rstev3

  1. Mieke -- Wonderful. Thank you again for all your help! -- Bob
  2. OK, that was completed. Things look good, but how can we tell if we're finished?
  3. Mieke, Yes, I completed those steps. Here is the new result:

     SystemLook v1.0 by jpshortstuff (29.08.09)
     Log created at 10:26 on 30/11/2009 by Bob (Administrator - Elevation successful)

     ========== filefind ==========

     Searching for "*iastor.sys*"
     C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [21:43 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
     C:\i386\iaStor.sys --a--c 246784 bytes [16:32 01/07/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
     C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [22:02 22/06/2007] [11:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
     C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
     C:\WINDOWS\iastor.sys --a--- 246784 bytes [20:44 29/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
     C:\WINDOWS\system32\drivers\iastor.sys --a--- 246784 bytes [09:32 30/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
     C:\WINDOWS\system32\drivers\iaStor.sys.bad --a--- 246784 bytes [21:43 22/06/2007] [10:59 06/07/2006] 40B0DDEC8AA55004C92A20A20C03C410
     C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A

     -=End Of File=-
  4. OK, the Hiren site was back up today. I completed all the steps...what's next?
  5. The Hiren download site seems to be down, unless I have an issue at this end. I thought I had a boot CD around here from a previous adventure but I can't find it. Is there another site to try?
  6. The Recovery Console was installed during the first ComboFix process.

     SystemLook v1.0 by jpshortstuff (29.08.09)
     Log created at 15:51 on 29/11/2009 by Bob (Administrator - Elevation successful)

     ========== filefind ==========

     Searching for "*iastor.sys*"
     C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [21:43 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
     C:\i386\iaStor.sys --a--c 246784 bytes [16:32 01/07/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
     C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [22:02 22/06/2007] [11:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
     C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
     C:\WINDOWS\iastor.sys --a--- 246784 bytes [20:44 29/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
     C:\WINDOWS\system32\drivers\iaStor.sys --a--- 246784 bytes [21:43 22/06/2007] [10:59 06/07/2006] D042881CC82E83708C647E51FB19A2B7
     C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A

     -=End Of File=-
  7. Mieke -- I was a bit nervous because it hung while booting the first time. Second attempt worked normally though.

     Logfile of The Avenger version 1, by Swandog46
     Running from registry key:
     \Registry\Machine\System\CurrentControlSet\Services\utppfafc

     *******************

     Script file located at: \??\C:\WINDOWS\system32\wwabownd.txt
     Script file opened successfully.
     Script file read successfully
     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     File c:\windows\system32\calc.dll deleted successfully.

     Completed script processing.

     *******************

     Finished! Terminate.

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com

     Platform: Windows XP

     *******************

     Script file opened successfully.
     Script file read successfully.

     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Rootkit scan active.
     No rootkits found!

     Error: could not move file "C:\drivers\storage\R130118\iastor.sys"
     File move operation "C:\drivers\storage\R130118\iastor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!
     Status: 0xc0000022 (STATUS_ACCESS_DENIED)

     Completed script processing.

     *******************

     Finished! Terminate.
  8. SystemLook v1.0 by jpshortstuff (29.08.09)
     Log created at 14:23 on 29/11/2009 by Bob (Administrator - Elevation successful)

     ========== filefind ==========

     Searching for "*iastor.sys*"
     C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [21:43 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
     C:\i386\iaStor.sys --a--c 246784 bytes [16:32 01/07/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
     C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [22:02 22/06/2007] [11:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
     C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
     C:\WINDOWS\system32\drivers\iaStor.sys --a--- 246784 bytes [21:43 22/06/2007] [10:59 06/07/2006] D042881CC82E83708C647E51FB19A2B7
     C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A

     -=End Of File=-
  9. Mieke, Here it is with McAfee uninstalled. It doesn't look any different to me. What is catchme.sys? Bob

     ComboFix 09-11-28.04 - Bob 11/29/2009 12:11.5.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.649 [GMT -5:00]
     Running from: c:\documents and settings\Bob\My Documents\Downloads\ComboFix.exe
     .

     ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
     .

     2009-11-28 17:36 . 2009-11-28 17:36 -------- d-----w- c:\program files\QuickTime
     2009-11-28 17:22 . 2008-04-25 01:05 33088 ----a-w- c:\documents and settings\Bob\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
     2009-11-28 17:13 . 2009-11-28 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
     2009-11-28 16:53 . 2009-11-28 16:52 411368 ----a-w- c:\windows\system32\deploytk.dll
     2009-11-28 16:52 . 2009-11-28 16:52 152576 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
     2009-11-28 16:51 . 2009-11-28 16:51 79488 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
     2009-11-27 22:06 . 2009-11-28 03:33 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\wlrmac
     2009-11-25 02:50 . 2009-11-25 02:50 -------- d-sh--w- c:\documents and settings\Visitor\IECompatCache
     2009-11-24 22:24 . 2009-11-24 22:24 130 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\fusioncache.dat
     2009-11-24 22:24 . 2009-11-24 22:24 -------- d-----w- c:\documents and settings\Visitor\Application Data\Malwarebytes
     2009-11-24 21:39 . 2009-11-24 22:17 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\mwrsno
     2009-11-23 03:24 . 2009-11-23 03:24 -------- d-----w- c:\program files\Trend Micro
     2009-11-22 05:46 . 2009-11-22 05:46 -------- d-----w- C:\2955debf4329043d5977
     2009-11-22 05:46 . 2009-11-29 16:40 -------- d-----w- c:\program files\MS Malicious SW Remover
     2009-11-12 13:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-11-12 13:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-11-12 13:16 . 2009-11-12 13:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-11-12 01:45 . 2009-11-12 13:54 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\esddko
     2009-11-08 21:38 . 2009-11-08 21:38 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Mozilla
     2009-11-08 16:43 . 2009-11-08 16:43 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Yahoo
     2009-11-06 02:16 . 2009-11-06 02:16 73728 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
     2009-11-05 14:09 . 2009-11-05 14:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
     2009-10-31 17:11 . 2009-10-31 17:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
     .

     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .

     2009-11-29 16:57 . 2009-10-22 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
     2009-11-29 16:56 . 2009-10-22 18:21 -------- d-----w- c:\program files\McAfee
     2009-11-29 13:59 . 2009-02-02 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
     2009-11-28 17:31 . 2008-07-14 23:49 -------- d-----w- c:\program files\Safari
     2009-11-28 16:52 . 2007-06-22 21:58 -------- d-----w- c:\program files\Java
     2009-11-27 20:31 . 2007-07-01 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
     2009-11-27 20:31 . 2007-07-01 15:05 -------- d-----w- c:\program files\Viewpoint
     2009-11-15 00:45 . 2008-07-17 11:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2009-11-12 02:30 . 2007-06-22 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
     2009-11-11 18:17 . 2007-07-04 15:22 -------- d-----w- c:\program files\Activision Value
     2009-11-11 18:17 . 2007-06-22 22:02 -------- d--h--w- c:\program files\InstallShield Installation Information
     2009-11-11 18:14 . 2009-07-20 15:28 -------- d-----w- c:\program files\Coupons
     2009-11-08 22:54 . 2007-07-01 16:25 35240 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-11-07 17:38 . 2009-07-03 13:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
     2009-11-04 21:54 . 2009-10-22 18:21 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
     2009-11-04 21:54 . 2009-10-22 18:21 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
     2009-11-04 21:54 . 2009-10-22 18:21 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
     2009-11-04 21:54 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
     2009-10-22 18:25 . 2009-10-22 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
     2009-10-22 15:36 . 2007-08-11 03:26 -------- d-----w- c:\documents and settings\Bob\Application Data\Apple Computer
     2009-10-22 00:50 . 2009-10-22 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
     2009-10-21 15:58 . 2009-10-21 15:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan
     2009-10-21 15:58 . 2009-10-21 15:58 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon
     2009-10-16 01:36 . 2009-10-13 19:01 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon Easy-WebPrint EX
     2009-10-13 19:54 . 2009-10-13 18:53 -------- d-----w- c:\program files\Canon
     2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
     2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\program files\CanonBJ
     2009-10-13 19:00 . 2009-10-13 19:00 -------- d-----w- c:\program files\Common Files\CANON
     2009-09-04 21:03 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\msasn1.dll
     .

     ((((((((((((((((((((((((((((( SnapShot@2009-11-28_22.06.52 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2009-11-29 17:02 . 2009-11-29 17:02 16384 c:\windows\temp\Perflib_Perfdata_6b0.dat
     - 2009-11-27 22:26 . 2009-11-28 21:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2009-11-27 22:26 . 2009-11-29 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2007-07-01 02:10 . 2009-11-29 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2007-07-01 02:10 . 2009-11-28 21:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2009-11-27 22:26 . 2009-11-29 17:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
     - 2009-11-27 22:26 . 2009-11-28 21:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
     - 2009-05-04 07:22 . 2009-11-28 21:04 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
     + 2009-05-04 07:22 . 2009-11-29 17:02 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
     .

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "easylinkadvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
     "dellsupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
     "iaanotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
     "hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
     "dmxlauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
     "dla"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
     "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
     "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
     "applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
     "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

     c:\documents and settings\Visitor\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

     c:\documents and settings\Bob\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-22 24576]
     Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
     backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "MSK80Service"=2 (0x2)
     "MpfService"=2 (0x2)
     "McShield"=2 (0x2)
     "McProxy"=2 (0x2)
     "McODS"=3 (0x3)
     "McNASvc"=2 (0x2)
     "mcmscsvc"=2 (0x2)
     "McAfee SiteAdvisor Service"=2 (0x2)
     "MBackMonitor"=3 (0x3)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
     "c:\\Program Files\\Easy PC Transfer\\mDNSResponder.exe"=
     "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktop.exe"=
     "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktopCore.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16E.tmp --> c:\windows\system32\16E.tmp [?]
     .
     Contents of the 'Scheduled Tasks' folder

     2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

     2009-11-29 c:\windows\Tasks\Google Software Updater.job
     - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 23:32]

     2009-11-29 c:\windows\Tasks\User_Feed_Synchronization-{734BD70F-F5F2-4B79-A903-9BE24F998783}.job
     - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
     .
     .
     ------- Supplementary Scan -------
     .
     mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
     uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070622
     uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
     Trusted Zone: internet
     Trusted Zone: mcafee.com
     FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\iwbl11w4.default\
     FF - prefs.js: network.proxy.type - 4
     FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
     FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
     FF - plugin: c:\program files\kSolo\npAVX.dll
     FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

     ---- FIREFOX POLICIES ----
     FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
     .
     - - - - ORPHANS REMOVED - - - -

     SafeBoot-mcmscsvc
     SafeBoot-MCODS

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-11-29 12:28
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

     device: opened successfully
     user: MBR read successfully
     called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8712B618]<<
     kernel: MBR read successfully
     detected MBR rootkit hooks:
     \Driver\Disk -> CLASSPNP.SYS @ 0xf7534f28
     \Driver\ACPI -> ACPI.sys @ 0xf73c7cb8
     \Driver\iaStor -> iaStor.sys @ 0xf72e2f80
     IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
     \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
     NDIS: Intel® 82562V 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf71c3bb0
     PacketIndicateHandler -> NDIS.sys @ 0xf71b2a0d
     SendHandler -> NDIS.sys @ 0xf71c6b40
     user & kernel MBR OK

     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\controlset003\Services\MEMSWEEP2]
     "ImagePath"="\??\c:\windows\system32\16E.tmp"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(664)
     c:\windows\system32\WININET.dll

     - - - - - - - > 'lsass.exe'(728)
     c:\windows\system32\WININET.dll

     - - - - - - - > 'explorer.exe'(3648)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2009-11-29 12:33
     ComboFix-quarantined-files.txt 2009-11-29 17:33
     ComboFix2.txt 2009-11-29 15:35
     ComboFix3.txt 2009-11-28 22:12

     Pre-Run: 104,840,798,208 bytes free
     Post-Run: 104,781,590,528 bytes free

     Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
     - - End Of File - - 85FC113E5A8494B2E06BA6C192FEE56B
  10. ComboFix 09-11-28.01 - Bob 11/28/2009 16:52.3.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.351 [GMT -5:00]
     Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
     AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
     FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
     .

     ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
     .

     2009-11-28 17:36 . 2009-11-28 17:36 -------- d-----w- c:\program files\QuickTime
     2009-11-28 17:22 . 2008-04-25 01:05 33088 ----a-w- c:\documents and settings\Bob\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
     2009-11-28 17:13 . 2009-11-28 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
     2009-11-28 17:13 . 2009-11-28 17:13 -------- d-----w- c:\program files\McAfee Security Scan
     2009-11-28 16:53 . 2009-11-28 16:52 411368 ----a-w- c:\windows\system32\deploytk.dll
     2009-11-28 16:52 . 2009-11-28 16:52 152576 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
     2009-11-28 16:51 . 2009-11-28 16:51 79488 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
     2009-11-27 22:06 . 2009-11-28 03:33 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\wlrmac
     2009-11-27 21:07 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
     2009-11-27 21:07 . 2009-11-27 21:07 -------- d-----w- c:\program files\Common Files\McAfee
     2009-11-27 21:07 . 2009-11-27 21:07 -------- d-----w- c:\program files\McAfee.com
     2009-11-25 02:50 . 2009-11-25 02:50 -------- d-sh--w- c:\documents and settings\Visitor\IECompatCache
     2009-11-24 22:24 . 2009-11-24 22:24 130 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\fusioncache.dat
     2009-11-24 22:24 . 2009-11-24 22:24 -------- d-----w- c:\documents and settings\Visitor\Application Data\Malwarebytes
     2009-11-24 21:39 . 2009-11-24 22:17 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\mwrsno
     2009-11-23 03:24 . 2009-11-23 03:24 -------- d-----w- c:\program files\Trend Micro
     2009-11-22 05:46 . 2009-11-22 05:46 -------- d-----w- C:\2955debf4329043d5977
     2009-11-22 05:46 . 2009-11-28 20:56 -------- d-----w- c:\program files\MS Malicious SW Remover
     2009-11-12 13:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-11-12 13:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-11-12 13:16 . 2009-11-12 13:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-11-12 01:45 . 2009-11-12 13:54 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\esddko
     2009-11-08 21:38 . 2009-11-08 21:38 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Mozilla
     2009-11-08 16:43 . 2009-11-08 16:43 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Yahoo
     2009-11-06 02:16 . 2009-11-06 02:16 73728 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
     2009-11-05 14:09 . 2009-11-05 14:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
     2009-10-31 17:11 . 2009-10-31 17:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
     .

     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .

     2009-11-28 17:31 . 2008-07-14 23:49 -------- d-----w- c:\program files\Safari
     2009-11-28 16:52 . 2007-06-22 21:58 -------- d-----w- c:\program files\Java
     2009-11-28 04:14 . 2009-02-02 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
     2009-11-28 02:26 . 2009-10-22 18:21 -------- d-----w- c:\program files\McAfee
     2009-11-27 21:18 . 2009-10-22 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
     2009-11-27 20:31 . 2007-07-01 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
     2009-11-27 20:31 . 2007-07-01 15:05 -------- d-----w- c:\program files\Viewpoint
     2009-11-15 00:45 . 2008-07-17 11:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2009-11-12 02:30 . 2007-06-22 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
     2009-11-11 18:17 . 2007-07-04 15:22 -------- d-----w- c:\program files\Activision Value
     2009-11-11 18:17 . 2007-06-22 22:02 -------- d--h--w- c:\program files\InstallShield Installation Information
     2009-11-11 18:14 . 2009-07-20 15:28 -------- d-----w- c:\program files\Coupons
     2009-11-08 22:54 . 2007-07-01 16:25 35240 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-11-07 17:38 . 2009-07-03 13:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
     2009-11-04 21:54 . 2009-10-22 18:21 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
     2009-11-04 21:54 . 2009-10-22 18:21 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
     2009-11-04 21:54 . 2009-10-22 18:21 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
     2009-11-04 21:54 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
     2009-10-22 18:25 . 2009-10-22 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
     2009-10-22 15:36 . 2007-08-11 03:26 -------- d-----w- c:\documents and settings\Bob\Application Data\Apple Computer
     2009-10-22 00:50 . 2009-10-22 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
     2009-10-21 15:58 . 2009-10-21 15:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan
     2009-10-21 15:58 . 2009-10-21 15:58 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon
     2009-10-16 01:36 . 2009-10-13 19:01 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon Easy-WebPrint EX
     2009-10-13 19:54 . 2009-10-13 18:53 -------- d-----w- c:\program files\Canon
     2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
     2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\program files\CanonBJ
     2009-10-13 19:00 . 2009-10-13 19:00 -------- d-----w- c:\program files\Common Files\CANON
     2009-09-04 21:03 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\msasn1.dll
     .

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "easylinkadvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
     "dellsupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
     "iaanotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
     "hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
     "dmxlauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
     "dla"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
     "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
     "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
     "applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

     c:\documents and settings\Visitor\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

     c:\documents and settings\Bob\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-22 24576]
     Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
     @=""

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
     @=""

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
     backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
     "c:\\Program Files\\Easy PC Transfer\\mDNSResponder.exe"=
     "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktop.exe"=
     "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktopCore.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

     R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/27/2009 4:09 PM 203280]
     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16E.tmp --> c:\windows\system32\16E.tmp [?]
     .
     Contents of the 'Scheduled Tasks' folder

     2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

     2009-11-28 c:\windows\Tasks\Google Software Updater.job
     - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 23:32]

     2009-11-27 c:\windows\Tasks\McDefragTask.job
     - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-27 17:22]

     2009-11-27 c:\windows\Tasks\McQcTask.job
     - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-27 17:22]

     2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{734BD70F-F5F2-4B79-A903-9BE24F998783}.job
     - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
     .
     .
     ------- Supplementary Scan -------
     .
     mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
     uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070622
     uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
     Trusted Zone: internet
     Trusted Zone: mcafee.com
     FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\iwbl11w4.default\
     FF - prefs.js: network.proxy.type - 4
     FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
     FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
     FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
     FF - plugin: c:\program files\kSolo\npAVX.dll
     FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

     ---- FIREFOX POLICIES ----
     FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
     c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
     .

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-11-28 17:06
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

     device: opened successfully
     user: MBR read successfully
     called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x87125618]<<
     kernel: MBR read successfully
     detected MBR rootkit hooks:
     \Driver\Disk -> CLASSPNP.SYS @ 0xf7534f28
     \Driver\ACPI -> ACPI.sys @ 0xf73c7cb8
     \Driver\iaStor -> iaStor.sys @ 0xf72e2f80
     IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
     \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
     NDIS: Intel® 82562V 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf71c3bb0
     PacketIndicateHandler -> NDIS.sys @ 0xf71b2a0d
     SendHandler -> NDIS.sys @ 0xf71c6b40
     user & kernel MBR OK

     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\controlset003\Services\MEMSWEEP2]
     "ImagePath"="\??\c:\windows\system32\16E.tmp"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(684)
     c:\windows\system32\WININET.dll

     - - - - - - - > 'lsass.exe'(748)
     c:\windows\system32\WININET.dll

     - - - - - - - > 'explorer.exe'(1544)
     c:\windows\system32\WININET.dll
     c:\program files\McAfee\SiteAdvisor\saHook.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2009-11-28 17:11
     ComboFix-quarantined-files.txt 2009-11-28 22:11

     Pre-Run: 104,548,184,064 bytes free
     Post-Run: 104,649,621,504 bytes free

     Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
     - - End Of File - - F8D463013893ED65C2B836F085182D06
  11. Hmm...I was having trouble. I cannot locate the file using Firefox and the download was being prevented by a virus check using IE. Finally worked. I'll get back shortly.
  12. I took care of that yesterday. IE and Firefox start OK but I'm getting some search redirects again. Here are recent HJT and GMER files. McAfee was reinstalled yesterday...didn't have another AV active. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:47:29 PM, on 11/28/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Canon\MyPrinter\BJMyPrt.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe C:\Program Files\Dell Support\DSAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe C:\Program 
Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\WINDOWS\system32\msiexec.exe C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe C:\WINDOWS\system32\MsiExec.exe C:\WINDOWS\system32\MsiExec.exe C:\Program Files\iTunes\iTunes.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070622 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s O2 - BHO: (no name) - AutorunsDisabled - (no file) O2 - BHO: &Yahoo! 
Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [iaanotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dmxlauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [applesyncnotifier] C:\Program Files\Common 
Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKCU\..\Run: [easylinkadvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup O4 - HKCU\..\Run: [dellsupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: McAfee Security Scan.lnk = ? O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Yahoo! 
Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O15 - Trusted Zone: http://*.mcafee.com O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.toontown.com/sv1.0.38.38/ttinst.cab O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. 
- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 10043 bytes GMER 1.0.15.15252 - http://www.gmer.net Rootkit scan 2009-11-28 15:36:20 Windows 5.1.2600 Service Pack 3 Running: Nov22gmer1.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\pwliapod.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA5B5F78A] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA5B5F821] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA5B5F738] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA5B5F74C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA5B5F835] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA5B5F861] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA5B5F8CF] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA5B5F8B9] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA5B5F7CA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA5B5F8FB] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA5B5F80D] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA5B5F710] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
ZwOpenThread [0xA5B5F724] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA5B5F79E] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA5B5F937] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA5B5F8A3] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA5B5F88D] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA5B5F84B] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA5B5F923] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA5B5F90F] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA5B5F776] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA5B5F762] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA5B5F877] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA5B5F7F9] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA5B5F8E5] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA5B5F7E0] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA5B5F7B4] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A5B5F7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A5B5F78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A5B5F7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A5B5F7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A5B5F7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A5B5F714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A5B5F728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A5B5F766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A5B5F750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A5B5F73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A5B5F77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A5B5F7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP A5B5F891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A5B5F87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP A5B5F8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP A5B5F8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A5B5F84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP A5B5F825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A5B5F839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A5B5F865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP A5B5F8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP A5B5F8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A5B5F811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP A5B5F93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP A5B5F913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP A5B5F927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP A5B5F8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ---- User code sections - GMER 1.0.15 ---- .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[380] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) 
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00050000 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00050F6D .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0005006C .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0005005B .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00050F9E .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00050FD4 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0005009A .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00050F52 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000500C6 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00050F2D .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00050F12 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00050FAF .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00050FEF .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0005007D .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00050040 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00050025 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000500B5 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00040014 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0004004D .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExA 
77DD7852 5 Bytes JMP 00040FC3 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00040FD4 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00040F86 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00040FEF .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00040F97 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [24, 88] {AND AL, 0x88} .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00040FA8 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0FD9 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0064 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0038 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0000 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0053 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE001D .text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00060FE5 .text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0006000A .text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00060FD4 .text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00060FC3 .text C:\WINDOWS\system32\services.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00070FE5 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60000 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E60F92 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E6007D 
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E6006C .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60FB9 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E60047 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E600C9 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E60F81 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E600FF .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E600E4 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E60F4B .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E60FCA .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E60FE5 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E600AC .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E60036 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E60025 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E60F66 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90FB9 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90F8A .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D9000A .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FD4 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90051 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF .text 
C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D90040 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D90025 .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0116006B .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!system 77C293C7 5 Bytes JMP 01160050 .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0116002E .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01160000 .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0116003F .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0116001D .text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01150FEF .text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0000 .text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF0FE5 .text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0011 .text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0022 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02600000 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02600058 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0260003D .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0260002C .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02600011 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02600F8A .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02600F10 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 
Bytes JMP 02600F2D .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02600EDA .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02600EEB .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0260008E .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02600F6F .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02600FE5 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02600F48 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02600FAF .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02600FCA .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02600069 .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025D0FC3 .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025D005B .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025D0FDE .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025D0014 .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025D0F9E .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025D0FEF .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 025D0040 .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025D002F .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02630FBC .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 0263003D .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02630011 .text 
C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02630FEF .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0263002C .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02630000 .text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02610000 .text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0261001B .text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02610FE5 .text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02610040 .text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02620FE5 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0078 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F83 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F94 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0051 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FAF .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F4B .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0093 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00BF .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00A4 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F15 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0036 .text 
C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0000 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F68 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FC0 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0011 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F30 .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FA0FC0 .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FA0F80 .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FA001B .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FA0FEF .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FA0047 .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FA000A .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FA002C .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FA0FA5 .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD003D .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD002C .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0FC6 .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD001B .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0000 .text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FB000A .text C:\WINDOWS\system32\svchost.exe[1104] 
WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FB0FEF .text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FB002F .text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FB0FD4 .text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0000 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03750000 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03750F7C .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03750F97 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03750FA8 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03750065 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03750FC3 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03750F44 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0375008C .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 037500C2 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037500A7 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 037500DD .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0375004A .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0375001B .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03750F6B .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03750FD4 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03750FE5 .text 
C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03750F29 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03740F94 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03740025 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03740FB9 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03740FCA .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03740F68 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03740FEF .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03740F83 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [94, 8B] .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03740000 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03730064 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 03730049 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03730027 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03730000 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03730038 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03730FE3 .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03710FE5 .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03710FD4 .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03710000 .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03710011 .text 
C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03720000 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00970000 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009700AC .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0097009B .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00970080 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00970FC3 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00970051 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00970F70 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00970F81 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00970F3D .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00970F4E .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00970F2C .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00970FD4 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0097001B .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00970F9C .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00970FEF .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00970040 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00970F5F .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960FD4 .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes 
JMP 00960F7C .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00960FE5 .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0096001B .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00960F8D .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0096000A .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00960FA8 .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [b6, 88] {MOV DH, 0x88} .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00960FB9 .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00950FC3 .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!system 77C293C7 5 Bytes JMP 0095004E .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00950FEF .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0095000C .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00950FDE .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00950029 .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00940FEF .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00940FDE .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00940FC3 .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00940014 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10FE5 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B10089 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B1006E 
.text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10051 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10040 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10FA8 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10F4D .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F5E .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10F17 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B10F32 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B100CB .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B1002F .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B10FD4 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B10F79 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B10FB9 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B1000A .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B100B0 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B00FB9 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B0004A .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B00FCA .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B00FE5 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B00025 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyA 
77DDEFC8 5 Bytes JMP 00B00000 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B00F8D .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D0, 88] .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B00F9E .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0053 .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0038 .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF001D .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0000 .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0FD2 .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0FE3 .text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00AD0FE5 .text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00AD0FD4 .text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00AD0FB9 .text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00AD000A .text C:\WINDOWS\system32\svchost.exe[1364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE0000 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F86 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F97 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10065 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D1004A .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FBC .text 
C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100BD .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D100A2 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F49 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F5A .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10F38 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10039 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D1000A .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F75 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FCD .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FDE .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D100CE .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00FB9 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00F83 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00000 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D00FCA .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00040 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00FEF .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D00025 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00F9E .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 
00CF0070 .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF005F .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0029 .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0FEF .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF004E .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0018 .text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CD000A .text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CD0FEF .text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CD0025 .text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CD0036 .text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE0FEF .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FE5 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F5E .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E8005D .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80036 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80F79 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80F9E .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E8007A .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F32 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80F06 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80F17 .text 
C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E800BA .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80025 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80FD4 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9] .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E80F43 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80014 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80FC3 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E80095 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FB9 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C4006F .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C4000A .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40FD4 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40FA8 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40FE5 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C4004A .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C4002F .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30F81 .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30F9C .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FC1 .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FEF .text 
C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C3000C .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30FDE .text C:\WINDOWS\system32\svchost.exe[1724] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C1000A .text C:\WINDOWS\system32\svchost.exe[1724] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C10FEF .text C:\WINDOWS\system32\svchost.exe[1724] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C1001B .text C:\WINDOWS\system32\svchost.exe[1724] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C10FCA .text C:\WINDOWS\system32\svchost.exe[1724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20000 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D9000A .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90091 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90FA6 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90080 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D9006F .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90FC3 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F6E .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D900B6 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F5D .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D900F6 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90107 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D9004A .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90025 
.text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90F8B .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90FD4 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FEF .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D900D1 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80FE5 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80FB2 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80036 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80025 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80FC3 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D8000A .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80065 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FD4 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70FA6 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FB7 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FD2 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FEF .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70027 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D7000C .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D60FEF .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D60FD4 .text 
C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D60FAF
.text C:\WINDOWS\system32\SearchIndexer.exe[2200] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00ED1B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E5000A
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E50F94
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E50093
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50076
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50FB9
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E50036
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E500AE
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E50F66
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E500E4
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E50F41
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E50F30
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E50051
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E5001B
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E50F83
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E50FD4
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E500BF
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FDE
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40054
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E4002F
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E4000A
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F97
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40FA8
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40FC3
.text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E3003F
.text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30FBE
.text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30FD9
.text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30000
.text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E3002E
.text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E3001D
.text C:\WINDOWS\Explorer.EXE[2532] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\Explorer.EXE[2532] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E10FD4
.text C:\WINDOWS\Explorer.EXE[2532] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E1000A
.text C:\WINDOWS\Explorer.EXE[2532] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E1001B
.text C:\WINDOWS\Explorer.EXE[2532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E2000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \FileSystem\Fastfat \Fat 9BBD4D20
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 87129618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSliqh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfuu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSljwp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
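The GMER output in the post above arrives as a flat run of records because the forum collapsed its line breaks, which makes it hard to see at a glance which processes are hooked, which hooks GMER could attribute to a module and which it could not, and what the TDSSserv.sys service actually points at. The following Python script is an added example written for this page; it is not GMER's code and not part of the thread. It parses the three record layouts shown in the log (user-mode hook, Reg, File), tolerating both one-record-per-line and flattened input, groups hooks by process, separates JMP trampolines with no owning module from ones GMER attributed to a file (mssrch.dll under SearchIndexer.exe), folds the Services\TDSSserv.sys records into one view and lists the flagged files. The record layouts are assumptions inferred from the entries on this page, and the embedded sample is constructed from a handful of them.

```python
"""Summarise a GMER log (hooks, registry, files), even when a forum paste has
flattened it onto a few long lines. Added example; not GMER's own code.
Record layouts are assumptions taken from the log entries on this page."""
import json
import re
import sys
from collections import defaultdict

# User-mode hook record as GMER prints it (assumed layout):
#   .text <image>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP <target>[ <owner> (<vendor>)]
#   .text <image>[<pid>] <module>!<export> + 3 <addr> 2 Bytes [94, 8B]      <- raw patched bytes
HOOK_RE = re.compile(
    r"\.text\s+(?P<proc>[A-Za-z]:\\[^\[\s]+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<api>\S+?)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})|\[(?P<bytes>[^\]]+)\])"
    r"(?:\s+(?P<owner>[A-Za-z]:\\\S+)\s+\((?P<vendor>[^)]*)\))?"
)
# Registry record: Reg <key>[@<value>] <data>; data runs to the next record or section marker.
REG_RE = re.compile(
    r"\bReg\s+(?P<key>HK[^\s@]+)(?:@(?P<value>\S*))?\s*(?P<data>.*?)"
    r"(?=\s+Reg\s+HK|\s*----|\s*$)", re.S)
# File record: File <path> <note>
FILE_RE = re.compile(
    r"\bFile\s+(?P<path>[A-Za-z]:\\\S+)\s+(?P<note>.*?)(?=\s+File\s+[A-Za-z]:|\s*----|\s*$)", re.S)

# Constructed sample: records copied from the log above, joined the way the
# forum flattened them (one long line, records separated by single spaces).
SAMPLE_LOG = " ".join([
    r".text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02600EDA",
    r".text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02600EEB",
    r".text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02620FE5",
    r".text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03740F83",
    r".text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [94, 8B]",
    r".text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]",
    r".text C:\WINDOWS\system32\SearchIndexer.exe[2200] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00ED1B19"
    r" C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)",
    "---- Registry - GMER 1.0.15 ----",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)",
    r"Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll",
    "---- Files - GMER 1.0.15 ----",
    r"File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification",
    "---- EOF - GMER 1.0.15 ----",
])


def parse_hooks(text):
    return [m.groupdict() for m in HOOK_RE.finditer(text)]


def parse_registry(text):
    return [m.groupdict() for m in REG_RE.finditer(text)]


def parse_files(text):
    return [m.groupdict() for m in FILE_RE.finditer(text)]


def hooks_by_process(hooks):
    """Group hook records by (image path, pid)."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[(h["proc"], int(h["pid"]))].append(h)
    return dict(grouped)


def unattributed_jmp_hooks(hooks):
    """Inline JMPs whose target GMER could not map to any loaded module.
    A trampoline into memory no module owns is what injected code looks like;
    a JMP GMER attributes to a file (mssrch.dll above) is usually a product hook.
    Raw patched-byte records carry no target and are reported separately."""
    return [h for h in hooks if h["target"] and not h["owner"]]


def services(regs):
    """Fold Services\\<name> records into one dict per service (label -> data)."""
    out = defaultdict(dict)
    for r in regs:
        m = re.search(r"\\Services\\(?P<svc>[^\\@]+)(?P<rest>(?:\\[^@]+)?)", r["key"])
        if not m:
            continue
        label = m.group("rest").lstrip("\\")
        if r["value"] is not None:
            label = f"{label}@{r['value']}" if label else r["value"]
        out[m.group("svc")][label] = r["data"].strip()
    return dict(out)


def report(text):
    hooks, regs, files = parse_hooks(text), parse_registry(text), parse_files(text)
    return {
        "hooked_processes": {
            f"{proc}[{pid}]": sorted(f"{h['module']}!{h['api']}" for h in hs)
            for (proc, pid), hs in hooks_by_process(hooks).items()},
        "unattributed_jmps": len(unattributed_jmp_hooks(hooks)),
        "raw_patches": [f"{h['module']}!{h['api']}" + (f"+{h['off']}" if h["off"] else "")
                        for h in hooks if h["bytes"]],
        "services": services(regs),
        "files": {f["path"]: f["note"].strip() for f in files},
    }


if __name__ == "__main__":
    # Pass a saved gmer.log path as the first argument, or run on the embedded sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(report(text), indent=2))
```

The regexes are anchored on the literal tokens GMER emits (".text", "Reg HK", "File", "----"), so the script does not care whether newlines survived the paste. On the embedded sample it reports four JMP hooks with no owning module (all in svchost.exe), two raw byte patches, one attributed hook (SearchIndexer.exe via mssrch.dll), the TDSSserv.sys service with its imagepath and modules values, and the flagged iaStor.sys. Unattributed JMPs and a service whose imagepath is a driver GMER did not list as a loaded module are the entries to check against a known-good copy of the file and the service registry key on a clean boot.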
  13. Just saw this during a program download (update):

McAfee has automatically blocked and removed a Trojan.
About this Trojan
Detected: Artemis!1A336E097D9C (Trojan), Artemis!1A336E097D9C (Trojan)
Location: C:\Documents and Settings\Bob\Local Settings\Temp\NX5YlXEm.exe.part
  14. I didn't really do any surfing, although I did have to download McAfee again. Just checked and am getting some redirects.
  15. Arrgghh... this is getting old. I was almost immediately reinfected last night. I don't know if it was not truly cleaned or if something snuck in while McAfee was disabled for ComboFix. It's under control at the moment but I have not run ComboFix again.

Malwarebytes' Anti-Malware 1.41
Database version: 3201
Windows 5.1.2600 Service Pack 3

11/27/2009 10:33:28 PM
mbam-log-2009-11-27 (22-33-28).txt

Scan type: Quick Scan
Objects scanned: 130912
Time elapsed: 27 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cblbfthk (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Visitor\Local Settings\Application Data\wlrmac\rhgysysguard.exe (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.