windows\system32\divx_xx11.dll
2009-09-25 11:41:26 ----A---- C:\Windows\system32\divx_xx0c.dll
2009-09-25 11:41:26 ----A---- C:\Windows\system32\divx_xx0a.dll
2009-09-25 11:41:26 ----A---- C:\Windows\system32\divx_xx07.dll
2009-09-25 11:41:26 ----A---- C:\Windows\system32\DivX.dll
2009-09-22 23:59:23 ----D---- C:\Program Files\WinRAR
2009-09-22 22:47:36 ----D---- C:\Windows\WinRAR
2009-09-22 21:45:49 ----D---- C:\vghd
2009-09-22 21:42:24 ----D---- C:\Users\Scott\AppData\Roaming\vghd
2009-09-14 23:57:03 ----A---- C:\Windows\system32\GEARAspi.dll
2009-09-14 23:56:06 ----D---- C:\ProgramData\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-14 23:43:42 ----D---- C:\Program Files\QuickTime
2009-09-12 16:40:49 ----A---- C:\Windows\system32\jscript.dll
2009-09-12 16:40:45 ----A---- C:\Windows\system32\wlansec.dll
2009-09-12 16:40:45 ----A---- C:\Windows\system32\wlanmsm.dll
2009-09-12 16:40:45 ----A---- C:\Windows\system32\wlanapi.dll
2009-09-12 16:40:45 ----A---- C:\Windows\system32\L2SecHC.dll
2009-09-12 16:40:42 ----A---- C:\Windows\system32\wlansvc.dll
2009-09-12 16:40:31 ----A---- C:\Windows\system32\netiohlp.dll
2009-09-12 16:40:28 ----A---- C:\Windows\system32\NETSTAT.EXE
2009-09-12 16:40:28 ----A---- C:\Windows\system32\ARP.EXE
2009-09-12 16:40:27 ----A---- C:\Windows\system32\TCPSVCS.EXE
2009-09-12 16:40:27 ----A---- C:\Windows\system32\HOSTNAME.EXE
2009-09-12 16:40:27 ----A---- C:\Windows\system32\finger.exe
2009-09-12 16:40:25 ----A---- C:\Windows\system32\ROUTE.EXE
2009-09-12 16:40:25 ----A---- C:\Windows\system32\MRINFO.EXE
2009-09-12 16:40:21 ----A---- C:\Windows\system32\netevent.dll
2009-09-12 16:39:29 ----A---- C:\Windows\system32\WMVCORE.DLL
2009-09-12 16:39:28 ----A---- C:\Windows\system32\mf.dll
2009-09-12 16:39:05 ----A---- C:\Windows\system32\Apphlpdm.dll
2009-09-12 16:39:03 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-09-02 18:56:28 ----D---- C:\Program Files\Mozilla Firefox
2009-08-31 00:24:16 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-08-31 00:24:03 ----D---- C:\Program Files\SUPERAntiSpyware
2009-08-31 00:24:02 ----D---- C:\Users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2009-08-31 00:23:13 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-31 00:12:31 ----D---- C:\Windows\system32\SRSLabs
2009-08-31 00:11:39 ----A---- C:\Windows\system32\stcplx.dll
2009-08-31 00:11:39 ----A---- C:\Windows\system32\stapi32.dll
2009-08-31 00:11:39 ----A---- C:\Windows\system32\st326162.dll
2009-08-28 12:47:31 ----D---- C:\Users\Scott\AppData\Roaming\Malwarebytes
2009-08-28 12:47:25 ----D---- C:\ProgramData\Malwarebytes
2009-08-28 12:47:24 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-28 12:20:17 ----D---- C:\ProgramData\Office Genuine Advantage

======List of files/folders modified in the last 3 months======

2009-11-26 14:56:21 ----D---- C:\Windows\Prefetch
2009-11-26 14:56:13 ----D---- C:\Windows\Temp
2009-11-26 14:47:33 ----D---- C:\Users\Scott\AppData\Roaming\DNA
2009-11-26 11:39:12 ----D---- C:\Windows\System32
2009-11-25 22:01:05 ----D---- C:\Windows\rescache
2009-11-25 21:42:40 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-11-25 21:42:39 ----D---- C:\Windows\inf
2009-11-25 21:37:30 ----RD---- C:\Program Files
2009-11-25 21:35:49 ----D---- C:\Program Files\DNA
2009-11-25 21:34:36 ----AD---- C:\Windows
2009-11-25 21:32:25 ----D---- C:\Windows\system32\en-US
2009-11-25 21:31:49 ----D---- C:\Windows\winsxs
2009-11-25 21:31:27 ----D---- C:\Windows\system32\catroot
2009-11-25 21:30:04 ----SHD---- C:\System Volume Information
2009-11-25 21:28:31 ----D---- C:\Windows\system32\catroot2
2009-11-24 02:59:32 ----D---- C:\Users\Scott\AppData\Roaming\Vso
2009-11-22 16:52:47 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-11-22 16:51:33 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-11-22 16:50:27 ----D---- C:\Windows\system32\drivers
2009-11-22 12:45:08 ----D---- C:\Windows\Debug
2009-11-22 12:03:54 ----D---- C:\ProgramData\Roxio
2009-11-22 10:45:31 ----D---- C:\Users\Scott\AppData\Roaming\uTorrent
2009-11-21 20:39:24 ----D---- C:\Program Files\McAfee
2009-11-21 19:24:42 ----D---- C:\ProgramData
2009-11-17 21:46:47 ----D---- C:\Windows\system32\LogFiles
2009-11-15 13:33:17 ----D---- C:\ProgramData\Dl_cats
2009-11-14 19:24:33 ----SHD---- C:\Windows\Installer
2009-11-14 19:24:30 ----D---- C:\Program Files\Common Files
2009-11-14 19:20:52 ----D---- C:\Program Files\Java
2009-11-12 23:47:07 ----D---- C:\Users\Scott\AppData\Roaming\Move Networks
2009-11-11 08:06:11 ----D---- C:\Program Files\Windows Mail
2009-11-11 02:03:25 ----A---- C:\Windows\win.ini
2009-11-08 23:36:49 ----D---- C:\Program Files\iTunes
2009-11-08 23:36:09 ----D---- C:\Program Files\Common Files\Apple
2009-11-08 18:28:08 ----D---- C:\ProgramData\DVD Shrink
2009-11-08 17:21:07 ----D---- C:\Windows\system32\wbem
2009-11-08 17:20:22 ----D---- C:\Windows\system32\config
2009-11-08 17:20:10 ----D---- C:\Windows\Tasks
2009-11-08 17:20:10 ----D---- C:\Windows\system32\spool
2009-11-08 17:20:10 ----D---- C:\Windows\system32\Msdtc
2009-11-08 17:20:10 ----D---- C:\Windows\system32\CodeIntegrity
2009-11-08 17:20:10 ----D---- C:\Program Files\Windows Media Player
2009-11-08 17:20:10 ----D---- C:\Program Files\Internet Explorer
2009-11-08 17:20:09 ----D---- C:\Windows\registration
2009-11-08 17:20:09 ----D---- C:\DELL
2009-11-08 17:08:27 ----D---- C:\$Recycle.Bin
2009-11-08 17:07:43 ----RD---- C:\Users
2009-11-06 02:41:47 ----A---- C:\Windows\system.ini
2009-11-06 02:39:45 ----SD---- C:\Users\Scott\AppData\Roaming\Microsoft
2009-11-06 02:34:52 ----D---- C:\Windows\AppPatch
2009-11-05 09:36:22 ----A---- C:\Windows\system32\mrt.exe
2009-11-04 21:43:43 ----D---- C:\TuneTwisterEditor
2009-11-01 18:39:16 ----D---- C:\Windows\system32\Tasks
2009-11-01 12:33:01 ----D---- C:\Windows\system32\zh-HK
2009-11-01 12:33:01 ----D---- C:\Windows\system32\uk-UA
2009-11-01 12:33:01 ----D---- C:\Windows\system32\tr-TR
2009-11-01 12:33:01 ----D---- C:\Windows\system32\th-TH
2009-11-01 12:33:01 ----D---- C:\Windows\system32\sv-SE
2009-11-01 12:33:01 ----D---- C:\Windows\system32\sr-Latn-CS
2009-11-01 12:33:01 ----D---- C:\Windows\system32\sl-SI
2009-11-01 12:33:01 ----D---- C:\Windows\system32\pt-PT
2009-11-01 12:33:01 ----D---- C:\Windows\system32\pt-BR
2009-11-01 12:33:01 ----D---- C:\Windows\system32\pl-PL
2009-11-01 12:33:01 ----D---- C:\Windows\system32\nl-NL
2009-11-01 12:33:01 ----D---- C:\Windows\system32\ko-KR
2009-11-01 12:33:01 ----D---- C:\Windows\system32\it-IT
2009-11-01 12:33:01 ----D---- C:\Windows\system32\hu-HU
2009-11-01 12:33:01 ----D---- C:\Windows\system32\hr-HR
2009-11-01 12:33:01 ----D---- C:\Windows\system32\he-IL
2009-11-01 12:33:01 ----D---- C:\Windows\system32\fr-FR
2009-11-01 12:33:01 ----D---- C:\Windows\system32\fi-FI
2009-11-01 12:33:01 ----D---- C:\Windows\system32\el-GR
2009-11-01 12:33:01 ----D---- C:\Windows\system32\bg-BG
2009-11-01 12:33:00 ----D---- C:\Windows\system32\zh-TW
2009-11-01 12:33:00 ----D---- C:\Windows\system32\zh-CN
2009-11-01 12:33:00 ----D---- C:\Windows\system32\sk-SK
2009-11-01 12:33:00 ----D---- C:\Windows\system32\ru-RU
2009-11-01 12:33:00 ----D---- C:\Windows\system32\ro-RO
2009-11-01 12:33:00 ----D---- C:\Windows\system32\nb-NO
2009-11-01 12:33:00 ----D---- C:\Windows\system32\lv-LV
2009-11-01 12:33:00 ----D---- C:\Windows\system32\lt-LT
2009-11-01 12:33:00 ----D---- C:\Windows\system32\ja-JP
2009-11-01 12:33:00 ----D---- C:\Windows\system32\et-EE
2009-11-01 12:33:00 ----D---- C:\Windows\system32\es-ES
2009-11-01 12:33:00 ----D---- C:\Windows\system32\de-DE
2009-11-01 12:33:00 ----D---- C:\Windows\system32\da-DK
2009-11-01 12:33:00 ----D---- C:\Windows\system32\cs-CZ
2009-11-01 12:33:00 ----D---- C:\Windows\system32\ar-SA
2009-10-24 06:34:35 ----D---- C:\Program Files\DivX
2009-10-24 06:34:15 ----D---- C:\Program Files\Common Files\DivX Shared
2009-10-16 22:25:09 ----D---- C:\Windows\Microsoft.NET
2009-10-16 22:25:00 ----RSD---- C:\Windows\assembly
2009-10-15 22:35:39 ----D---- C:\Windows\ehome
2009-10-15 22:35:37 ----D---- C:\Windows\system32\migration
2009-10-12 01:39:03 ----D---- C:\ProgramData\Adobe
2009-10-12 01:38:16 ----D---- C:\Users\Scott\AppData\Roaming\Adobe
2009-09-19 15:38:44 ----D---- C:\ProgramData\McAfee
2009-09-14 23:57:03 ----DC---- C:\Windows\system32\DRVSTORE
2009-09-14 23:52:58 ----D---- C:\Program Files\Safari
2009-09-12 16:53:47 ----D---- C:\Program Files\Microsoft Silverlight
2009-08-31 00:11:38 ----D---- C:\Program Files\IDT
2009-08-31 00:11:33 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-30 20:56:57 ----D---- C:\Users\Scott\AppData\Roaming\FrostWire

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
R2 dvdmmg;dvdmmg; \??\C:\Windows\system32\drivers\dvdmmg.sys [2007-09-06 5504]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2008-03-11 46592]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2008-03-11 43008]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2008-03-11 38400]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP/Vista; C:\Windows\system32\DRIVERS\Apfiltr.sys [2008-06-30 170032]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-05-04 3548672]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver; C:\Windows\System32\Drivers\ATSwpWDF.sys [2008-06-30 475136]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2008-07-02 1207288]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-10 22528]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-20 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-10 29696]
R3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2008-03-11 81960]
R3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2008-03-11 100392]
R3 btwl2cap;Bluetooth L2CAP Service; C:\Windows\system32\DRIVERS\btwl2cap.sys [2008-03-11 29736]
R3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2008-03-11 17448]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2009-04-10 236544]
R3 itecir;ITECIR Infrared Receiver; C:\Windows\system32\DRIVERS\itecir.sys [2008-03-14 54784]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\k57nd60x.sys [2008-03-11 203264]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver; C:\Windows\system32\DRIVERS\OA001Ufd.sys [2009-03-06 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver; C:\Windows\system32\DRIVERS\OA001Vid.sys [2009-03-08 280096]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2009-08-21 47360]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-10 148992]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 STHDA;IDT High Definition Audio CODEC; C:\Windows\system32\DRIVERS\stwrt.sys [2009-03-16 398336]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
R3 wsvad_driver;WS Audio Device; C:\Windows\system32\drivers\VirtualAudio.sys [2008-10-17 16896]
S3 asbp2poa;asbp2poa; \??\C:\Users\Scott\AppData\Local\Temp\asbp2poa.sys []
S3 AVerBDA6x;AVerBDA6x service; C:\Windows\system32\DRIVERS\AVerBDA716x.sys [2007-11-21 1290240]
S3 BthPort;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-10 507904]
S3 catchme;catchme; \??\C:\Users\Scott\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-20 220672]
S3 fssfltr;FssFltr; C:\Windows\system32\DRIVERS\fssfltr.sys [2009-02-06 55280]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-05-04 3548672]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S3 UMSSSTOR;C-Media Storage; C:\Windows\system32\DRIVERS\UMSS.SYS [2004-07-13 48512]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AESTFilters;Andrea ST Filters Service; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-16 81920]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-05-04 667648]
R2 ATService;AuthenTec Fingerprint Service; C:\Program Files\Fingerprint Sensor\AtService.exe [2008-05-05 1168632]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2008-02-08 518696]
R2 dldt_device;dldt_device; C:\Windows\system32\dldtcoms.exe [2008-02-25 595184]
R2 DockLoginService;Dock Login Service; C:\Program Files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
R2 DpHost;@C:\Program Files\DigitalPersona\Bin\DpHostW.exe,-128; C:\Program Files\DigitalPersona\Bin\DpHostW.exe [2009-05-12 322624]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 358936]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-09 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
R2 STacSV;Audio Service; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe [2009-03-16 254042]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-10-28 545568]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\dldtserv.exe [2009-07-09 98984]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 fsssvc;Windows Live Family Safety; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2008-08-28 16680]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2008-03-24 74384]

-----------------EOF-----------------


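The driver list above is where a responder starts reading: one entry, asbp2poa, is registered from the user's Temp folder and RSIT prints an empty [] for it because it could not read the file's date and size. The following is an added example, not RSIT's code and not part of this thread, that parses lines in RSIT's driver-list shape and builds a worklist from exactly those two signals; the sample lines are constructed to match the log above, and the scoring rules are my own assumptions about how such a list is read.

```python
"""Triage an RSIT-style driver list for drivers that deserve a closer look.

Added example, not part of RSIT or of this thread. The sample lines are
constructed in the shape of the log posted above; the scoring rules and
the treatment of the [] field are my assumptions about how a responder
reads such a list.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RSIT prints: "<state><start> <name>;<display name>; <path> [<date> <size>]"
# and an empty [] when it could not read the file's timestamp and size.
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Constructed sample, modelled on the "List of drivers" section above.
SAMPLE_LINES = """\
R1 mfehidk;McAfee Inc. mfehidk; C:\\Windows\\system32\\drivers\\mfehidk.sys [2009-09-16 214664]
R3 atikmdag;atikmdag; C:\\Windows\\system32\\DRIVERS\\atikmdag.sys [2008-05-04 3548672]
S3 asbp2poa;asbp2poa; \\??\\C:\\Users\\Scott\\AppData\\Local\\Temp\\asbp2poa.sys []
S3 catchme;catchme; \\??\\C:\\Users\\Scott\\AppData\\Local\\Temp\\catchme.sys []
S4 MegaSR;MegaSR; C:\\Windows\\system32\\drivers\\megasr.sys [2008-01-20 386616]
""".splitlines()

NT_PREFIX = "\\??\\"  # object-manager prefix RSIT keeps on some paths


@dataclass
class Driver:
    state: str   # R = running, S = stopped
    start: int   # 0 boot .. 4 disabled
    name: str
    path: str
    meta: str    # "<date> <size>" or "" when RSIT could not stat the file

    @property
    def win_path(self) -> str:
        """Path with the \\??\\ prefix removed so it compares as a Win32 path."""
        return self.path[len(NT_PREFIX):] if self.path.startswith(NT_PREFIX) else self.path


def parse_driver_line(line: str) -> Optional[Driver]:
    m = DRIVER_RE.match(line)
    if not m:
        return None
    return Driver(m["state"], int(m["start"]), m["name"], m["path"], m["meta"].strip())


def indicators(drv: Driver) -> list:
    """Reasons, if any, why this driver belongs on the analyst's worklist."""
    reasons = []
    lowered = drv.win_path.lower()
    # Kernel drivers are installed under %SystemRoot%; one registered from a
    # Temp folder was dropped there by something, not by an installer.
    if "\\temp\\" in lowered:
        reasons.append("loads from a Temp directory")
    # An empty [] means RSIT could not read the file: deleted, or hidden from it.
    if not drv.meta:
        reasons.append("no timestamp/size (file missing or hidden)")
    # Random-looking eight-character names are only a weak signal, so report
    # them only when another indicator is already present.
    if reasons and re.fullmatch(r"[a-z0-9]{8}", drv.name):
        reasons.append("random-looking eight-character name")
    return reasons


def triage(lines):
    """Map driver name -> indicators, for every driver that has at least one."""
    findings = {}
    for line in lines:
        drv = parse_driver_line(line)
        if drv is not None:
            hits = indicators(drv)
            if hits:
                findings[drv.name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(hits)}")
```

Run over the sample it lists both Temp-resident drivers, asbp2poa and catchme. The output is a worklist, not a verdict: the same rule catches a driver dropped into Temp by a scanner the user ran, so part of the review is knowing which Temp-resident drivers belong to tools you loaded yourself.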

#5
November 26, 2009 at 19:26:11

Be sure to turn off or disable your antivirus and any anti-spyware that you have; Malwarebytes does not need to be turned off.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#6
November 27, 2009 at 11:17:25
I keep getting an error that I need permission to access the folder for ComboFix[1]. I also keep getting Trojan notices from the attached sites. Is there a better download location?

Okay, finally got the file downloaded and installed. When I run Combo-Fix, it sets up a restore point, then comes back with a statement of "rootkit activity" discovered, whatever that means, and forces a reboot. When I sign in again, Combo-Fix comes up and continues its scan, and it gets to Stage_3_Completed but suddenly cuts to a BSOD and reboots again. Suggestions?



#7
November 27, 2009 at 15:21:58
You may want to post the EXACT error message on the blue screen.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#8
November 27, 2009 at 16:28:12
First we are going to uninstall Combofix. Go to start> run> type in the bolded text ComboFix /Uninstall (note the space after ComboFix is needed)> click ok. Give the uninstaller a minute to run.

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file.
2. Extract avenger.exe to your desktop.

Copy all the text contained in the code box below between the X's to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Drivers to delete:
asbp2poa

Files to delete:
C:\Users\Scott\AppData\Local\Temp\asbp2poa.sys



XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Download ComboFix again but do not run it yet. Reboot the computer into safe mode using the F8 method only; any other method could lock up the computer with the rootkit functioning.

Remember: Spybot, Windows Defender and McAfee must be turned off or disabled before running ComboFix.

Now try to run ComboFix again from safe mode and post its log.



#9
November 27, 2009 at 21:01:17
Have you been able to correct this. I am now having the same issue. I upgraded my IE to Explorer 8 and now all of my search results are redirected with the same curly Q symbol.


#10
November 28, 2009 at 06:39:28
Still haven't been able to resolve this. Disabled all virus/malware apps, ran Avenger. Unfortunately, when the system tried to reboot after discovering the rootkit, I got a startup repair screen which required a system restore. I rebooted again after the system restore, ran Avenger again, this time flagged to disable rootkits upon detection; log will post below.

Upon reboot, I hit F8 to go into safe mode. Even in safe mode, Combo-Fix detected rootkit activity and had to reboot. If I reboot to safe mode again, it starts the cycle up in a perpetual loop - rootkit detected, reboot. Rootkit detected, reboot. If I just do a regular reboot, Combo-Fix kicks in just as it had done before - where it gets to Completed Stage_3, then I get a quick BSOD that flashes for a moment before my system reboots again.

The searches are still corrupted.

If I uninstall Firefox and re-install IE v8 from Microsoft, will that resolve this? Or does it seem like the problem file is something external to these apps that keeps flaring up? I've tried changing search programs within my defaults, and I've tried all manner of bots, scans, checks, onlines, offlines, safe modes, and prayer - none of which seem to find the issue. (To be fair, the prayer was a long shot, but sometimes the Goddess listens.)

Still no Combo-Fix log, because it never finishes running.

Anyway, here's the Avenger post from before (btw it just occurred to me that after the system restore, the .sys file I was supposed to delete is probably still on my pc again.):

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.




#11
November 28, 2009 at 09:25:09
Please run win32kdiag.exe again with the following command to fix some malware-related changes.
Please make sure that a copy of win32kdiag.exe is located on your desktop.

Click on Start->Run, and copy-paste (or type) the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
10. Exit GMER and re-enable all active protection when done.



#12
November 28, 2009 at 17:49:32
win32kdiag log file (11/28/09):


Running from: C:\Users\Scott\Desktop\Win32kDiag.exe

Log file at : C:\Users\Scott\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\bthservsdp.dat

Attempting to restore permissions of : C:\Windows\bthservsdp.dat

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Finished!



#13
November 28, 2009 at 18:02:07
Please run this tool also.

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.



#14
November 28, 2009 at 18:34:09
gmer.log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 21:25:40
Windows 6.0.6002 Service Pack 2
Running: su1x3v39.exe; Driver: C:\Users\Scott\AppData\Local\Temp\pxdcrfob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F9A779E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F9A7738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F9A774C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F9A77DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F9A781F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F9A7710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F9A7724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F9A77B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8F9A7847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8F9A7833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F9A778A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F9A7776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F9A780B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F9A77F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F9A77C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F9A7762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess


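Reading a GMER log is mostly bookkeeping: every kernel hook in the system section above is attributed by GMER to mfehidk.sys, which its own description labels as McAfee's driver, so those entries are expected on a machine running McAfee; the entries that need a human are the ones GMER cannot attribute to any loaded module, as with the user-mode JMP hooks in the gmer.log posted in this thread. The following is an added example, not GMER's code and not part of the thread, that does that separation over constructed lines in the shape of the log; which modules are expected to hook is an input the analyst supplies, and here it is an assumption.

```python
"""Summarise who owns the hooks in a GMER log.

Added example; not GMER's code and not from this thread. The sample
lines are constructed in the shape of the gmer.log posted above. Which
modules are *expected* to hook (an installed security product, say) is
an assumption the analyst passes in; the script only does the bookkeeping.
"""
import re
from collections import defaultdict

# "---- System ----" entries:  Code <module> (<description>) <function> [0x<addr>]
SYSTEM_RE = re.compile(
    r"^Code\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
# Kernel/user code-section entries:
#   .text|PAGE [<process>[<pid>]] <image>!<func> <addr> <n> Bytes JMP <target> [<module> (<desc>)]
# The trailing module is absent when GMER cannot place the JMP target inside
# any loaded module.
INLINE_RE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+"
    r"(?:(?P<process>.+?\[(?P<pid>\d+)\])\s+)?"
    r"(?P<image>\S+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Constructed sample in the shape of the log above (descriptions as GMER prints them).
SAMPLE_LOG = r"""
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F9A779E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
.text ntkrnlpa.exe!ZwYieldExecution 82036982 5 Bytes JMP 8F9A77CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8221B446 7 Bytes JMP 8F9A77E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EA10000, 0x1FB0FA, 0xE8000020]
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 01350FEF
.text C:\Windows\system32\svchost.exe[320] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 01600000
.text C:\Windows\system32\services.exe[632] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 003E0087
""".strip().splitlines()


def parse_hook(line):
    """One hook entry as a dict, or None for lines that are not hooks."""
    m = SYSTEM_RE.match(line)
    if m:
        return {"kind": "ssdt", "process": None, "func": m["func"],
                "owner": m["module"], "desc": m["desc"]}
    m = INLINE_RE.match(line)
    if m:
        return {"kind": "inline", "process": m["process"],
                "func": f"{m['image']}!{m['func']}",
                "owner": m["module"], "desc": m["desc"]}
    return None


def summarize(lines):
    """Return (hooks per owning module, list of hooks GMER could not attribute)."""
    per_owner = defaultdict(int)
    unattributed = []
    for line in lines:
        hook = parse_hook(line)
        if hook is None:
            continue
        if hook["owner"] is None:
            # JMP lands outside every loaded module: injected code or a
            # hook GMER does not know. Either way it is reviewed by hand.
            unattributed.append((hook["process"], hook["func"]))
        else:
            per_owner[hook["owner"].lower()] += 1
    return dict(per_owner), unattributed


def review(lines, expected_owners):
    """Owners not on the expected list (with hook counts), plus all unattributed hooks."""
    per_owner, unattributed = summarize(lines)
    expected = {e.lower() for e in expected_owners}
    unexpected = {owner: n for owner, n in per_owner.items()
                  if not any(owner.endswith(e) for e in expected)}
    return unexpected, unattributed


if __name__ == "__main__":
    # Assumption for this machine: McAfee's mfehidk.sys is the one driver
    # that is supposed to be hooking the kernel.
    unexpected, unattributed = review(SAMPLE_LOG, ["mfehidk.sys"])
    print("unexpected hook owners:", unexpected or "none")
    for process, func in unattributed:
        print(f"unattributed hook in {process}: {func}")
```

With mfehidk.sys on the expected list, the kernel hooks fall away and what remains are the three user-mode hooks whose targets GMER could not place in any module. Lines that are not hooks, such as the "section is writeable" note for atikmdag.sys, are skipped rather than misparsed.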

#15
November 28, 2009 at 18:39:53
gmer.log part 2:

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82036982 5 Bytes JMP 8F9A77CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 821CA5B5 5 Bytes JMP 8F9A7823 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 821D4B82 5 Bytes JMP 8F9A7766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 821FBD5D 5 Bytes JMP 8F9A780F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8221B446 7 Bytes JMP 8F9A77E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8221B709 5 Bytes JMP 8F9A77F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 8221F474 5 Bytes JMP 8F9A777A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82224E7D 7 Bytes JMP 8F9A77B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8222709A 5 Bytes JMP 8F9A7728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 8222BB48 5 Bytes JMP 8F9A7714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8224CD59 5 Bytes JMP 8F9A77A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8225D7B2 5 Bytes JMP 8F9A7837 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8225E9B6 5 Bytes JMP 8F9A784B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 8229C74B 5 Bytes JMP 8F9A773C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8229C796 7 Bytes JMP 8F9A7750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 8229D253 5 Bytes JMP 8F9A778E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x826CD000]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EA10000, 0x1FB0FA, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[320] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 01350F7E
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 013500C4
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 01350F41
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 01350F52
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 01350087
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 01350FCA
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 0135001B
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 013500B3
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 01350076
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 01350FB9
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 01350065
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 01350040
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 013500A2
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 01350F26
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 01350FEF
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 01350000
.text C:\Windows\system32\svchost.exe[320] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 01350F63
.text C:\Windows\system32\svchost.exe[320] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 014B004E
.text C:\Windows\system32\svchost.exe[320] msvcrt.dll!system 7700804B 5 Bytes JMP 014B003D
.text C:\Windows\system32\svchost.exe[320] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 014B0022
.text C:\Windows\system32\svchost.exe[320] msvcrt.dll!_open 7700D106 5 Bytes JMP 014B0000
.text C:\Windows\system32\svchost.exe[320] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 014B0FC3
.text C:\Windows\system32\svchost.exe[320] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 014B0011
.text C:\Windows\system32\svchost.exe[320] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 014A0F89
.text C:\Windows\system32\svchost.exe[320] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 014A0FAB
.text C:\Windows\system32\svchost.exe[320] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 014A0FEF
.text C:\Windows\system32\svchost.exe[320] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 014A0F9A
.text C:\Windows\system32\svchost.exe[320] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 014A0F6E
.text C:\Windows\system32\svchost.exe[320] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 014A0FCD
.text C:\Windows\system32\svchost.exe[320] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 014A0FDE
.text C:\Windows\system32\svchost.exe[320] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 014A0FBC
.text C:\Windows\system32\svchost.exe[320] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 01600000
.text C:\Windows\system32\svchost.exe[320] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 01600025
.text C:\Windows\system32\svchost.exe[320] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 01600FEF
.text C:\Windows\system32\svchost.exe[320] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 0160004A
.text C:\Windows\system32\svchost.exe[320] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 01340FEF
.text C:\Windows\system32\services.exe[632] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 003E0076
.text C:\Windows\system32\services.exe[632] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 003E0F3A
.text C:\Windows\system32\services.exe[632] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 003E0087
.text C:\Windows\system32\services.exe[632] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 003E0EFA
.text C:\Windows\system32\services.exe[632] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 003E0F66
.text C:\Windows\system32\services.exe[632] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 003E0FD4
.text C:\Windows\system32\services.exe[632] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 003E0025
.text C:\Windows\system32\services.exe[632] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 003E0065
.text C:\Windows\system32\services.exe[632] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 003E004A
.text C:\Windows\system32\services.exe[632] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 003E0FA8
.text C:\Windows\system32\services.exe[632] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 003E0F97
.text C:\Windows\system32\services.exe[632] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 003E0FC3
.text C:\Windows\system32\services.exe[632] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 003E0F55
.text C:\Windows\system32\services.exe[632] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 003E0098
.text C:\Windows\system32\services.exe[632] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 003E0FEF
.text C:\Windows\system32\services.exe[632] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 003E0000
.text C:\Windows\system32\services.exe[632] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 003E0F15
.text C:\Windows\system32\services.exe[632] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 003F0047
.text C:\Windows\system32\services.exe[632] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 003F002C
.text C:\Windows\system32\services.exe[632] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 003F0FE5
.text C:\Windows\system32\services.exe[632] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 003F0FA5
.text C:\Windows\system32\services.exe[632] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 003F0058
.text C:\Windows\system32\services.exe[632] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 003F0011
.text C:\Windows\system32\services.exe[632] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 003F0000
.text C:\Windows\system32\services.exe[632] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 003F0FC0
.text C:\Windows\system32\services.exe[632] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 0040002C
.text C:\Windows\system32\services.exe[632] msvcrt.dll!system 7700804B 5 Bytes JMP 00400F97
.text C:\Windows\system32\services.exe[632] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 00400FC3
.text C:\Windows\system32\services.exe[632] msvcrt.dll!_open 7700D106 5 Bytes JMP 00400FEF
.text C:\Windows\system32\services.exe[632] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 00400FA8
.text C:\Windows\system32\services.exe[632] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 00400FDE
.text C:\Windows\system32\services.exe[632] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00410FE5
.text C:\Windows\system32\services.exe[632] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00410FD4
.text C:\Windows\system32\services.exe[632] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 00410000
.text C:\Windows\system32\services.exe[632] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 00410011
.text C:\Windows\system32\services.exe[632] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00390FEF
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00120F5A
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00120F6B
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 00120F2E
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 001200C5
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 00120FA8
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 00120025
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 00120FDE
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 00120F86
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 00120FB9
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 0012005B
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 00120076
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 0012004A
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 00120F97
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 001200D6
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 00120FEF
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 0012000A
.text C:\Windows\system32\lsass.exe[648] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 00120F49
.text C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 00130054
.text C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 00130FCD
.text C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 00130FEF
.text C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 00130FA8
.text C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 00130F97
.text C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 00130025
.text C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 00130014
.text C:\Windows\system32\lsass.exe[648] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 00130FDE
.text C:\Windows\system32\lsass.exe[648] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 009F004E
.text C:\Windows\system32\lsass.exe[648] msvcrt.dll!system 7700804B 5 Bytes JMP 009F0033
.text C:\Windows\system32\lsass.exe[648] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 009F0022
.text C:\Windows\system32\lsass.exe[648] msvcrt.dll!_open 7700D106 5 Bytes JMP 009F0000
.text C:\Windows\system32\lsass.exe[648] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 009F0FC3
.text C:\Windows\system32\lsass.exe[648] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 009F0011
.text C:\Windows\system32\lsass.exe[648] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00110FEF
.text C:\Windows\system32\lsass.exe[648] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00A10FEF
.text C:\Windows\system32\lsass.exe[648] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00A10014
.text C:\Windows\system32\lsass.exe[648] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 00A10FDE
.text C:\Windows\system32\lsass.exe[648] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 00A10FC3

#16
November 28, 2009 at 18:40:56
gmer.log part 3:

.text C:\Windows\system32\svchost.exe[840] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 008A0F24
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 008A0F35
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 008A00A0
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 008A0F13
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 008A0056
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 008A0FC3
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 008A0FA8
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 008A0F46
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 008A0039
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 008A0F8D
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 008A0F7C
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 008A0014
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 008A0F61
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 008A0EE4
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 008A0FD4
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 008A0FE5
.text C:\Windows\system32\svchost.exe[840] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 008A008F
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!_wsystem 77007F2F 3 Bytes JMP 008C0038
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!_wsystem + 4 77007F33 1 Byte [89]
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!system 7700804B 3 Bytes JMP 008C0FA3
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!system + 4 7700804F 1 Byte [89]
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!_creat 7700BBE1 3 Bytes JMP 008C001D
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!_creat + 4 7700BBE5 1 Byte [89]
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!_open 7700D106 5 Bytes JMP 008C0000
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!_wcreat 7700D326 3 Bytes JMP 008C0FC8
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!_wcreat + 4 7700D32A 1 Byte [89]
.text C:\Windows\system32\svchost.exe[840] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 008C0FE3
.text C:\Windows\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 008B0FB9
.text C:\Windows\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 008B005B
.text C:\Windows\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 008B000A
.text C:\Windows\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 008B0FD4
.text C:\Windows\system32\svchost.exe[840] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 008B0FA8
.text C:\Windows\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 008B0FE5
.text C:\Windows\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 008B001B
.text C:\Windows\system32\svchost.exe[840] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 008B0036
.text C:\Windows\system32\svchost.exe[840] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[840] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 0092001B
.text C:\Windows\system32\svchost.exe[840] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 00920036
.text C:\Windows\system32\svchost.exe[840] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 00920FE5
.text C:\Windows\system32\svchost.exe[840] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00890000
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 009D0070
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 009D0F34
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 009D00B7
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 009D009C
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 009D004E
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 009D000A
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 009D001B
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 009D005F
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 009D0F74
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 009D002C
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 009D003D
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 009D0FAF
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 009D0F4F
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 009D0EFB
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 009D0FDE
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[856] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 009D008B
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 00C00049
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!system 7700804B 5 Bytes JMP 00C00038
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 00C00FE3
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_open 7700D106 5 Bytes JMP 00C00000
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 00C00FC8
.text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 00C0001D
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 009F0F83
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 009F0FAF
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 009F0000
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 009F0F94
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 009F0F72
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 009F0FCA
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 009F0FE5
.text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 009F001B
.text C:\Windows\system32\svchost.exe[856] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00FE0000
.text C:\Windows\system32\svchost.exe[856] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00FE0011
.text C:\Windows\system32\svchost.exe[856] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 00FE0022
.text C:\Windows\system32\svchost.exe[856] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 00FE0033
.text C:\Windows\system32\svchost.exe[856] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 008C0FEF
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 0096008B
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 0096007A
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 009600B7
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 0096009C
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 00960069
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 0096001B
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 00960FCA
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 00960F4F
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 00960F85
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 0096003D
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 0096004E
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 0096002C
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 00960F6A
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 009600C8
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 00960000
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 00960FEF
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 00960F2A
.text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 009D0FBC
.text C:\Windows\system32\svchost.exe[928] msvcrt.dll!system 7700804B 5 Bytes JMP 009D0047
.text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 009D0011
.text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_open 7700D106 5 Bytes JMP 009D0FE3
.text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 009D002C
.text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 009D0000
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 76D939AB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 009C0FAF
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 009C0FC0
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 009C0000
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 009C0047
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 009C0F94
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 009C0FDB
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 009C001B
.text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 009C002C
.text C:\Windows\system32\svchost.exe[928] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 009E0FEF
.text C:\Windows\system32\svchost.exe[928] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 009E0014
.text C:\Windows\system32\svchost.exe[928] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 009E0025
.text C:\Windows\system32\svchost.exe[928] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 009E0FCA
.text C:\Windows\system32\svchost.exe[928] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00950FEF
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00D80F43
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00D80F5E
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 00D80EFC
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 00D80F17
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 00D80F80
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 00D80FCA
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 00D8001B
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 00D80F6F
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 00D8004E
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 00D8002C
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 00D8003D
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 00D80FAF
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 00D80075
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 00D80EE1
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 00D80000
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 00D80FE5
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 00D80F28

#17
November 28, 2009 at 18:42:05
gmer.log part 4 (sorry, it won't take it unless I break it up into really small parts ... don't know how to publish a downloadable file on here, let alone know if it would be accepted.):

.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 00DA0047
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!system 7700804B 5 Bytes JMP 00DA002C
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 00DA0FC6
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_open 7700D106 5 Bytes JMP 00DA0000
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 00DA001B
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 00DA0FE3
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 00D90051
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 00D9001B
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 00D90000
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 00D9002C
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 00D90062
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 00D90FD4
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 00D90FEF
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 00D90FB9
.text C:\Windows\System32\svchost.exe[1040] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00DB0000
.text C:\Windows\System32\svchost.exe[1040] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00DB0FEF
.text C:\Windows\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 00DB002F
.text C:\Windows\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 00DB0FDE
.text C:\Windows\System32\svchost.exe[1040] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00D7000A
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 01120FAF
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 011200F5
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 01120F83
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 01120110
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 011200AE
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 01120025
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 01120036
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 011200E4
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 01120091
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 0112005B
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 01120080
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 01120FD4
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 011200C9
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 0112012B
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 01120FEF
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 0112000A
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 01120F94
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 01150F6B
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!system 7700804B 5 Bytes JMP 01150000
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 01150FAB
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_open 7700D106 5 Bytes JMP 01150FEF
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 01150F90
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 01150FD2
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 0114006C
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 01140040
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 01140000
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 0114005B
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 01140087
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 01140FE5
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 0114001B
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 01140FD4
.text C:\Windows\System32\svchost.exe[1072] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 011A000A
.text C:\Windows\System32\svchost.exe[1072] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 011A0025
.text C:\Windows\System32\svchost.exe[1072] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 011A0FEF
.text C:\Windows\System32\svchost.exe[1072] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 011A0036
.text C:\Windows\System32\svchost.exe[1072] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 01100000
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 011300BD
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 01130098
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 011300E2
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 01130F4B
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 01130076
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 01130FDB
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 01130FCA
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 01130087
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 0113005B
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 01130FAF
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 01130F9E
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 01130036
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 01130F77
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 011300FD
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 01130011
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 01130000
.text C:\Windows\system32\svchost.exe[1104] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 01130F5C
.text C:\Windows\system32\svchost.exe[1104] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 011D0F8B
.text C:\Windows\system32\svchost.exe[1104] msvcrt.dll!system 7700804B 5 Bytes JMP 011D0016
.text C:\Windows\system32\svchost.exe[1104] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 011D0FC1
.text C:\Windows\system32\svchost.exe[1104] msvcrt.dll!_open 7700D106 5 Bytes JMP 011D0FEF
.text C:\Windows\system32\svchost.exe[1104] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 011D0F9C
.text C:\Windows\system32\svchost.exe[1104] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 011D0FD2
.text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 01140062
.text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 01140FCA
.text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 01140000
.text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 01140051
.text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 01140087
.text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 01140036
.text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 0114001B
.text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 01140FE5
.text C:\Windows\system32\svchost.exe[1104] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 011E0FE5
.text C:\Windows\system32\svchost.exe[1104] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 011E0000
.text C:\Windows\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 011E0FCA
.text C:\Windows\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 011E001B
.text C:\Windows\system32\svchost.exe[1104] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 01120000
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00890F48
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 0089008E
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 00890F01
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 00890F1C
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 00890062
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 00890FDB
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 00890FCA
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 00890F63
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 00890F88
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 00890040
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 00890051
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 00890FAF
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 00890073
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 008900BD
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 00890011
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 00890000
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 00890F37
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 008F0014
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!system 7700804B 5 Bytes JMP 008F0F89
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 008F0FB5
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_open 7700D106 5 Bytes JMP 008F0FEF
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 008F0F9A
.text C:\Windows\system32\svchost.exe[1380] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 008F0FC6
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 008A0051
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 008A0FAF
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 008A0000
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 008A0036
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 008A0F94
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 008A0FE5
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 008A001B
.text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 008A0FD4
.text C:\Windows\system32\svchost.exe[1380] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00900FEF
.text C:\Windows\system32\svchost.exe[1380] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00900FCA
.text C:\Windows\system32\svchost.exe[1380] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 00900000
.text C:\Windows\system32\svchost.exe[1380] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 0090001B
.text C:\Windows\system32\svchost.exe[1380] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00350000
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 002D0F4B
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 002D0F5C
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 002D0F1F
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 002D0F30
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 002D006C
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 002D002C
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 002D0047
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 002D0091
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 002D0F92
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 002D0FC0
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 002D0FAF
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 002D0FDB
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 002D0F81
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 002D00D1
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 002D001B
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 002D0000
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 002D00AC
.text C:\Windows\system32\svchost.exe[1484] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 00970038
.text C:\Windows\system32\svchost.exe[1484] msvcrt.dll!system 7700804B 5 Bytes JMP 00970FAD
.text C:\Windows\system32\svchost.exe[1484] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 00970FE3
.text C:\Windows\system32\svchost.exe[1484] msvcrt.dll!_open 7700D106 5 Bytes JMP 00970000
.text C:\Windows\system32\svchost.exe[1484] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 00970FD2
.text C:\Windows\system32\svchost.exe[1484] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 00970011
.text C:\Windows\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 00960F9B
.text C:\Windows\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 0096002C
.text C:\Windows\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 00960FEF
.text C:\Windows\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 0096003D
.text C:\Windows\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 00960F80
.text C:\Windows\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 0096000A
.text C:\Windows\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 00960FD4
.text C:\Windows\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 0096001B
.text C:\Windows\system32\svchost.exe[1484] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 009C0FE5
.text C:\Windows\system32\svchost.exe[1484] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 009C0FD4
.text C:\Windows\system32\svchost.exe[1484] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 009C0FB9
.text C:\Windows\system32\svchost.exe[1484] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 009C000A



#18
November 28, 2009 at 18:42:39
gmer.log part 5 (last part):

.text C:\Windows\system32\svchost.exe[1484] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00260FEF
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 008F0F7E
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 008F00C4
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 008F011F
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 008F00FA
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 008F008E
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 008F0036
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 008F005B
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 008F0F8F
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 008F0FC0
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 008F006C
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 008F007D
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 008F0FE5
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 008F009F
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 008F0F6D
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 008F0025
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 008F000A
.text C:\Windows\system32\svchost.exe[1708] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 008F00E9
.text C:\Windows\system32\svchost.exe[1708] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 0091004B
.text C:\Windows\system32\svchost.exe[1708] msvcrt.dll!system 7700804B 5 Bytes JMP 0091003A
.text C:\Windows\system32\svchost.exe[1708] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 00910018
.text C:\Windows\system32\svchost.exe[1708] msvcrt.dll!_open 7700D106 5 Bytes JMP 00910FEF
.text C:\Windows\system32\svchost.exe[1708] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 00910029
.text C:\Windows\system32\svchost.exe[1708] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 00910FDE
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 00900FA8
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 00900036
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 00900000
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 00900FB9
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 00900F97
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 0090001B
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 00900FDB
.text C:\Windows\system32\svchost.exe[1708] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 00900FCA
.text C:\Windows\system32\svchost.exe[1708] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00930FEF
.text C:\Windows\system32\svchost.exe[1708] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00930FD4
.text C:\Windows\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1708] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 0093001B
.text C:\Windows\system32\svchost.exe[1708] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 008D0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2220] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2220] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 007B00B8
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 007B009D
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 007B00EE
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 007B00D3
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 007B0F9E
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 007B0FCA
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 007B001B
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreatePipe 75CA8E6E 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 007B0F72
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 007B0FAF
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 007B0051
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 007B0062
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 007B002C
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 007B0F83
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 007B00FF
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 007B0FDB
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 007B0000
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 007B0F61
.text C:\Windows\system32\svchost.exe[2472] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 00900069
.text C:\Windows\system32\svchost.exe[2472] msvcrt.dll!system 7700804B 5 Bytes JMP 00900058
.text C:\Windows\system32\svchost.exe[2472] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 00900FDE
.text C:\Windows\system32\svchost.exe[2472] msvcrt.dll!_open 7700D106 5 Bytes JMP 00900000
.text C:\Windows\system32\svchost.exe[2472] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 0090003D
.text C:\Windows\system32\svchost.exe[2472] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 00900FEF
.text C:\Windows\system32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 008F008E
.text C:\Windows\system32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 008F0058
.text C:\Windows\system32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 008F0000
.text C:\Windows\system32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 008F0069
.text C:\Windows\system32\svchost.exe[2472] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 008F009F
.text C:\Windows\system32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 008F002C
.text C:\Windows\system32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 008F001B
.text C:\Windows\system32\svchost.exe[2472] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 008F003D
.text C:\Windows\system32\svchost.exe[2472] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00950FE5
.text C:\Windows\system32\svchost.exe[2472] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00950FD4
.text C:\Windows\system32\svchost.exe[2472] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 0095000A
.text C:\Windows\system32\svchost.exe[2472] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 0095001B
.text C:\Windows\system32\svchost.exe[2472] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00750FE5
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00CE0F3A
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00CE0F4B
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 00CE0F04
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 00CE0F1F
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 00CE0F66
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 00CE0FE5
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 00CE0FD4
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 00CE0080
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 00CE0040
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 00CE0F9E
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 00CE0F8D
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 00CE0FB9
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 00CE005B
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 00CE0EF3
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 00CE001B
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 00CE0000
.text C:\Windows\system32\svchost.exe[2760] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 00CE009B
.text C:\Windows\system32\svchost.exe[2760] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 00D00049
.text C:\Windows\system32\svchost.exe[2760] msvcrt.dll!system 7700804B 5 Bytes JMP 00D0002E
.text C:\Windows\system32\svchost.exe[2760] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 00D00FC8
.text C:\Windows\system32\svchost.exe[2760] msvcrt.dll!_open 7700D106 5 Bytes JMP 00D00000
.text C:\Windows\system32\svchost.exe[2760] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 00D0001D
.text C:\Windows\system32\svchost.exe[2760] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 00D00FEF
.text C:\Windows\system32\svchost.exe[2760] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 00CF004A
.text C:\Windows\system32\svchost.exe[2760] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 00CF0FC3
.text C:\Windows\system32\svchost.exe[2760] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 00CF0FEF
.text C:\Windows\system32\svchost.exe[2760] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 00CF0FB2
.text C:\Windows\system32\svchost.exe[2760] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 00CF0065
.text C:\Windows\system32\svchost.exe[2760] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 00CF0014
.text C:\Windows\system32\svchost.exe[2760] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 00CF0FDE
.text C:\Windows\system32\svchost.exe[2760] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 00CF002F
.text C:\Windows\system32\svchost.exe[2760] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00D50FEF
.text C:\Windows\system32\svchost.exe[2760] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00D50000
.text C:\Windows\system32\svchost.exe[2760] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 00D50011
.text C:\Windows\system32\svchost.exe[2760] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 00D5002C
.text C:\Windows\system32\svchost.exe[2760] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00C9000A
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00C20F23
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00C20F3E
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 00C2009F
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!CreateProcessA 75C81C28 5 Bytes JMP 00C2008E
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!VirtualProtect 75C81DC3 5 Bytes JMP 00C20F77
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!CreateNamedPipeA 75C82EF5 5 Bytes JMP 00C20FCA
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!CreateNamedPipeW 75C85C0C 5 Bytes JMP 00C2001B
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!CreatePipe 75CA8E6E 5 Bytes JMP 00C20073
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!LoadLibraryExW 75CA9109 5 Bytes JMP 00C20051
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 00C20F94
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!LoadLibraryExA 75CA94B4 5 Bytes JMP 00C20036
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 00C20FAF
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!VirtualProtectEx 75CADBDA 5 Bytes JMP 00C20062
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!GetProcAddress 75CC903B 5 Bytes JMP 00C20EED
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!CreateFileW 75CCAECB 5 Bytes JMP 00C20000
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!CreateFileA 75CCCE5F 5 Bytes JMP 00C20FE5
.text C:\Windows\System32\svchost.exe[2868] kernel32.dll!WinExec 75D15CF7 5 Bytes JMP 00C20F12
.text C:\Windows\System32\svchost.exe[2868] msvcrt.dll!_wsystem 77007F2F 5 Bytes JMP 00C40058
.text C:\Windows\System32\svchost.exe[2868] msvcrt.dll!system 7700804B 5 Bytes JMP 00C40FCD
.text C:\Windows\System32\svchost.exe[2868] msvcrt.dll!_creat 7700BBE1 5 Bytes JMP 00C40022
.text C:\Windows\System32\svchost.exe[2868] msvcrt.dll!_open 7700D106 5 Bytes JMP 00C40000
.text C:\Windows\System32\svchost.exe[2868] msvcrt.dll!_wcreat 7700D326 5 Bytes JMP 00C4003D
.text C:\Windows\System32\svchost.exe[2868] msvcrt.dll!_wopen 7700D501 5 Bytes JMP 00C40011
.text C:\Windows\System32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyExA 76D939AB 5 Bytes JMP 00C3005B
.text C:\Windows\System32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyA 76D93BA9 5 Bytes JMP 00C30039
.text C:\Windows\System32\svchost.exe[2868] ADVAPI32.dll!RegOpenKeyA 76D989C7 5 Bytes JMP 00C30FEF
.text C:\Windows\System32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyW 76DA391E 5 Bytes JMP 00C3004A
.text C:\Windows\System32\svchost.exe[2868] ADVAPI32.dll!RegCreateKeyExW 76DA41F1 5 Bytes JMP 00C30076
.text C:\Windows\System32\svchost.exe[2868] ADVAPI32.dll!RegOpenKeyExA 76DA7C42 5 Bytes JMP 00C30FDE
.text C:\Windows\System32\svchost.exe[2868] ADVAPI32.dll!RegOpenKeyW 76DAE2B5 5 Bytes JMP 00C3000A
.text C:\Windows\System32\svchost.exe[2868] ADVAPI32.dll!RegOpenKeyExW 76DB7BA1 5 Bytes JMP 00C30FCD
.text C:\Windows\System32\svchost.exe[2868] WININET.dll!InternetOpenA 7734D690 5 Bytes JMP 00C60000
.text C:\Windows\System32\svchost.exe[2868] WININET.dll!InternetOpenW 7734DB09 5 Bytes JMP 00C6001B
.text C:\Windows\System32\svchost.exe[2868] WININET.dll!InternetOpenUrlA 7734F3A4 5 Bytes JMP 00C60036
.text C:\Windows\System32\svchost.exe[2868] WININET.dll!InternetOpenUrlW 77396DDF 5 Bytes JMP 00C60FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73CD7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73D2A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73CDBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73CCF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73CD75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73CCE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73D08395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73CDDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73CCFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73CCFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73CC71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73D5CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73CFC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73CCD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73CC6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73CC687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3524] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73CD2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001644ff022a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001644ff022a@001f5d4c00a2 0xAC 0x0B 0xE3 0xF0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\001644ff022a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BthPort\Parameters\Keys\001644ff022a@001f5d4c00a2 0xAC 0x0B 0xE3 0xF0 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x84 0x91 0x25 0xA1 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D91D12F6-FDD1-7FD7-D825-224E3779983F}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D91D12F6-FDD1-7FD7-D825-224E3779983F}@haaijnolnhdpbljl 0x6B 0x61 0x68 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D91D12F6-FDD1-7FD7-D825-224E3779983F}@iagipooekngnjgphlm 0x6B 0x61 0x68 0x68 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


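Reading the user-mode hook section above: every svchost.exe instance carries the same set of 5-byte JMP detours on process-creation, library-loading, file, registry, WinInet and socket APIs, and GMER prints no module after any of those target addresses, whereas the two mcproxy.exe hooks are resolved to McAfee's own binary. GMER names the owning module when it can map a detour target to a loaded image; a bare address means the code the JMP lands in is not file-backed. The script below is an added example, not part of the thread and not GMER's code: it parses lines in that format, separates attributed (vendor) hooks from unattributed ones, and reports API sets that recur identically across processes, which is the fingerprint of one injected component rather than of several unrelated ones. The embedded sample log is a constructed subset of the entries posted above.

```python
"""Triage the ".text" user-mode hook lines from a GMER log: parse each inline
hook, group hooks by process, and flag detours whose JMP target GMER could not
attribute to any loaded module."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample in the shape of the log above: a few of the thread's own
# svchost.exe entries plus one of the McAfee mcproxy.exe entries for contrast.
SAMPLE_GMER_LOG = r"""
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 00890F01
.text C:\Windows\system32\svchost.exe[1380] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 00890FAF
.text C:\Windows\system32\svchost.exe[1380] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00350000
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!CreateProcessW 75C81BF3 5 Bytes JMP 002D0F1F
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!LoadLibraryA 75CA94DC 5 Bytes JMP 002D0FDB
.text C:\Windows\system32\svchost.exe[1484] WS2_32.dll!socket 75BF36D1 5 Bytes JMP 00260FEF
.text C:\Windows\system32\svchost.exe[2472] kernel32.dll!CreatePipe 75CA8E6E 1 Byte [E9]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2220] kernel32.dll!LoadLibraryW 75CA9362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<count>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)
# "JMP <target>" optionally followed by the module GMER mapped the target to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>\S.*))?$")


@dataclass(frozen=True)
class Hook:
    image: str              # hooked process image
    pid: int
    api: str                # "module!function"
    target: Optional[int]   # JMP destination; None for a partial patch like "1 Byte [E9]"
    owner: Optional[str]    # module GMER attributed the target to, or None


def parse_hook_line(line: str) -> Optional[Hook]:
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    j = JMP_RE.match(m["patch"])
    return Hook(
        image=m["image"],
        pid=int(m["pid"]),
        api=f"{m['module']}!{m['func']}",
        target=int(j["target"], 16) if j else None,
        owner=j["owner"] if j else None,
    )


def parse_hooks(text: str) -> List[Hook]:
    return [h for h in map(parse_hook_line, text.splitlines()) if h is not None]


def unattributed_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose detour GMER could not map to a loaded module: the code the
    JMP lands in is not file-backed, which is what injected code looks like."""
    return [h for h in hooks if h.owner is None]


def hook_signatures(hooks: List[Hook]) -> Dict[int, FrozenSet[str]]:
    """pid -> set of APIs with unattributed hooks in that process."""
    sig: Dict[int, set] = defaultdict(set)
    for h in unattributed_hooks(hooks):
        sig[h.pid].add(h.api)
    return {pid: frozenset(apis) for pid, apis in sig.items()}


def shared_signatures(hooks: List[Hook], min_processes: int = 2) -> Dict[FrozenSet[str], List[int]]:
    """API sets that recur identically in at least min_processes processes.
    One component injected into every svchost hooks the same APIs everywhere;
    that repetition is the thing to look for, not any single address."""
    by_sig: Dict[FrozenSet[str], List[int]] = defaultdict(list)
    for pid, apis in hook_signatures(hooks).items():
        by_sig[apis].append(pid)
    return {apis: sorted(pids) for apis, pids in by_sig.items() if len(pids) >= min_processes}


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_GMER_LOG)
    for apis, pids in shared_signatures(hooks).items():
        print(f"pids {pids} share {len(apis)} unattributed hooks: {sorted(apis)}")
    for h in hooks:
        if h.owner:
            print(f"pid {h.pid} {h.api} -> {h.owner}  (attributed, vendor hook)")
```

Run against the full log rather than the sample, the same three functions give one signature shared by every svchost.exe PID listed above and a single attributed pair for mcproxy.exe; a vendor hook with a named owner is not by itself evidence of anything.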

#19
November 28, 2009 at 18:56:02
You must have a different version of GooredFix.exe ... there isn't a Goored.exe file included, just the GooredFix.exe which doesn't install anything, it just launches straight into the application and doesn't give me a chance to enter 1,2, or otherwise - just says "GooredFix will automatically scan for malware, click yes to continue or no to exit."

Log is attached:

GooredFix by jpshortstuff (27.11.09.1)
Log created at 21:57 on 28/11/2009 (Scott)
Firefox version 3.6b3 (en-US)

========== Script ==========

Unable to open script [2].

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [01:54 31/01/2009]
"otis@digitalpersona.com"="C:\Program Files\DigitalPersona\Bin\FirefoxExt\" [20:36 27/06/2009]

---------- Old Logs ----------
GooredFix[02.49.00_29-11-2009].txt
GooredFix[02.53.11_29-11-2009].txt

-=E.O.F=-



#20
November 28, 2009 at 21:06:05
Yea, looks like I have an older copy.

Download SystemLook.exe from the following link.


SystemLook.exe


1. Double-click SystemLook.exe to run it.
2. Copy the content of the following code between the X's into the main textfield:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
:filefind
iaStor*
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
3. Click the Look button to start the scan.
4. When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt



#21
November 28, 2009 at 22:38:22
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 01:37 on 29/11/2009 by Scott (Administrator - Elevation successful)

========== filefind ==========

Searching for "iaStor*"
C:\Drivers\storage\R180982\iastor.cat --a--- 11128 bytes [02:09 29/08/2008] [06:44 11/03/2008] 13E7374A879A8EE74EEDB032118DE0D4
C:\Drivers\storage\R180982\iastor.inf --a--- 7676 bytes [02:09 29/08/2008] [06:44 11/03/2008] A3687F81896CD69048320583E2E70CBC
C:\Drivers\storage\R180982\iastor.sys --a--- 305176 bytes [02:09 29/08/2008] [06:44 11/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.cat --a--- 11694 bytes [23:36 28/08/2008] [02:32 18/10/2007] D381B5B3A6037096D6163A37AC1FAC93
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.inf --a--- 7676 bytes [23:36 28/08/2008] [02:38 30/09/2007] 7B045FDC2DE32615D924734BCDDEB3DE
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 384024 bytes [23:36 28/08/2008] [04:03 30/09/2007] 16A4671255CFB842225F0FDB6DBDB414
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.cat --a--- 11694 bytes [23:36 28/08/2008] [02:32 18/10/2007] 648DC3401A410A1A15DB9AB5FD0D61A6
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.inf --a--- 7676 bytes [23:36 28/08/2008] [02:38 30/09/2007] 7B045FDC2DE32615D924734BCDDEB3DE
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a--- 308248 bytes [23:36 28/08/2008] [04:03 30/09/2007] E5A0034847537EAEE3C00349D5C34C5F
C:\Qoobox\Quarantine\C\Windows\System32\drivers\iaStor.sys.vir --a--- 305176 bytes [05:25 28/11/2009] [06:44 11/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\Windows\inf\iastorv.inf --a--- 12918 bytes [10:25 02/11/2006] [02:30 21/01/2008] 9B38AC49C462638C49D90294DCB201D4
C:\Windows\inf\iastorv.PNF --a--- 15764 bytes [10:25 02/11/2006] [00:23 14/08/2009] E56BB87428CE9C66DAD3060790C32CB9
C:\Windows\System32\DriverStore\en-US\iastorv.inf_loc --a--- 1996 bytes [02:25 21/01/2008] [02:25 21/01/2008] 952CB91EA90A81DE9504A3DCB8B03D73
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_cfa1dde4\iaStor.sys --a--- 305176 bytes [02:16 29/08/2008] [06:44 11/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ec8a8d1b\iaStor.cat --a--- 11128 bytes [02:16 29/08/2008] [06:44 11/03/2008] 13E7374A879A8EE74EEDB032118DE0D4
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ec8a8d1b\iastor.inf --a--- 7676 bytes [02:16 29/08/2008] [06:44 11/03/2008] A3687F81896CD69048320583E2E70CBC
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ec8a8d1b\iaStor.sys --a--- 305176 bytes [02:16 29/08/2008] [06:44 11/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iastorv.inf --a--- 12922 bytes [10:25 02/11/2006] [06:35 02/11/2006] BB4598DC979AD7AEFD50CA833000AC70
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys --a--- 232040 bytes [10:25 02/11/2006] [09:51 02/11/2006] C957BF4B5D80B46C5017BF0101E6C906
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iastorv.inf --a--- 12918 bytes [02:23 21/01/2008] [02:23 21/01/2008] 9B38AC49C462638C49D90294DCB201D4
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys --a--- 235064 bytes [02:23 21/01/2008] [02:23 21/01/2008] 54155EA1B0DF185878E0FC9EC3AC3A14
C:\Windows\System32\drivers\iaStor(86).sys --a--- 305176 bytes [02:16 29/08/2008] [06:44 11/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\Windows\System32\drivers\iaStor.sys --a--- 305176 bytes [02:16 29/08/2008] [06:44 11/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\Windows\System32\drivers\iaStorV.sys --a--- 235064 bytes [07:36 02/11/2006] [02:23 21/01/2008] 54155EA1B0DF185878E0FC9EC3AC3A14
C:\Windows\winsxs\x86_iastorv.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e6bd39778512b6f3\iastorv.inf_loc --a--- 2000 bytes [12:41 02/11/2006] [12:41 02/11/2006] C56F136AF74F80A8FE00311E1506C073
C:\Windows\winsxs\x86_iastorv.inf.resources_31bf3856ad364e35_6.0.6001.18000_en-us_e8f3fb7381fdc7c7\iastorv.inf_loc --a--- 1996 bytes [02:25 21/01/2008] [02:25 21/01/2008] 952CB91EA90A81DE9504A3DCB8B03D73
C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iastorv.inf --a--- 12918 bytes [02:23 21/01/2008] [02:23 21/01/2008] 9B38AC49C462638C49D90294DCB201D4
C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys --a--- 235064 bytes [02:23 21/01/2008] [02:23 21/01/2008] 54155EA1B0DF185878E0FC9EC3AC3A14

-=End Of File=-



#22
November 28, 2009 at 23:18:40
Open a command window (Start -> Run, type CMD and click OK; Vista may be a little different). At the prompt, copy and paste the following command and press Enter:

Copy /Y C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_cfa1dde4\iaStor.sys C:\ (note: the space after Copy, the /Y, and iaStor.sys are all needed)

Exit

You should receive a message, "1 file copied". This is important, as the next set of instructions won't work unless this message is received.

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Copy all the text contained in the code box below between the X's to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to move::
C:\iastor.sys | C:\WINDOWS\system32\Drivers\iastor.sys


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.


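The step above relies on the file listing earlier in the thread: every staged copy of iaStor.sys under DriverStore\FileRepository carries the same MD5, so one of them is used as the known-good source and moved over the live driver in System32\drivers at boot. The check a practitioner wants before and after such a swap is to compare the live driver's hash against the DriverStore copies. The Python below is an added example, not part of the original post or of any tool named in the thread: it parses lines in the listing format shown above and reports whether the live copy of a driver matches any staged copy. The sample listing is constructed for the example; the live iaStor.sys hash in it is a made-up value so the mismatch path is exercised, and it says nothing about the real machine. One caveat the thread itself reflects: a hash read through the running kernel is only as trustworthy as that kernel, which is why the helper asks for a fresh GMER scan afterwards rather than taking the file system's word for it.

```python
import re

# One line of the search-tool listing shown above:
#   <path> <attributes> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

DRIVERSTORE = "\\driverstore\\filerepository\\"   # where Windows stages trusted driver copies
LIVE_DIR = "\\system32\\drivers\\"                 # where the kernel loads drivers from

# Constructed sample input in the listing format above. The DriverStore and
# iaStorV.sys lines mirror the real log; the live iaStor.sys hash is a made-up
# value (assumption) so that the MISMATCH branch is demonstrated.
SAMPLE_LISTING = r"""
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_cfa1dde4\iaStor.sys --a--- 305176 bytes [02:16 29/08/2008] [06:44 11/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ec8a8d1b\iaStor.sys --a--- 305176 bytes [02:16 29/08/2008] [06:44 11/03/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\Windows\System32\drivers\iaStor.sys --a--- 305176 bytes [02:16 29/08/2008] [06:44 11/03/2008] 0123456789ABCDEF0123456789ABCDEF
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys --a--- 232040 bytes [10:25 02/11/2006] [09:51 02/11/2006] C957BF4B5D80B46C5017BF0101E6C906
C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys --a--- 235064 bytes [02:23 21/01/2008] [02:23 21/01/2008] 54155EA1B0DF185878E0FC9EC3AC3A14
C:\Windows\System32\drivers\iaStorV.sys --a--- 235064 bytes [07:36 02/11/2006] [02:23 21/01/2008] 54155EA1B0DF185878E0FC9EC3AC3A14
"""


def parse_listing(text):
    """Turn listing lines into dicts; fail loudly on a line we do not understand."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()   # file name, case-folded
        entries.append(e)
    return entries


def driverstore_hashes(entries, name):
    """MD5s of every copy of `name` staged under DriverStore\\FileRepository.
    Several distinct hashes are normal here: different driver versions coexist."""
    name = name.lower()
    return {e["md5"] for e in entries
            if e["name"] == name and DRIVERSTORE in e["path"].lower()}


def live_copy(entries, name):
    """The entry for the copy the kernel actually loads, or None."""
    name = name.lower()
    for e in entries:
        if e["name"] == name and e["path"].lower().endswith(LIVE_DIR + name):
            return e
    return None


def check_live_driver(entries, name):
    """Return (status, live_md5, driverstore_md5s).
    status is 'match', 'MISMATCH', 'missing' (no live copy) or 'no-reference'."""
    live = live_copy(entries, name)
    refs = driverstore_hashes(entries, name)
    if live is None:
        return ("missing", None, refs)
    if not refs:
        return ("no-reference", live["md5"], refs)
    return ("match" if live["md5"] in refs else "MISMATCH", live["md5"], refs)


def clean_source(entries, name):
    """A staged copy to restore from, preferring one the same size as the live file
    (the helper above chose the iaahci.inf_... copy for iaStor.sys this way)."""
    name = name.lower()
    live = live_copy(entries, name)
    for e in entries:
        if e["name"] == name and DRIVERSTORE in e["path"].lower():
            if live is None or e["size"] == live["size"]:
                return e["path"]
    return None


ENTRIES = parse_listing(SAMPLE_LISTING)

if __name__ == "__main__":
    for drv in ("iaStor.sys", "iaStorV.sys"):
        status, live_md5, refs = check_live_driver(ENTRIES, drv)
        print(f"{drv}: {status} live={live_md5} driverstore={sorted(refs)}")
        if status == "MISMATCH":
            print("  restore from:", clean_source(ENTRIES, drv))
```

On the real listing in this thread the live iaStor.sys and iaStorV.sys both match a staged copy; the script only reports a mismatch because of the constructed hash in the sample. Run it against a fresh listing after the Avenger move to confirm the live driver now hashes identically to the DriverStore source.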

#23
November 29, 2009 at 08:52:48
Avenger says that's an invalid script, and that scripts must begin with a directive...?

Should I click the box option that says "automatically disable any rootkits found"?



#24
November 29, 2009 at 09:01:11
Looks like I had the code wrong, try it again using the code below.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to move:
C:\iastor.sys | C:\WINDOWS\system32\Drivers\iastor.sys


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



#25
November 29, 2009 at 12:52:14
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\iastor.sys|C:\WINDOWS\system32\Drivers\iastor.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



#26
November 29, 2009 at 14:37:43
Please run Gmer again and post its log.

Are you still being redirected?



#27
November 30, 2009 at 22:17:12
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-12-01 01:13:03
Windows 6.0.6002 Service Pack 2
Running: su1x3v39.exe; Driver: C:\Users\Scott\AppData\Local\Temp\pxdcrfob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8FCC379E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8FCC3738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8FCC374C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8FCC37DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8FCC381F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8FCC3710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8FCC3724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8FCC37B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8FCC3847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8FCC3833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8FCC378A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8FCC3776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8FCC380B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8FCC37F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8FCC37C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8FCC3762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

and that seems to have done it, because I am no longer getting redirected! :) Thanks!!!



#28
December 1, 2009 at 05:49:12
Your Gmer log is clean.

A little clean-up to do.

Delete RSIT, Gmer and Win32kDiag from your desktop.

Go to start > run > type in ComboFix /Uninstall (note the space after ComboFix) then press enter > run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.

Next, create a new restore point. Go to start > run > type in msconfig > ok > click launch system restore > check the circle beside "create a restore point" > next > name it today's date > create > click home > exit the system configuration utility > restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

Glad we could help.



#29
December 1, 2009 at 22:13:47
Cleaned, polished, and running like a shiny new toy again. Thanks for your help.
