SpywareInfo Forum: Affected by www.6700.cn, need help - SpywareInfo Forum


Affected by www.6700.cn, need help my hijack log

#1 hshi

Posted 04 March 2009 - 10:07 AM

Can someone please take a look and give me some hints. I am starting to pull my hair off now...
Thanks a lot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:45 AM, on 04/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.API.Service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\gjntxa.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98Service.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\xbehk.exe
C:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\xbehk.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\product\10.2.0\db_1\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\oracle\product\10.2.0\db_1\bin\emagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\huis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\EyeDefender\EyeDefender.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\DOWNLO~1\SQLDEV~2\SQLDEV~1\SQLDEV~1.EXE
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=1027252
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\WINDOWS\system32\DEB0.exe
O2 - BHO: IESuper - {1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} - C:\PROGRA~1\IESuper\iesuper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UUSEE] C:\Program Files\Common Files\uusee\UUSeeMediaCenter.exe
O4 - HKLM\..\Run: [LBPlatform] C:\Program Files\Boobaa10\LBPlatform.exe
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKLM\..\RunOnce: [ZucB] %systemroot%\system32\rundll32.exe %systemroot%\system32\uRMu.dll,DllRegisterServer
O4 - HKLM\..\RunOnce: [CPushSetup] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Common Files\PushWare\cpush.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\huis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Program Files\Mikogo\Mikogo.exe"
O4 - HKCU\..\Run: [EyeDefender] "C:\Program Files\EyeDefender\EyeDefender.exe" /silent
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [TaskMon] C:\Documents and Settings\huis\Application Data\taskmon.exe
O4 - HKCU\..\Run: [winlegon.exe] C:\WINDOWS\system32\winlegon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O15 - Trusted Zone: http://www.rms-inc.com
O16 - DPF: {51E5ED4D-49A4-46BB-8379-FE64657E8037} (TC40Time Control) - http://camptc1/tc4/i...ct/TCTime40.cab
O16 - DPF: {6B6D11BB-3594-11D5-8691-0080C8D67C8B} (TC40Admin Control) - http://camptc1/tc4/i...t/TCAdmin40.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://uslafsastudio...ads/arview2.cab
O16 - DPF: {D5218894-C398-412B-8790-721291A10AA6} (AsteaTreeView.TV) - http://uslafsastudio...teaTreeView.CAB
O16 - DPF: {E1E97E56-0E53-11D5-8685-0080C8D67C8B} (TC40Tables Control) - http://camptc1/tc4/i.../TCTables40.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stratosglobal.net
O17 - HKLM\Software\..\Telephony: DomainName = stratosglobal.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stratosglobal.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stratosglobal.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\D32D9ABFBE354AC8A84F07C309C1E3AF\Skype4COM.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\system32\hsppp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: 65BCFFC0 - Unknown owner - C:\WINDOWS\Fonts\3BFAE800.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Astea Alliance API (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.API.Service.exe
O23 - Service: Astea Alliance BMService (AsteaAlliance80) - Astea International Inc - C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.BMService.exe
O23 - Service: Astea DSE Engine (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\External\Dse\Astea.DSE.Engine.Service.exe
O23 - Service: Astea DSE Loader (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\External\Dse\Astea.DSE.Loader.Service.exe
O23 - Service: Astea Utility Service (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.UtilityService.exe
O23 - Service: Astea.AO.Escalation.Service (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.Escalation.Service.exe
O23 - Service: AsteaRemoteInbound (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\External\Astea.EO.Remote.Inbound.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - CA - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 15036 bytes

#2 shaferintl

Posted 06 March 2009 - 06:35 AM

hshi,

Thanks for your patience. Your log indicates that you have Malware on your system. Let's get started.

Your log reveals a backdoor bot. These can severely compromise personal information which could lead to identity theft.

If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Should you have any questions, please feel free to ask.

Download SDFix and save it to your Desktop. Do not execute it.

Download Dr.Web CureIt to the desktop. Do not execute it.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix as follows:
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.
Boot your PC into Safe Mode, as before.

Run Dr.Web CureIt as follows:
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
Please post the SDFix Report.txt, the DrWeb.csv report, and a new HijackThis log in your next reply. Please also say how your computer is running now. :)
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
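
An added example, not part of the original thread or of any tool named in it: a small Python triage pass over HijackThis-format lines, showing how the section codes (R0, F3, O4, O23) in a log like the one in post #1 can be parsed and ranked for review. The sample lines are copied from that log; the heuristics (`DATA_DIRS`, flagging any `win.ini` autostart, flagging a non-blank start page) are assumptions chosen for illustration, and a finding means "look at this first", not a verdict.

```python
import re
from ntpath import basename, dirname  # Windows path semantics on any OS

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=1027252
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\DEB0.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [TaskMon] C:\Documents and Settings\huis\Application Data\taskmon.exe
O23 - Service: 65BCFFC0 - Unknown owner - C:\WINDOWS\Fonts\3BFAE800.EXE
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")               # "O23 - <body>"
START_PAGE = re.compile(r"^(HK\w+)\\.*,Start Page = (.*)$")   # R0/R1 start page
WIN_INI = re.compile(r"^REG:win\.ini: (load|run)=(.+)$", re.I)
RUN_KEY = re.compile(r"^(\S+): \[([^\]]*)\] (.+)$")           # "HKLM\..\Run: [name] cmd"
BINARY = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat))", re.I)

# Assumption (illustrative heuristic): programs are not normally started
# from directly inside one of these directories.
DATA_DIRS = {"fonts", "application data", "temp"}


def binary_path(cmdline):
    """Return the program path from a command line, dropping its arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    m = BINARY.match(cmdline)
    return m.group(1) if m else cmdline


def in_data_dir(path):
    """True when the file's immediate parent directory is in DATA_DIRS."""
    return basename(dirname(path.strip())).lower() in DATA_DIRS


def triage(log):
    """Return (code, reason, detail) tuples for entries worth reviewing first."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.groups()
        if code in ("R0", "R1"):
            sp = START_PAGE.match(body)
            value = sp.group(2).strip() if sp else ""
            if value.lower() not in ("", "about:blank"):
                findings.append((code, "IE start page is set", value))
        elif code == "F3":
            wi = WIN_INI.match(body)
            if wi:
                reason = "win.ini %s= autostart" % wi.group(1).lower()
                findings.append((code, reason, wi.group(2).strip()))
        elif code == "O4":
            rk = RUN_KEY.match(body)
            if rk and in_data_dir(binary_path(rk.group(3))):
                findings.append((code, "autostart from a data directory",
                                 binary_path(rk.group(3))))
        elif code == "O23":
            # "Service: <name> - <owner> - <path>"; split from the right so a
            # " - " inside the service name does not shift the fields.
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3 and in_data_dir(parts[2]):
                reason = "service binary in a data directory (owner: %s)" % parts[1]
                findings.append((code, reason, parts[2].strip()))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print("%-4s %-55s %s" % (code, reason, detail))
```

"Unknown owner" on its own is not treated as a finding here: the Oracle listener service in the sample carries that label too and is not flagged.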

#3 hshi

Posted 12 March 2009 - 03:28 PM

Thanks, but it seems I can't boot into safe mode. It says the hardware has some changes. If I can't boot into safe mode, how can I clean up those viruses?
thanks


#4 shaferintl

Posted 13 March 2009 - 05:34 AM

hshi,

Thanks for the reply. When you reply to a post, use the "Add Reply" button all the way at the bottom of the thread (instead of the "Reply"). This will eliminate having a copy of my original post to you. Thanks.

Go ahead and execute my complete instructions, except without booting into Safe mode. Post your results.

Thanks! :thumbsup:

This post has been edited by shaferintl: 13 March 2009 - 05:35 AM

shaferintl


#5 hshi

Posted 17 March 2009 - 11:19 AM

Thanks, I tried to run the first bat file without rebooting into safe mode, but the program won't run as it requires to run under safe mode. It seems the virus corrupted the safe mode startup; is there any way to get it fixed?
Thanks

#6 shaferintl

Posted 17 March 2009 - 11:54 AM

hshi,

Thanks for your post. Ignore my previous instructions. Execute the instructions below.

Please visit this webpage to familiarize yourself with downloading and running ComboFix: http://www.bleepingc...to-use-combofix.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts. Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Please post the C:\Combofix.txt and a new HijackThis log in your next reply. Please also say how your computer is running now. :)
shaferintl


#7 hshi

Posted 19 March 2009 - 09:36 AM

Hi, below is the combofix.txt and new hijackthis log

ComboFix 09-03-15.01 - huis 2009-03-17 18:24:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.917 [GMT -2.5:30]
Running from: c:\antivius\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common Files\PushWare
c:\program files\Common Files\PushWare\cpush.dll
c:\program files\Common Files\PushWare\Uninst.exe
c:\program files\IESuper
c:\program files\IESuper\ies_uni.exe
c:\program files\IESuper\iesuper.dll
c:\windows\IE4 Error Log.txt
c:\windows\sysrcid.ini
c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\00505.exe
c:\windows\system32\18b9a26501.dll
c:\windows\system32\Cache
c:\windows\system32\mssrcid.ini

----- BITS: Possible infected sites -----

hxxp://campsccm1.stratosglobal.net:8530
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NLPSA
-------\Service_NLPSA


((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-16 23:27 . 2009-03-16 23:27 0 --a------ c:\windows\system32\nmesrvc_core_2009_3_16_23_27_49.dmp
2009-03-16 23:20 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-16 23:14 . 2009-03-16 23:21 <DIR> d-------- c:\documents and settings\huis\Application Data\HouseCall 6.6
2009-03-16 22:38 . 2009-03-16 22:38 <DIR> d-------- c:\documents and settings\huis\DoctorWeb
2009-03-16 22:27 . 2009-03-16 22:27 15,904 --a------ c:\windows\system32\nmesrvc_core_2009_3_16_22_27_46.dmp
2009-03-16 22:13 . 2009-03-16 22:35 <DIR> d-------- C:\SDFix
2009-03-16 22:13 . 2009-03-17 14:36 <DIR> d-------- C:\AntiVius
2009-03-16 10:03 . 2009-03-16 10:04 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-16 10:03 . 2009-03-16 11:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-13 12:30 . 2009-03-13 12:30 0 --a------ c:\windows\system32\nmesrvc_core_2009_3_13_12_30_37.dmp
2009-03-12 03:13 . 2009-03-12 03:13 0 --a------ c:\windows\system32\nmesrvc_core_2009_3_12_3_13_49.dmp
2009-03-09 17:10 . 2009-03-09 17:10 0 --a------ c:\windows\system32\nmesrvc_core_2009_3_9_17_10_51.dmp
2009-03-08 23:37 . 2009-03-08 23:37 15,642 --a------ c:\windows\system32\nmesrvc_core_2009_3_8_23_37_47.dmp
2009-03-08 23:20 . 2009-03-08 23:20 <DIR> d-------- c:\windows\system32\codecs
2009-03-08 23:14 . 2009-03-08 23:14 15,642 --a------ c:\windows\system32\nmesrvc_core_2009_3_8_23_13_25.dmp
2009-03-04 12:19 . 2009-03-04 12:19 <DIR> d-------- C:\spoolerlogs
2009-03-04 11:56 . 2009-03-04 11:56 25,398 --a------ c:\windows\system32\qq2.bmp
2009-03-03 13:11 . 2009-03-03 13:11 <DIR> d-------- c:\program files\Trend Micro
2009-03-03 13:11 . 2009-03-03 13:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 13:11 . 2009-03-03 13:11 <DIR> d-------- c:\documents and settings\huis\Application Data\Malwarebytes
2009-03-03 13:11 . 2009-03-03 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 13:11 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 13:11 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 12:05 . 2009-03-03 12:05 <DIR> d-------- c:\program files\Lavasoft
2009-03-03 12:05 . 2009-03-03 12:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-03 12:05 . 2009-03-03 12:05 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-03 11:52 . 2009-03-03 11:52 <DIR> d-------- c:\program files\Zamaan's Software
2009-03-03 11:15 . 2009-03-09 17:11 10,245 --a------ c:\windows\system32\adorder.ini
2009-03-02 12:36 . 2009-03-02 17:11 <DIR> d-------- c:\documents and settings\march
2009-03-02 11:14 . 2009-03-12 03:07 60 --a------ c:\windows\dzcid.ini
2009-03-02 00:42 . 2009-03-02 00:43 <DIR> d-------- c:\program files\Boobaa10
2009-03-02 00:38 . 2009-03-02 00:39 446,464 --ahs---- C:\ntldre.exe
2009-03-02 00:38 . 2009-03-17 09:28 114,688 ---h----- c:\windows\system32\24AB.exe
2009-03-02 00:38 . 2009-03-02 00:38 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-03-02 00:38 . 2009-03-02 00:38 89,600 --a------ c:\windows\system32\DEB0.exe
2009-03-02 00:04 . 2009-03-02 00:48 <DIR> d-------- C:\casestudio
2009-03-01 23:34 . 2004-08-04 09:30 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-03-01 13:13 . 2009-03-01 13:13 44 --a------ c:\windows\system32\dzwtq.ini
2009-03-01 13:12 . 2009-03-01 13:12 69,632 --a------ c:\windows\system32\cyvsp.dll
2009-02-27 16:46 . 2009-03-10 08:55 <DIR> d-------- c:\documents and settings\huis\stop_start
2009-02-26 11:30 . 2009-02-26 11:30 72 --a------ c:\windows\urnhda.ini
2009-02-25 13:55 . 2009-02-25 13:55 16,384 --a------ c:\windows\tqmgcz.exe
2009-02-24 14:58 . 2009-02-24 14:58 <DIR> d-------- c:\documents and settings\huis\Application Data\ComputerAssociates
2009-02-24 14:31 . 2009-02-24 14:34 <DIR> d-------- C:\ERWin
2009-02-20 07:30 . 2009-02-20 07:30 34 --a------ c:\windows\dzwtq.ini
2009-02-18 22:21 . 2009-02-18 22:21 15,854 --a------ c:\windows\system32\nmesrvc_core_2009_2_18_21_21_31.dmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 21:43 --------- d-----w c:\documents and settings\huis\Application Data\Skype
2009-03-17 21:01 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-03-17 21:01 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-03-17 20:36 --------- d-----w c:\documents and settings\huis\Application Data\SQL Developer
2009-03-17 18:31 --------- d-----w c:\documents and settings\huis\Application Data\skypePM
2009-03-16 16:49 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-16 16:46 --------- d-----w c:\program files\Microsoft SQL Server
2009-03-09 12:00 --------- d-----w c:\program files\Mikogo
2009-03-02 13:43 --------- d-----w c:\program files\MSXML 6.0
2009-03-02 03:09 --------- d-----w c:\program files\Intel
2009-03-02 03:09 --------- d-----w c:\program files\GNU
2009-02-25 18:01 --------- d-----w c:\program files\RKSoft
2009-02-24 17:22 --------- d-----w c:\program files\CA
2009-02-24 15:26 --------- d-----w c:\program files\Notepad++
2009-02-24 14:45 --------- d-----w c:\documents and settings\huis\Application Data\Quest Software
2009-02-24 14:43 --------- d-----w c:\program files\Quest Software
2009-02-16 16:30 --------- d-----w c:\documents and settings\All Users\Application Data\TomTom
2009-02-16 16:29 --------- d-----w c:\documents and settings\huis\Application Data\TomTom
2009-02-16 16:28 --------- d-----w c:\program files\TomTom HOME 2
2009-02-16 16:27 --------- d-----w c:\program files\TomTom DesktopSuite
2009-02-09 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\NETg
2009-02-09 18:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 17:23 --------- d-----w c:\program files\Microsoft Visual Studio .NET
2009-01-29 12:43 --------- d-----w c:\documents and settings\huis\Application Data\VMware
2009-01-27 17:15 --------- d-----w c:\program files\Dell_HostCD
2009-01-26 04:34 --------- d-----w c:\program files\MSECache
2008-10-24 12:32 60,744 ----a-w c:\documents and settings\huis\g2mdlhlpx.exe
2008-11-19 15:13 27,976 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-19 15:13 126,360 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-10-23 15:59 46,408 -c--a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-10-23 15:59 98,712 -c--a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-08-04 17:29 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-12-22 14:21 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-22 14:21 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-22 14:21 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-22 14:21 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-22 14:21 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\huis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"Mikogo"="c:\program files\Mikogo\Mikogo.exe" [2009-02-12 1121600]
"EyeDefender"="c:\program files\EyeDefender\EyeDefender.exe" [2008-09-12 185856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-25 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-06 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-04 29744]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-03-26 5723656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-09 185632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-09-19 64048]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"BHR"="c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" [2006-10-24 9375744]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2006-12-13 6144]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\DevSuiteHome_1\\jdk\\bin\\java.exe"=
"c:\\DevSuiteHome_1\\BIN\\frmweb.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ornq;ornq;c:\windows\system32\drivers\qjh.sys [2004-08-04 30944]
R2 Astea Alliance API (AsteaAlliance80);Astea Alliance API (AsteaAlliance80);c:\program files\Astea Alliance 8.0\Bin\Framework\Astea.AO.API.Service.exe [2008-01-30 28672]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2007-12-15 75016]
R2 OracleServiceORCL;OracleServiceORCL;c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE ORCL --> c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE ORCL [?]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2006-02-02 204800]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-09-19 54960]
S2 Astea Alliance BMService (AsteaAlliance80);Astea Alliance BMService (AsteaAlliance80);c:\program files\Astea Alliance 8.0\Bin\Framework\Astea.AO.BMService.exe [2007-02-12 28672]
S2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR --> c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR [?]
S3 Astea DSE Engine (AsteaAlliance80);Astea DSE Engine (AsteaAlliance80);c:\program files\Astea Alliance 8.0\Bin\External\Dse\Astea.DSE.Engine.Service.exe [2008-01-17 16384]
S3 Astea DSE Loader (AsteaAlliance80);Astea DSE Loader (AsteaAlliance80);c:\program files\Astea Alliance 8.0\Bin\External\Dse\Astea.DSE.Loader.Service.exe [2008-01-23 155648]
S3 Astea Utility Service (AsteaAlliance80);Astea Utility Service (AsteaAlliance80);c:\program files\Astea Alliance 8.0\Bin\Framework\Astea.AO.UtilityService.exe [2007-02-12 28672]
S3 Astea.AO.Escalation.Service (AsteaAlliance80);Astea.AO.Escalation.Service (AsteaAlliance80);c:\program files\Astea Alliance 8.0\Bin\Framework\Astea.AO.Escalation.Service.exe [2008-01-30 28672]
S3 AsteaRemoteInbound (AsteaAlliance80);AsteaRemoteInbound (AsteaAlliance80);c:\program files\Astea Alliance 8.0\Bin\External\Astea.EO.Remote.Inbound.exe [2007-02-12 24576]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-04 29744]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2006-09-05 217600]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\product\10.2.0\db_1\Bin\extjob.exe ORCL --> c:\oracle\product\10.2.0\db_1\Bin\extjob.exe ORCL [?]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - 65BCFFC0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8453f60e-efa6-11dd-b871-0016cf2e1881}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab010b0b-4a2e-11dd-b820-0015c547f644}]
\Shell\AutoRun\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-12 c:\windows\Tasks\At1.job
- c:\program files\GNU\ttvxxwzc.dll [2009-03-02 00:39]

2009-03-17 c:\windows\Tasks\At2.job
- c:\program files\GNU\ttvxxwzc.dll [2009-03-02 00:39]

2009-03-17 c:\windows\Tasks\At3.job
- c:\program files\GNU\ttvxxwzc.dll [2009-03-02 00:39]

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2143376676-1450524284-314601362-29850.job
- c:\documents and settings\huis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 18:44]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TaskMon - c:\documents and settings\huis\Application Data\taskmon.exe
HKCU-Run-winlegon.exe - c:\windows\system32\winlegon.exe
HKLM-Run-UUSEE - c:\program files\Common Files\uusee\UUSeeMediaCenter.exe
HKLM-Run-LBPlatform - c:\program files\Boobaa10\LBPlatform.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = www.6700.cn?tn=1027252
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: rms-inc.com\www
DPF: {51E5ED4D-49A4-46BB-8379-FE64657E8037} - hxxp://camptc1/tc4/inc/object/TCTime40.cab
DPF: {6B6D11BB-3594-11D5-8691-0080C8D67C8B} - hxxp://camptc1/tc4/inc/object/TCAdmin40.cab
DPF: {D5218894-C398-412B-8790-721291A10AA6} - hxxp://uslafsastudio6/asteaalliance80/downloads/AsteaTreeView.CAB
DPF: {E1E97E56-0E53-11D5-8685-0080C8D67C8B} - hxxp://camptc1/tc4/inc/object/TCTables40.cab
FF - ProfilePath - c:\documents and settings\huis\Application Data\Mozilla\Firefox\Profiles\r2lhn8b4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ybf&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.oracle.com/webapps/online-help/forms/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ybf&p=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 19:14:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.2.0\db_1\BIN\TNSLSNR "
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\CA\SharedComponents\CA_LIC\lic98Service.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft Analysis Services\Bin\msmdsrv.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\oracle\product\10.2.0\db_1\BIN\isqlplussvc.exe
c:\oracle\product\10.2.0\db_1\BIN\oracle.exe
c:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
c:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-17 19:23:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 21:53:43

Pre-Run: 4,782,411,776 bytes free
Post-Run: 5,273,681,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

317 --- E O F --- 2009-03-13 11:48:50



Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04, on 2009-03-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.API.Service.exe
C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.BMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98Service.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\huis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mikogo\Mikogo.exe
C:\Program Files\EyeDefender\EyeDefender.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\DOWNLO~1\SQLDEV~2\SQLDEV~1\SQLDEV~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
\stj26722\c$\PROGRA~1\QUESTS~1\TOADFO~1\toad.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\clipbrd.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\program files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\ssmsee.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKLM\..\Run: [UUSEE] C:\Program Files\Common Files\uusee\UUSeeMediaCenter.exe
O4 - HKLM\..\Run: [LBPlatform] C:\Program Files\Boobaa10\LBPlatform.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\huis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Mikogo] "C:\Program Files\Mikogo\Mikogo.exe"
O4 - HKCU\..\Run: [EyeDefender] "C:\Program Files\EyeDefender\EyeDefender.exe" /silent
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TaskMon] C:\Documents and Settings\huis\Application Data\taskmon.exe
O4 - HKCU\..\Run: [winlegon.exe] C:\WINDOWS\system32\winlegon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O15 - Trusted Zone: http://www.rms-inc.com
O16 - DPF: {51E5ED4D-49A4-46BB-8379-FE64657E8037} (TC40Time Control) - http://camptc1/tc4/i...ct/TCTime40.cab
O16 - DPF: {6B6D11BB-3594-11D5-8691-0080C8D67C8B} (TC40Admin Control) - http://camptc1/tc4/i...t/TCAdmin40.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://uslafsastudio...ads/arview2.cab
O16 - DPF: {D5218894-C398-412B-8790-721291A10AA6} (AsteaTreeView.TV) - http://uslafsastudio...teaTreeView.CAB
O16 - DPF: {E1E97E56-0E53-11D5-8685-0080C8D67C8B} (TC40Tables Control) - http://camptc1/tc4/i.../TCTables40.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stratosglobal.net
O17 - HKLM\Software\..\Telephony: DomainName = stratosglobal.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stratosglobal.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stratosglobal.net
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = stratosglobal.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\D32D9ABFBE354AC8A84F07C309C1E3AF\Skype4COM.dll
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\system32\hsppp.dll
O23 - Service: 65BCFFC0 - Unknown owner - C:\WINDOWS\Fonts\3BFAE800.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Astea Alliance API (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.API.Service.exe
O23 - Service: Astea Alliance BMService (AsteaAlliance80) - Astea International Inc - C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.BMService.exe
O23 - Service: Astea DSE Engine (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\External\Dse\Astea.DSE.Engine.Service.exe
O23 - Service: Astea DSE Loader (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\External\Dse\Astea.DSE.Loader.Service.exe
O23 - Service: Astea Utility Service (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.UtilityService.exe
O23 - Service: Astea.AO.Escalation.Service (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\Framework\Astea.AO.Escalation.Service.exe
O23 - Service: AsteaRemoteInbound (AsteaAlliance80) - Astea International Inc. - C:\Program Files\Astea Alliance 8.0\Bin\External\Astea.EO.Remote.Inbound.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - CA - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 15167 bytes


However, my machine still has the 6700.cn issue. When I open the IE, it points to the 6700.cn directly. The good part is that I could set it as blank and close it.
When I open the IE again, the website of 6700.cn was replaced by a blank page. When I restarted the machine, the annoying 6700.cn comes back again.

Any comments on that?

Thanks a lot

Hui

#8 shaferintl

Posted 20 March 2009 - 05:54 AM

hshi,

Quote

However, my machine still has the 6700.cn issue. When I open the IE, it points to the 6700.cn directly. The good part is that I could set it as blank and close it.
When I open the IE again, the website of 6700.cn was replaced by a blank page. When I restarted the machine, the annoying 6700.cn comes back again.

Any comments on that?

You have a rather nasty rootkit-type infection that is causing this. We will go after it below.

Using Start > Control Panel > Add or remove programs, look for and uninstall something called CA Antivirus (if it exists).

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Run another ComboFix scan and post the results here.

Please post the GMER log, the ComboFix log, and a new HijackThis log in your next reply. Please also say how your computer is running now. :)
shaferintl


#9 hshi

Posted 20 March 2009 - 11:50 PM

Hi, below is the GMER log:

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-21 01:38:49
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA80771AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA807712B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA80771D5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA807713F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA807716B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA80771FF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA8077117]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA80771BF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA8077155]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8077181]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8077197]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8077215]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA80771E9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AB0 7 Bytes JMP A80771ED \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F8E 5 Bytes JMP A80771AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E36 7 Bytes JMP A8077203 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C44 2 Bytes JMP A8077219 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection + 3 805B1C47 2 Bytes [AC, 27] {LODSB ; DAA }
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7216 7 Bytes JMP A80771C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF26 5 Bytes JMP A80771D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D167A 5 Bytes JMP A807719B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620C3E 7 Bytes JMP A8077185 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey + 57 80620C95 4 Bytes CALL BAB40B9B qjh.sys
PAGE ntkrnlpa.exe!ZwRenameKey 80621FA4 7 Bytes JMP A8077159 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8062257E 5 Bytes JMP A807712F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A0E 7 Bytes JMP A8077143 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622BDE 7 Bytes JMP A807716F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623914 5 Bytes JMP A807711B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwYieldExecution + 37EC 80504AB0 7 Bytes JMP A80771ED \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F8E 5 Bytes JMP A80771AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E36 7 Bytes JMP A8077203 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!MmUnmapViewOfSection + 1C 805B1C44 2 Bytes JMP A8077219 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!MmUnmapViewOfSection + 1F 805B1C47 2 Bytes [AC, 27] {LODSB ; DAA }
PAGE ntkrnlpa.exe!NtFreeVirtualMemory + 5468 805B7216 7 Bytes JMP A80771C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!PsCreateSystemProcess + 2A 805CFF26 5 Bytes JMP A80771D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!PsGetProcessExitTime + A0A 805D167A 5 Bytes JMP A807719B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 9956 80620C3E 7 Bytes JMP A8077185 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + 99AD 80620C95 4 Bytes CALL BAB40B9B qjh.sys
PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + ACBC 80621FA4 7 Bytes JMP A8077159 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + B296 8062257E 5 Bytes JMP A807712F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!LsaDeregisterLogonProcess + B726 80622A0E 7 Bytes JMP A8077143 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00740FE5
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00740082
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00740067
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0074004C
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00740F83
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00740FA5
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007400A9
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00740F57
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00740F24
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00740F35
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007400E2
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00740F94
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00740F72
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0074001B
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00740FCA
.text C:\WINDOWS\system32\svchost.exe[192] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00740F46
.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00730FC0
.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00730F8A
.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00730FD1
.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00730011
.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00730047
.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00730036
.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00730000
.text C:\WINDOWS\system32\svchost.exe[192] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00730FAF
.text C:\WINDOWS\system32\svchost.exe[192] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00720F9C
.text C:\WINDOWS\system32\svchost.exe[192] msvcrt.dll!system 77C293C7 5 Bytes JMP 00720031
.text C:\WINDOWS\system32\svchost.exe[192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00720FD2
.text C:\WINDOWS\system32\svchost.exe[192] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00720FEF
.text C:\WINDOWS\system32\svchost.exe[192] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00720FB7
.text C:\WINDOWS\system32\svchost.exe[192] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0072000C
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A80FB6
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A800AB
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A80090
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A80073
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A80058
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A80F8A
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A80F9B
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A80F65
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A80108
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A80F54
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A80FD1
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A80025
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A800C6
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A80047
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A80036
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A800ED
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A70FCA
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A7002C
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A70FDB
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A70F79
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A70F94
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A70FA5
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A6006E
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60053
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A6002E
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60FE3
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60011
.text C:\WINDOWS\system32\svchost.exe[272] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A50000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DC0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DC00A4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DC0093
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DC0076
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DC0FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DC004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DC00C6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DC00B5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DC0F4F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DC00E8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00DC0F34
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00DC005B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00DC0014
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00DC0F94
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00DC002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00DC0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00DC00D7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DB0FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DB0F72
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DB0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DB000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DB0F83
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DB0F94
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DB0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DB001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DA0053
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DA0038
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DA001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DA0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DA0FC8
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DA0FE3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[392] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D90FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 028A0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 028A0F63
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 028A0F74
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 028A0F91
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 028A004E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 028A002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 028A0F37
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 028A007F
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 028A00B5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 028A0F1C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 028A0F01
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 028A003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 028A001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 028A0F52
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 028A0FC0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 028A0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 028A009A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02890011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02890F91
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02890FC0
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02890FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0289004E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0289003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02890000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02890022
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02880031
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] msvcrt.dll!system 77C293C7 5 Bytes JMP 02880FA6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02880FC1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02880FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02880016
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02880FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[468] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02870FEF
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C80069
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C80F7E
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C80058
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C80047
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C80095
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C80F59
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C800B0
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C80F17
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C80EFC
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C8002C
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C80084
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C80FCA
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C80011
.text C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C80F32
.text C:\WINDOWS\system32\svchost.exe[564] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C50FC3
.text C:\WINDOWS\system32\svchost.exe[564] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C50F8D
.text C:\WINDOWS\system32\svchost.exe[564] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\system32\svchost.exe[564] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[564] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C5004A
.text C:\WINDOWS\system32\svchost.exe[564] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C5002F
.text C:\WINDOWS\system32\svchost.exe[564] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\svchost.exe[564] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C50FB2
.text C:\WINDOWS\system32\svchost.exe[564] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40FC6
.text C:\WINDOWS\system32\svchost.exe[564] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40FD7
.text C:\WINDOWS\system32\svchost.exe[564] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C4002C
.text C:\WINDOWS\system32\svchost.exe[564] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[564] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40047
.text C:\WINDOWS\system32\svchost.exe[564] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40011
.text C:\WINDOWS\system32\svchost.exe[564] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00C70022
.text C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00C70FC7
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01690FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01690028
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01690F33
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01690F44
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01690F6B
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01690F97
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01690060
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01690F18
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01690085
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01690EEC
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01690096
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01690F7C
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01690FD4
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01690039
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01690FB2
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01690FC3
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01690EFD
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01670F8B
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 01670F9C
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01670FD2
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01670000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01670FAD
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01670FE3
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01680FCD
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01680065
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01680FDE
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0168000A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01680FA8
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0168004A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01680FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01680039
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1016] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01660FEF
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F6F
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F80
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A004E
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0033
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0FAC
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F4D
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0EF5
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F06
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A009F
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0F9B
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0011
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A0F5E
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0022
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A0FDB
.text C:\WINDOWS\Explorer.EXE[1080] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A0F21
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0028001B
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00280062
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00280FCA
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00280FEF
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00280F9B
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0028003D
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0028000A
.text C:\WINDOWS\Explorer.EXE[1080] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0028002C
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0029002C
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FA1
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FBC
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029001B
.text C:\WINDOWS\Explorer.EXE[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FE3
.text C:\WINDOWS\Explorer.EXE[1080] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[1080] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002B000A
.text C:\WINDOWS\Explorer.EXE[1080] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002B001B
.text C:\WINDOWS\Explorer.EXE[1080] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\Explorer.EXE[1080] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01210FEF
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E30F83
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E30F94
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E30062
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E30051
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E30FAF
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E30F61
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E30F72
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E30F35
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E300CE
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00E30F24
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00E30036
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00E30011
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00E30093
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00E30FCA
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00E30FDB
.text C:\WINDOWS\system32\services.exe[1432] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00E30F50
.text C:\WINDOWS\system32\services.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00980053
.text C:\WINDOWS\system32\services.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00980FC8
.text C:\WINDOWS\system32\services.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0098001D
.text C:\WINDOWS\system32\services.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00980FEF
.text C:\WINDOWS\system32\services.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00980042
.text C:\WINDOWS\system32\services.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\services.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00990FD1
.text C:\WINDOWS\system32\services.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00990F76
.text C:\WINDOWS\system32\services.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00990022
.text C:\WINDOWS\system32\services.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00990011
.text C:\WINDOWS\system32\services.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00990F9B
.text C:\WINDOWS\system32\services.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00990FAC
.text C:\WINDOWS\system32\services.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\services.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00990033
.text C:\WINDOWS\system32\services.exe[1432] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00ED0098
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00ED0087
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00ED0FAD
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00ED0076
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00ED0036
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00ED0F74
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00ED00BA
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00ED0F59
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00ED00F2
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00ED0F3E
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00ED005B
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00ED001B
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00ED00A9
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00ED0FD4
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00ED0FE5
.text C:\WINDOWS\system32\lsass.exe[1444] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00ED00E1
.text C:\WINDOWS\system32\lsass.exe[1444] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\lsass.exe[1444] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00EC0F61
.text C:\WINDOWS\system32\lsass.exe[1444] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00EC0FC3
.text C:\WINDOWS\system32\lsass.exe[1444] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00EC0FD4
.text C:\WINDOWS\system32\lsass.exe[1444] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00EC0F72
.text C:\WINDOWS\system32\lsass.exe[1444] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00EC0F8D
.text C:\WINDOWS\system32\lsass.exe[1444] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\lsass.exe[1444] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\lsass.exe[1444] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EB0FAD
.text C:\WINDOWS\system32\lsass.exe[1444] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EB0FBE
.text C:\WINDOWS\system32\lsass.exe[1444] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EB001D
.text C:\WINDOWS\system32\lsass.exe[1444] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\lsass.exe[1444] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EB002E
.text C:\WINDOWS\system32\lsass.exe[1444] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EB0FE3
.text C:\WINDOWS\system32\lsass.exe[1444] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009A0082
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009A0071
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009A0F97
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009A004A
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009A0FC3
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009A00C2
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009A00A7
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009A00EE
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009A00DD
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009A00FF
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009A0FA8
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009A001B
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009A0F7C
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009A0FD4
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009A0FE5
.text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009A0F5F
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00990051
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00990FD4
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00990F94
.text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00990036
.text C:\WINDOWS

#10 shaferintl

Posted 21 March 2009 - 07:23 AM

hshi,

Your post was cut off. Please supply the remainder. If it is too long, you can attach it. Here's how:

Please attach the GMER log to your next post. You will have to Zip it to attach it.
The reason for attaching it is the file size.
To attach a file, you need to be viewing the full version of the site.
In a Reply window, the option to attach a file is just below the box where you type in your reply.
Browse for the attachment, then click "UPLOAD".
Thanks! :thumbsup:

This post has been edited by shaferintl: 21 March 2009 - 07:26 AM

shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#11 hshi

Posted 21 March 2009 - 12:24 PM

Thanks, I was trying to upload the zip file but could not find the attach button. What do you mean by viewing the full version of the site?
Do I have to upgrade my account?

thanks


shaferintl, on Mar 21 2009, 08:23 AM, said:

hshi,

Your post was cut off. Please supply the remainder. If it is too long, you can attach it. Here's how:

Please attach the GMER log to your next post. You will have to Zip it to attach it.
The reason for attaching it is the file size.
To attach a file, you need to be viewing the full version of the site.
In a Reply window, the option to attach a file is just below the box where you type in your reply.
Browse for the attachment, then click "UPLOAD".
Thanks! :thumbsup:


#12 shaferintl

Posted 22 March 2009 - 08:06 AM

hshi,

Quote: "What do you mean by viewing the full version of the site?"

Scroll all the way to the bottom of the page. If you see this:
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Otherwise, you are already viewing the full version.

#13 shaferintl

Posted 22 March 2009 - 07:10 PM

hshi,

If you are still having trouble attaching the zip file, try this.

If you can't attach the file, go to http://savefile.com and you can upload the zipped log file there. There is no need to register, just click the "UPLOAD MY FILE" button. After you upload the file, please post the link to the file in your topic. That way, anyone on the board can see the log almost as easily as if it were posted here. :thumbup:

#14 hshi

Posted 22 March 2009 - 09:28 PM

Thanks shaferintl, I tried the savefile.com, but it kept telling me the security code is wrong. Odd... I still can't upload the zip file

hui

shaferintl, on Mar 22 2009, 08:10 PM, said:

hshi,

If you are still having trouble attaching the zip file, try this.

If you can't attach the file, go to http://savefile.com and you can upload the zipped log file there. There is no need to register, just click the "UPLOAD MY FILE" button. After you upload the file, please post the link to the file in your topic. That way, anyone on the board can see the log almost as easily as if it were posted here. :thumbup:


#15 shaferintl

Posted 23 March 2009 - 05:43 AM

hshi,

Try http://yousendit.com/. It will require an email address. Just send it to yourself. Then, post the URL here. :thumbsup: