rstev3

Mieke -- Wonderful. Thank you again for all your help! -- Bob

OK, that was completed. Things look good , but how can we tell if we're finished?

Mieke, Yes, I completed those steps. Here is the new result: SystemLook v1.0 by jpshortstuff (29.08.09) Log created at 10:26 on 30/11/2009 by Bob (Administrator - Elevation successful) ========== filefind ========== Searching for "*iastor.sys*" C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [21:43 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A C:\i386\iaStor.sys --a--c 246784 bytes [16:32 01/07/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [22:02 22/06/2007] [11:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5 C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A C:\WINDOWS\iastor.sys --a--- 246784 bytes [20:44 29/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A C:\WINDOWS\system32\drivers\iastor.sys --a--- 246784 bytes [09:32 30/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A C:\WINDOWS\system32\drivers\iaStor.sys.bad --a--- 246784 bytes [21:43 22/06/2007] [10:59 06/07/2006] 40B0DDEC8AA55004C92A20A20C03C410 C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A -=End Of File=-

OK, the Hiren site was back up today. I completed all the steps...what's next?

The Hiren download site seems to be down, unless I have an issue at this end. I thought I had a boot CD around here from a previous adventure but I can't find it. Is there another site to try?

The Recovery Console was installed during the first ComboFix process. SystemLook v1.0 by jpshortstuff (29.08.09) Log created at 15:51 on 29/11/2009 by Bob (Administrator - Elevation successful) ========== filefind ========== Searching for "*iastor.sys*" C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [21:43 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A C:\i386\iaStor.sys --a--c 246784 bytes [16:32 01/07/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [22:02 22/06/2007] [11:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5 C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A C:\WINDOWS\iastor.sys --a--- 246784 bytes [20:44 29/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A C:\WINDOWS\system32\drivers\iaStor.sys --a--- 246784 bytes [21:43 22/06/2007] [10:59 06/07/2006] D042881CC82E83708C647E51FB19A2B7 C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A -=End Of File=-

Mieke -- I was a bit nervous because it hung while booting the first time. Second attempt worked normally though. Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\utppfafc ******************* Script file located at: \??\C:\WINDOWS\system32\wwabownd.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File c:\windows\system32\calc.dll deleted successfully. Completed script processing. ******************* Finished! Terminate. Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: could not move file "C:\drivers\storage\R130118\iastor.sys" File move operation "C:\drivers\storage\R130118\iastor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed! Status: 0xc0000022 (STATUS_ACCESS_DENIED) Completed script processing. ******************* Finished! Terminate.

SystemLook v1.0 by jpshortstuff (29.08.09) Log created at 14:23 on 29/11/2009 by Bob (Administrator - Elevation successful) ========== filefind ========== Searching for "*iastor.sys*" C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [21:43 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A C:\i386\iaStor.sys --a--c 246784 bytes [16:32 01/07/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [22:02 22/06/2007] [11:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5 C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A C:\WINDOWS\system32\drivers\iaStor.sys --a--- 246784 bytes [21:43 22/06/2007] [10:59 06/07/2006] D042881CC82E83708C647E51FB19A2B7 C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A -=End Of File=-

Mieke, Here it is with McAfee uninstalled. It doesn't look any different to me. What is catchme.sys? Bob ComboFix 09-11-28.04 - Bob 11/29/2009 12:11.5.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.649 [GMT -5:00] Running from: c:\documents and settings\Bob\My Documents\Downloads\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 ))))))))))))))))))))))))))))))) . 2009-11-28 17:36 . 2009-11-28 17:36 -------- d-----w- c:\program files\QuickTime 2009-11-28 17:22 . 2008-04-25 01:05 33088 ----a-w- c:\documents and settings\Bob\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2009-11-28 17:13 . 2009-11-28 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2009-11-28 16:53 . 2009-11-28 16:52 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-28 16:52 . 2009-11-28 16:52 152576 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2009-11-28 16:51 . 2009-11-28 16:51 79488 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2009-11-27 22:06 . 2009-11-28 03:33 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\wlrmac 2009-11-25 02:50 . 2009-11-25 02:50 -------- d-sh--w- c:\documents and settings\Visitor\IECompatCache 2009-11-24 22:24 . 2009-11-24 22:24 130 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\fusioncache.dat 2009-11-24 22:24 . 2009-11-24 22:24 -------- d-----w- c:\documents and settings\Visitor\Application Data\Malwarebytes 2009-11-24 21:39 . 2009-11-24 22:17 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\mwrsno 2009-11-23 03:24 . 2009-11-23 03:24 -------- d-----w- c:\program files\Trend Micro 2009-11-22 05:46 . 2009-11-22 05:46 -------- d-----w- C:\2955debf4329043d5977 2009-11-22 05:46 . 2009-11-29 16:40 -------- d-----w- c:\program files\MS Malicious SW Remover 2009-11-12 13:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-12 13:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-12 13:16 . 2009-11-12 13:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-12 01:45 . 2009-11-12 13:54 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\esddko 2009-11-08 21:38 . 2009-11-08 21:38 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Mozilla 2009-11-08 16:43 . 2009-11-08 16:43 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Yahoo 2009-11-06 02:16 . 2009-11-06 02:16 73728 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe 2009-11-05 14:09 . 2009-11-05 14:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE 2009-10-31 17:11 . 2009-10-31 17:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo! . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-29 16:57 . 2009-10-22 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2009-11-29 16:56 . 2009-10-22 18:21 -------- d-----w- c:\program files\McAfee 2009-11-29 13:59 . 2009-02-02 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-11-28 17:31 . 2008-07-14 23:49 -------- d-----w- c:\program files\Safari 2009-11-28 16:52 . 2007-06-22 21:58 -------- d-----w- c:\program files\Java 2009-11-27 20:31 . 2007-07-01 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint 2009-11-27 20:31 . 2007-07-01 15:05 -------- d-----w- c:\program files\Viewpoint 2009-11-15 00:45 . 2008-07-17 11:52 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-11-12 02:30 . 2007-06-22 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-11-11 18:17 . 2007-07-04 15:22 -------- d-----w- c:\program files\Activision Value 2009-11-11 18:17 . 2007-06-22 22:02 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-11-11 18:14 . 2009-07-20 15:28 -------- d-----w- c:\program files\Coupons 2009-11-08 22:54 . 2007-07-01 16:25 35240 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-11-07 17:38 . 2009-07-03 13:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore 2009-11-04 21:54 . 2009-10-22 18:21 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2009-11-04 21:54 . 2009-10-22 18:21 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys 2009-11-04 21:54 . 2009-10-22 18:21 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2009-11-04 21:54 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2009-10-22 18:25 . 2009-10-22 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor 2009-10-22 15:36 . 2007-08-11 03:26 -------- d-----w- c:\documents and settings\Bob\Application Data\Apple Computer 2009-10-22 00:50 . 2009-10-22 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix 2009-10-21 15:58 . 2009-10-21 15:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan 2009-10-21 15:58 . 2009-10-21 15:58 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon 2009-10-16 01:36 . 2009-10-13 19:01 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon Easy-WebPrint EX 2009-10-13 19:54 . 2009-10-13 18:53 -------- d-----w- c:\program files\Canon 2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ 2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\program files\CanonBJ 2009-10-13 19:00 . 2009-10-13 19:00 -------- d-----w- c:\program files\Common Files\CANON 2009-09-04 21:03 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\msasn1.dll . ((((((((((((((((((((((((((((( SnapShot@2009-11-28_22.06.52 ))))))))))))))))))))))))))))))))))))))))) . + 2009-11-29 17:02 . 2009-11-29 17:02 16384 c:\windows\temp\Perflib_Perfdata_6b0.dat - 2009-11-27 22:26 . 2009-11-28 21:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2009-11-27 22:26 . 2009-11-29 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2007-07-01 02:10 . 2009-11-29 17:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2007-07-01 02:10 . 2009-11-28 21:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-11-27 22:26 . 2009-11-29 17:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat - 2009-11-27 22:26 . 2009-11-28 21:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat - 2009-05-04 07:22 . 2009-11-28 21:04 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat + 2009-05-04 07:22 . 2009-11-29 17:02 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "easylinkadvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784] "dellsupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304] "iaanotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016] "dmxlauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "dla"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816] "applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] c:\documents and settings\Visitor\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696] c:\documents and settings\Bob\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-22 24576] Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "MSK80Service"=2 (0x2) "MpfService"=2 (0x2) "McShield"=2 (0x2) "McProxy"=2 (0x2) "McODS"=3 (0x3) "McNASvc"=2 (0x2) "mcmscsvc"=2 (0x2) "McAfee SiteAdvisor Service"=2 (0x2) "MBackMonitor"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Easy PC Transfer\\mDNSResponder.exe"= "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktop.exe"= "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktopCore.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16E.tmp --> c:\windows\system32\16E.tmp [?] . Contents of the 'Scheduled Tasks' folder 2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2009-11-29 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 23:32] 2009-11-29 c:\windows\Tasks\User_Feed_Synchronization-{734BD70F-F5F2-4B79-A903-9BE24F998783}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31] . . ------- Supplementary Scan ------- . mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070622 uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s Trusted Zone: internet Trusted Zone: mcafee.com FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\iwbl11w4.default\ FF - prefs.js: network.proxy.type - 4 FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\kSolo\npAVX.dll FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); . - - - - ORPHANS REMOVED - - - - SafeBoot-mcmscsvc SafeBoot-MCODS ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-29 12:28 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8712B618]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf7534f28 \Driver\ACPI -> ACPI.sys @ 0xf73c7cb8 \Driver\iaStor -> iaStor.sys @ 0xf72e2f80 IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 NDIS: Intel® 82562V 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf71c3bb0 PacketIndicateHandler -> NDIS.sys @ 0xf71b2a0d SendHandler -> NDIS.sys @ 0xf71c6b40 user & kernel MBR OK ************************************************************************** [HKEY_LOCAL_MACHINE\System\controlset003\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\16E.tmp" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(664) c:\windows\system32\WININET.dll - - - - - - - > 'lsass.exe'(728) c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(3648) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-11-29 12:33 ComboFix-quarantined-files.txt 2009-11-29 17:33 ComboFix2.txt 2009-11-29 15:35 ComboFix3.txt 2009-11-28 22:12 Pre-Run: 104,840,798,208 bytes free Post-Run: 104,781,590,528 bytes free Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - 85FC113E5A8494B2E06BA6C192FEE56B

ComboFix 09-11-28.01 - Bob 11/28/2009 16:52.3.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.351 [GMT -5:00] Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 ))))))))))))))))))))))))))))))) . 2009-11-28 17:36 . 2009-11-28 17:36 -------- d-----w- c:\program files\QuickTime 2009-11-28 17:22 . 2008-04-25 01:05 33088 ----a-w- c:\documents and settings\Bob\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2009-11-28 17:13 . 2009-11-28 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2009-11-28 17:13 . 2009-11-28 17:13 -------- d-----w- c:\program files\McAfee Security Scan 2009-11-28 16:53 . 2009-11-28 16:52 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-28 16:52 . 2009-11-28 16:52 152576 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2009-11-28 16:51 . 2009-11-28 16:51 79488 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2009-11-27 22:06 . 2009-11-28 03:33 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\wlrmac 2009-11-27 21:07 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys 2009-11-27 21:07 . 2009-11-27 21:07 -------- d-----w- c:\program files\Common Files\McAfee 2009-11-27 21:07 . 2009-11-27 21:07 -------- d-----w- c:\program files\McAfee.com 2009-11-25 02:50 . 2009-11-25 02:50 -------- d-sh--w- c:\documents and settings\Visitor\IECompatCache 2009-11-24 22:24 . 2009-11-24 22:24 130 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\fusioncache.dat 2009-11-24 22:24 . 2009-11-24 22:24 -------- d-----w- c:\documents and settings\Visitor\Application Data\Malwarebytes 2009-11-24 21:39 . 2009-11-24 22:17 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\mwrsno 2009-11-23 03:24 . 2009-11-23 03:24 -------- d-----w- c:\program files\Trend Micro 2009-11-22 05:46 . 2009-11-22 05:46 -------- d-----w- C:\2955debf4329043d5977 2009-11-22 05:46 . 2009-11-28 20:56 -------- d-----w- c:\program files\MS Malicious SW Remover 2009-11-12 13:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-12 13:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-12 13:16 . 2009-11-12 13:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-12 01:45 . 2009-11-12 13:54 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\esddko 2009-11-08 21:38 . 2009-11-08 21:38 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Mozilla 2009-11-08 16:43 . 2009-11-08 16:43 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Yahoo 2009-11-06 02:16 . 2009-11-06 02:16 73728 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe 2009-11-05 14:09 . 2009-11-05 14:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE 2009-10-31 17:11 . 2009-10-31 17:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo! . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-28 17:31 . 2008-07-14 23:49 -------- d-----w- c:\program files\Safari 2009-11-28 16:52 . 2007-06-22 21:58 -------- d-----w- c:\program files\Java 2009-11-28 04:14 . 2009-02-02 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-11-28 02:26 . 2009-10-22 18:21 -------- d-----w- c:\program files\McAfee 2009-11-27 21:18 . 2009-10-22 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2009-11-27 20:31 . 2007-07-01 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint 2009-11-27 20:31 . 2007-07-01 15:05 -------- d-----w- c:\program files\Viewpoint 2009-11-15 00:45 . 2008-07-17 11:52 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-11-12 02:30 . 2007-06-22 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-11-11 18:17 . 2007-07-04 15:22 -------- d-----w- c:\program files\Activision Value 2009-11-11 18:17 . 2007-06-22 22:02 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-11-11 18:14 . 2009-07-20 15:28 -------- d-----w- c:\program files\Coupons 2009-11-08 22:54 . 2007-07-01 16:25 35240 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-11-07 17:38 . 2009-07-03 13:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore 2009-11-04 21:54 . 2009-10-22 18:21 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2009-11-04 21:54 . 2009-10-22 18:21 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys 2009-11-04 21:54 . 2009-10-22 18:21 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2009-11-04 21:54 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2009-10-22 18:25 . 2009-10-22 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor 2009-10-22 15:36 . 2007-08-11 03:26 -------- d-----w- c:\documents and settings\Bob\Application Data\Apple Computer 2009-10-22 00:50 . 2009-10-22 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix 2009-10-21 15:58 . 2009-10-21 15:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan 2009-10-21 15:58 . 2009-10-21 15:58 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon 2009-10-16 01:36 . 2009-10-13 19:01 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon Easy-WebPrint EX 2009-10-13 19:54 . 2009-10-13 18:53 -------- d-----w- c:\program files\Canon 2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ 2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\program files\CanonBJ 2009-10-13 19:00 . 2009-10-13 19:00 -------- d-----w- c:\program files\Common Files\CANON 2009-09-04 21:03 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\msasn1.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "easylinkadvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784] "dellsupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304] "iaanotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016] "dmxlauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "dla"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816] "applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792] c:\documents and settings\Visitor\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696] c:\documents and settings\Bob\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-22 24576] Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Easy PC Transfer\\mDNSResponder.exe"= "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktop.exe"= "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktopCore.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/27/2009 4:09 PM 203280] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16E.tmp --> c:\windows\system32\16E.tmp [?] . Contents of the 'Scheduled Tasks' folder 2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2009-11-28 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 23:32] 2009-11-27 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-27 17:22] 2009-11-27 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-27 17:22] 2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{734BD70F-F5F2-4B79-A903-9BE24F998783}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31] . . ------- Supplementary Scan ------- . mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070622 uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s Trusted Zone: internet Trusted Zone: mcafee.com FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\iwbl11w4.default\ FF - prefs.js: network.proxy.type - 4 FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\kSolo\npAVX.dll FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll ---- FIREFOX POLICIES ---- FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-28 17:06 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x87125618]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf7534f28 \Driver\ACPI -> ACPI.sys @ 0xf73c7cb8 \Driver\iaStor -> iaStor.sys @ 0xf72e2f80 IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 NDIS: Intel® 82562V 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf71c3bb0 PacketIndicateHandler -> NDIS.sys @ 0xf71b2a0d SendHandler -> NDIS.sys @ 0xf71c6b40 user & kernel MBR OK ************************************************************************** [HKEY_LOCAL_MACHINE\System\controlset003\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\16E.tmp" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(684) c:\windows\system32\WININET.dll - - - - - - - > 'lsass.exe'(748) c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(1544) c:\windows\system32\WININET.dll c:\program files\McAfee\SiteAdvisor\saHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-11-28 17:11 ComboFix-quarantined-files.txt 2009-11-28 22:11 Pre-Run: 104,548,184,064 bytes free Post-Run: 104,649,621,504 bytes free Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - F8D463013893ED65C2B836F085182D06

Hmm...I was having trouble. I cannot locate the file using Firefox and the download was being prevented by a virus check using IE. Finally worked. I'll get back shortly.

I took care of that yesterday. IE and Firefox start OK but I'm getting some search redirects again. Here are recent HJT and GMER files. McAfee was reinstalled yesterday...didn't have another AV active. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:47:29 PM, on 11/28/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Canon\MyPrinter\BJMyPrt.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe C:\Program Files\Dell Support\DSAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\WINDOWS\system32\msiexec.exe C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe C:\WINDOWS\system32\MsiExec.exe C:\WINDOWS\system32\MsiExec.exe C:\Program Files\iTunes\iTunes.exe c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070622 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s O2 - BHO: (no name) - AutorunsDisabled - (no file) O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [iaanotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dmxlauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [applesyncnotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKCU\..\Run: [easylinkadvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup O4 - HKCU\..\Run: [dellsupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: McAfee Security Scan.lnk = ? O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O15 - Trusted Zone: http://*.mcafee.com O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.toontown.com/sv1.0.38.38/ttinst.cab O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 10043 bytes GMER 1.0.15.15252 - http://www.gmer.net Rootkit scan 2009-11-28 15:36:20 Windows 5.1.2600 Service Pack 3 Running: Nov22gmer1.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\pwliapod.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA5B5F78A] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA5B5F821] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA5B5F738] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA5B5F74C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA5B5F835] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA5B5F861] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA5B5F8CF] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA5B5F8B9] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA5B5F7CA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA5B5F8FB] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA5B5F80D] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA5B5F710] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA5B5F724] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA5B5F79E] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA5B5F937] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA5B5F8A3] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA5B5F88D] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA5B5F84B] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA5B5F923] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA5B5F90F] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA5B5F776] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA5B5F762] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA5B5F877] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA5B5F7F9] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA5B5F8E5] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA5B5F7E0] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA5B5F7B4] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A5B5F7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A5B5F78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A5B5F7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A5B5F7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A5B5F7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A5B5F714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A5B5F728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A5B5F766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A5B5F750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A5B5F73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A5B5F77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A5B5F7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP A5B5F891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A5B5F87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP A5B5F8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP A5B5F8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A5B5F84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP A5B5F825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A5B5F839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A5B5F865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP A5B5F8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP A5B5F8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A5B5F811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP A5B5F93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP A5B5F913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP A5B5F927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP A5B5F8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ---- User code sections - GMER 1.0.15 ---- .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[380] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[380] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00050000 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00050F6D .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0005006C .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0005005B .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00050F9E .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00050FD4 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0005009A .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00050F52 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000500C6 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00050F2D .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00050F12 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00050FAF .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00050FEF .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0005007D .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00050040 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00050025 .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000500B5 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00040014 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0004004D .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00040FC3 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00040FD4 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00040F86 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00040FEF .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00040F97 .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [24, 88] {AND AL, 0x88} .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00040FA8 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0FD9 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0064 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0038 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0000 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0053 .text C:\WINDOWS\system32\services.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE001D .text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00060FE5 .text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0006000A .text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00060FD4 .text C:\WINDOWS\system32\services.exe[736] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00060FC3 .text C:\WINDOWS\system32\services.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00070FE5 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E60000 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E60F92 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E6007D .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E6006C .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E60FB9 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E60047 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E600C9 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E60F81 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E600FF .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E600E4 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E60F4B .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E60FCA .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E60FE5 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E600AC .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E60036 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E60025 .text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E60F66 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90FB9 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90F8A .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D9000A .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FD4 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90051 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D90040 .text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D90025 .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0116006B .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!system 77C293C7 5 Bytes JMP 01160050 .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0116002E .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01160000 .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0116003F .text C:\WINDOWS\system32\lsass.exe[748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0116001D .text C:\WINDOWS\system32\lsass.exe[748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01150FEF .text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0000 .text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF0FE5 .text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0011 .text C:\WINDOWS\system32\lsass.exe[748] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0022 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02600000 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02600058 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0260003D .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0260002C .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02600011 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02600F8A .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02600F10 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02600F2D .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02600EDA .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02600EEB .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0260008E .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02600F6F .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02600FE5 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02600F48 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02600FAF .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02600FCA .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02600069 .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025D0FC3 .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025D005B .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025D0FDE .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025D0014 .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025D0F9E .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025D0FEF .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 025D0040 .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025D002F .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02630FBC .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 0263003D .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02630011 .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02630FEF .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0263002C .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02630000 .text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02610000 .text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0261001B .text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02610FE5 .text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02610040 .text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02620FE5 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0078 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F83 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F94 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0051 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FAF .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F4B .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE0093 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00BF .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE00A4 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F15 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0036 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0000 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F68 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FC0 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0011 .text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F30 .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FA0FC0 .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FA0F80 .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FA001B .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FA0FEF .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FA0047 .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FA000A .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FA002C .text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FA0FA5 .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD003D .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD002C .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0FC6 .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD001B .text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0000 .text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FB000A .text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FB0FEF .text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FB002F .text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FB0FD4 .text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0000 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03750000 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03750F7C .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03750F97 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03750FA8 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03750065 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03750FC3 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03750F44 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0375008C .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 037500C2 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037500A7 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 037500DD .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0375004A .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0375001B .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03750F6B .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03750FD4 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03750FE5 .text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03750F29 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03740F94 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03740025 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03740FB9 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03740FCA .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03740F68 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03740FEF .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03740F83 .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [94, 8B] .text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03740000 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03730064 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 03730049 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03730027 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03730000 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03730038 .text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03730FE3 .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03710FE5 .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03710FD4 .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03710000 .text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03710011 .text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03720000 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00970000 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009700AC .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0097009B .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00970080 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00970FC3 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00970051 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00970F70 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00970F81 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00970F3D .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00970F4E .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00970F2C .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00970FD4 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0097001B .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00970F9C .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00970FEF .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00970040 .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00970F5F .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960FD4 .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00960F7C .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00960FE5 .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0096001B .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00960F8D .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0096000A .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00960FA8 .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [b6, 88] {MOV DH, 0x88} .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00960FB9 .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00950FC3 .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!system 77C293C7 5 Bytes JMP 0095004E .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00950FEF .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0095000C .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00950FDE .text C:\WINDOWS\system32\svchost.exe[1244] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00950029 .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00940FEF .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00940FDE .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00940FC3 .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00940014 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10FE5 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B10089 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B1006E .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10051 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10040 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10FA8 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10F4D .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F5E .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10F17 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B10F32 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B100CB .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B1002F .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B10FD4 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B10F79 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B10FB9 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B1000A .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B100B0 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B00FB9 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B0004A .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B00FCA .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B00FE5 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B00025 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B00000 .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B00F8D .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D0, 88] .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B00F9E .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0053 .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0038 .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF001D .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0000 .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0FD2 .text C:\WINDOWS\system32\svchost.exe[1364] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0FE3 .text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00AD0FE5 .text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00AD0FD4 .text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00AD0FB9 .text C:\WINDOWS\system32\svchost.exe[1364] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00AD000A .text C:\WINDOWS\system32\svchost.exe[1364] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE0000 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F86 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F97 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10065 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D1004A .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FBC .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100BD .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D100A2 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F49 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F5A .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10F38 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10039 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D1000A .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F75 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FCD .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FDE .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D100CE .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00FB9 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00F83 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00000 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D00FCA .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00040 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00FEF .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D00025 .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00F9E .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0070 .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF005F .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0029 .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0FEF .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF004E .text C:\WINDOWS\system32\svchost.exe[1520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0018 .text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CD000A .text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CD0FEF .text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CD0025 .text C:\WINDOWS\system32\svchost.exe[1520] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CD0036 .text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE0FEF .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FE5 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F5E .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E8005D .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80036 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80F79 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80F9E .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E8007A .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F32 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80F06 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80F17 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E800BA .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E80025 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E80FD4 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9] .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E80F43 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80014 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E80FC3 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E80095 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C40FB9 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C4006F .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C4000A .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C40FD4 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C40FA8 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C40FE5 .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C4004A .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C4002F .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30F81 .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30F9C .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FC1 .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FEF .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C3000C .text C:\WINDOWS\system32\svchost.exe[1724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30FDE .text C:\WINDOWS\system32\svchost.exe[1724] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C1000A .text C:\WINDOWS\system32\svchost.exe[1724] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C10FEF .text C:\WINDOWS\system32\svchost.exe[1724] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C1001B .text C:\WINDOWS\system32\svchost.exe[1724] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C10FCA .text C:\WINDOWS\system32\svchost.exe[1724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20000 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D9000A .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D90091 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90FA6 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90080 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D9006F .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90FC3 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F6E .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D900B6 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F5D .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D900F6 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90107 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D9004A .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90025 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D90F8B .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90FD4 .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FEF .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D900D1 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80FE5 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80FB2 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80036 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80025 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80FC3 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D8000A .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80065 .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FD4 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70FA6 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FB7 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FD2 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70FEF .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70027 .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D7000C .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D60FEF .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D60FD4 .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D6000A .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D60FAF .text C:\WINDOWS\system32\SearchIndexer.exe[2200] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00ED1B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation) .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E5000A .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E50F94 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E50093 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50076 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50FB9 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E50036 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E500AE .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E50F66 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E500E4 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E50F41 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E50F30 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E50051 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E5001B .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E50F83 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E50FD4 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50FE5 .text C:\WINDOWS\Explorer.EXE[2532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E500BF .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FDE .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40054 .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E4002F .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E4000A .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F97 .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FEF .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40FA8 .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89} .text C:\WINDOWS\Explorer.EXE[2532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40FC3 .text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E3003F .text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30FBE .text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30FD9 .text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30000 .text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E3002E .text C:\WINDOWS\Explorer.EXE[2532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E3001D .text C:\WINDOWS\Explorer.EXE[2532] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E10FEF .text C:\WINDOWS\Explorer.EXE[2532] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E10FD4 .text C:\WINDOWS\Explorer.EXE[2532] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E1000A .text C:\WINDOWS\Explorer.EXE[2532] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E1001B .text C:\WINDOWS\Explorer.EXE[2532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E2000A ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) Device \FileSystem\Fastfat \Fat 9BBD4D20 AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions) Device -> \Driver\iaStor \Device\Harddisk0\DR0 87129618 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1 Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1 Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSliqh.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfuu.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSljwp.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories@ ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification ---- EOF - GMER 1.0.15 ----

Just saw this during a program download (update): McAfee has automatically blocked and removed a Trojan. About this Trojan Detected: Artemis!1A336E097D9C (Trojan), Artemis!1A336E097D9C (Trojan) Location: C:\Documents and Settings\Bob\Local Settings\Temp\NX5YlXEm.exe.part

I didn't really do any surfing, although I did have to download Mcafee again. Just checked and am getting some redirects.

Arrgghh....this is getting old. I was almost immediately reinfected last night. I don't know if it was not truly cleaned or if something snuck in while McAfee was disabled for ComboFix. It's under control at the moment but I have not run ComboFix again. Malwarebytes' Anti-Malware 1.41 Database version: 3201 Windows 5.1.2600 Service Pack 3 11/27/2009 10:33:28 PM mbam-log-2009-11-27 (22-33-28).txt Scan type: Quick Scan Objects scanned: 130912 Time elapsed: 27 minute(s), 35 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cblbfthk (Trojan.FakeAlert.N) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Visitor\Local Settings\Application Data\wlrmac\rhgysysguard.exe (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Dear Mieke, I've completed all the items and everything looks good! I cannot thank you enough for your help. My cable connection did crash during the McAfee download but that may be hardware related. The txt file you identified only contained this and was deleted: Files to delete: c:\windows\system32\calc.dll Sincere thanks, Bob

Whew...uninstalled McAfee completely was not easy...took numerous attempts. ComboFix 09-11-26.02 - Bob 11/27/2009 11:59.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.735 [GMT -5:00] Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm c:\documents and settings\Bob\Application Data\alot c:\documents and settings\Guest\Application Data\alot c:\documents and settings\Visitor\Application Data\alot c:\windows\Downloaded Program Files\ODCTOOLS c:\windows\Install.txt c:\windows\system32\4F3X c:\windows\system32\Install.txt c:\windows\system32\tb.dr Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected Restored copy from - Kitty ate it . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TDSSSERV.SYS -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED} -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE} ((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 ))))))))))))))))))))))))))))))) . 2009-11-25 02:50 . 2009-11-25 02:50 -------- d-sh--w- c:\documents and settings\Visitor\IECompatCache 2009-11-24 22:24 . 2009-11-24 22:24 130 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\fusioncache.dat 2009-11-24 22:24 . 2009-11-24 22:24 -------- d-----w- c:\documents and settings\Visitor\Application Data\Malwarebytes 2009-11-23 03:24 . 2009-11-23 03:24 -------- d-----w- c:\program files\Trend Micro 2009-11-22 05:46 . 2009-11-22 05:46 -------- d-----w- C:\2955debf4329043d5977 2009-11-22 05:46 . 2009-11-24 22:16 -------- d-----w- c:\program files\MS Malicious SW Remover 2009-11-12 13:16 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-12 13:16 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-12 13:16 . 2009-11-12 13:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-12 01:45 . 2009-11-12 13:54 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\esddko 2009-11-08 21:38 . 2009-11-08 21:38 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Mozilla 2009-11-08 16:43 . 2009-11-08 16:43 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\Yahoo 2009-11-05 14:09 . 2009-11-05 14:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE 2009-10-31 17:11 . 2009-10-31 17:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo! . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-27 16:30 . 2009-10-22 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2009-11-27 16:30 . 2009-10-22 18:21 -------- d-----w- c:\program files\McAfee 2009-11-27 03:13 . 2009-02-02 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-11-15 00:45 . 2008-07-17 11:52 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-11-12 02:30 . 2007-06-22 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-11-11 18:17 . 2007-07-04 15:22 -------- d-----w- c:\program files\Activision Value 2009-11-11 18:17 . 2007-06-22 22:02 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-11-11 18:14 . 2009-07-20 15:28 -------- d-----w- c:\program files\Coupons 2009-11-08 22:54 . 2007-07-01 16:25 35240 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-11-07 17:38 . 2009-07-03 13:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore 2009-10-22 18:25 . 2009-10-22 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor 2009-10-22 15:55 . 2009-10-22 15:55 100 ----a-w- c:\program files\iivmymrt.txt 2009-10-22 15:36 . 2007-08-11 03:26 -------- d-----w- c:\documents and settings\Bob\Application Data\Apple Computer 2009-10-22 00:50 . 2009-10-22 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix 2009-10-21 15:58 . 2009-10-21 15:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan 2009-10-21 15:58 . 2009-10-21 15:58 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon 2009-10-16 01:36 . 2009-10-13 19:01 -------- d-----w- c:\documents and settings\Bob\Application Data\Canon Easy-WebPrint EX 2009-10-13 19:54 . 2009-10-13 18:53 -------- d-----w- c:\program files\Canon 2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ 2009-10-13 19:54 . 2009-10-13 19:54 -------- d--h--w- c:\program files\CanonBJ 2009-10-13 19:00 . 2009-10-13 19:00 -------- d-----w- c:\program files\Common Files\CANON 2009-10-11 14:49 . 2009-10-11 14:49 -------- d-----w- c:\program files\Yontoo Layers Client 2009-10-11 14:49 . 2009-10-11 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer 2009-10-11 02:35 . 2009-09-16 23:45 32016 ---ha-w- c:\windows\system32\mlfcache.dat 2009-10-08 19:31 . 2007-07-01 02:43 35240 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-10-08 16:40 . 2008-04-25 01:06 -------- d-----w- c:\program files\Common Files\Adobe 2009-10-03 19:16 . 2009-05-19 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion 2009-10-01 17:57 . 2009-10-01 17:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo! 2009-09-29 01:30 . 2009-10-11 14:49 108032 --s-a-r- c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll 2009-09-29 01:30 . 2009-10-11 14:49 161792 --s-a-r- c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll 2009-09-16 14:22 . 2009-10-22 18:21 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2009-09-16 14:22 . 2009-10-22 18:21 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys 2009-09-16 14:22 . 2009-10-22 18:21 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2009-09-16 14:22 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2009-09-16 14:22 . 2009-10-22 18:17 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys 2009-09-12 21:58 . 2009-09-12 21:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe 2009-09-11 14:18 . 2008-09-18 01:30 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-11 06:41 . 2009-10-11 14:49 224256 --s---r- c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe 2009-09-04 21:03 . 2004-08-10 16:51 58880 ----a-w- c:\windows\system32\msasn1.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "easylinkadvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784] "dellsupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304] "iaanotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016] "dmxlauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "dla"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816] "applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] c:\documents and settings\Visitor\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696] c:\documents and settings\Bob\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-22 24576] Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Easy PC Transfer\\mDNSResponder.exe"= "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktop.exe"= "c:\\Program Files\\Easy PC Transfer\\ProgressionDesktopCore.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/7/2007 10:30 AM 24652] S0 ajderxyl;ajderxyl;c:\windows\system32\drivers\aakyviyc.sys --> c:\windows\system32\drivers\aakyviyc.sys [?] S1 ff7aabc8;ff7aabc8;c:\windows\system32\drivers\ff7aabc8.sys --> c:\windows\system32\drivers\ff7aabc8.sys [?] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\324.tmp --> c:\windows\system32\324.tmp [?] . Contents of the 'Scheduled Tasks' folder 2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2009-11-27 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 23:32] 2009-11-27 c:\windows\Tasks\User_Feed_Synchronization-{734BD70F-F5F2-4B79-A903-9BE24F998783}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31] . . ------- Supplementary Scan ------- . mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070622 uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Emma\Start Menu\Programs\IMVU\Run IMVU.lnk Trusted Zone: internet Trusted Zone: mcafee.com FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\iwbl11w4.default\ FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\kSolo\npAVX.dll FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); . - - - - ORPHANS REMOVED - - - - SafeBoot-mcmscsvc SafeBoot-MCODS AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini uinstrsc.dll AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini uinstrsc.dll AddRemove-Easy-PhotoPrint EX - c:\program files\Canon\Easy-PhotoPrint EX\uninst.exe Uninst.ini uinstrsc.dll AddRemove-Pdf995 - c:\program files\pdf995\setup.exe uninstall AddRemove-Sophos-AntiRootkit - c:\program files\Sophos\Sophos Anti-Rootkit\helper.exe remove ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-27 12:16 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\controlset003\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\324.tmp" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3472) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe c:\windows\system32\SearchIndexer.exe c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-11-27 12:31 - machine was rebooted ComboFix-quarantined-files.txt 2009-11-27 17:31 Pre-Run: 101,608,759,296 bytes free Post-Run: 102,053,515,264 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4 - - End Of File - - 2E946CFF99FD7B505CE55CEF73E5D6A2

Bumped...still need assistance. Now IE will not start up. Firefox still works. Log added: Malwarebytes' Anti-Malware 1.41 Database version: 3201 Windows 5.1.2600 Service Pack 3 11/24/2009 5:17:03 PM mbam-log-2009-11-24 (17-17-03).txt Scan type: Quick Scan Objects scanned: 140781 Time elapsed: 25 minute(s), 11 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnfdxlmy (Trojan.FakeAlert.N) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnfdxlmy (Trojan.FakeAlert.N) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Bob\Local Settings\Application Data\mwrsno\rebtsysguard.exe (Trojan.FakeAlert.N) -> Quarantined and deleted successfully. C:\Documents and Settings\Bob\Local Settings\Temp\e.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Hi, I would greatly appreciate your assistance. I have a similar rootkit problem to others - searches are redirected to ad sites. I use XP/SP3, and both IE and Foxfire. I normally run McAfee Security Center, but needed MalwareBytes to resolve the antivirus trojan that infected the system. Since discovering the redirect problem I tried MS Malicious SW Remover, Sophos, and GMER. None of them seem to detect a problem. The logs you request are below. Thanks, Bob Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:36:58 AM, on 11/23/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Canon\MyPrinter\BJMyPrt.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070622 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s O2 - BHO: (no name) - AutorunsDisabled - (no file) O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file) O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [iaanotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dmxlauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [applesyncnotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [ieServer] C:\WINDOWS\help\NvCpl.exe O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [easylinkadvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup O4 - HKCU\..\Run: [dellsupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKUS\S-1-5-19\..\Run: [nelewitefi] Rundll32.exe "C:\WINDOWS\system32\hutajebo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [nelewitefi] Rundll32.exe "C:\WINDOWS\system32\hutajebo.dll",s (User 'NETWORK SERVICE') O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Emma\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://*.mcafee.com O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.toontown.com/sv1.0.38.38/ttinst.cab O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 10657 bytes GMER 1.0.15.15252 - http://www.gmer.net Rootkit scan 2009-11-23 09:42:50 Windows 5.1.2600 Service Pack 3 Running: Nov22gmer1.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\pwliapog.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA0EDB78A] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA0EDB821] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA0EDB738] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA0EDB74C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA0EDB835] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA0EDB861] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA0EDB8CF] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA0EDB8B9] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA0EDB7CA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA0EDB8FB] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA0EDB80D] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA0EDB710] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA0EDB724] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA0EDB79E] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA0EDB937] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA0EDB8A3] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA0EDB88D] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA0EDB84B] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA0EDB923] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA0EDB90F] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA0EDB776] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA0EDB762] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA0EDB877] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA0EDB7F9] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA0EDB8E5] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA0EDB7E0] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA0EDB7B4] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A0EDB7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A0EDB78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A0EDB7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A0EDB7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A0EDB7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A0EDB714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 805CB696 2 Bytes JMP A0EDB728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread + 3 805CB699 2 Bytes [91, 20] PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A0EDB766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A0EDB750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A0EDB73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A0EDB77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A0EDB7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP A0EDB891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP A0EDB87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP A0EDB8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP A0EDB8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A0EDB84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP A0EDB825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A0EDB839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A0EDB865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP A0EDB8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP A0EDB8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A0EDB811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP A0EDB93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 3 Bytes JMP A0EDB913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey + 4 8062516E 1 Byte [20] PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 3 Bytes JMP A0EDB927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey + 4 80625862 1 Byte [20] PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 3 Bytes JMP A0EDB8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey + 4 8062597C 1 Byte [20] .rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xF738E02C] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012F0FEF .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 012F0F7E .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 012F0073 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012F0FA5 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 012F0FB6 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 012F0047 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012F0F57 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012F009F .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012F00D5 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012F00C4 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 012F00E6 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 012F0058 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012F0000 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 012F0084 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 012F0036 .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 012F001B .text C:\WINDOWS\Explorer.EXE[532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012F0F3C .text C:\WINDOWS\Explorer.EXE[532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 012E002C .text C:\WINDOWS\Explorer.EXE[532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 012E0073 .text C:\WINDOWS\Explorer.EXE[532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 012E0FDB .text C:\WINDOWS\Explorer.EXE[532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 012E0011 .text C:\WINDOWS\Explorer.EXE[532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 012E0062 .text C:\WINDOWS\Explorer.EXE[532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 012E0000 .text C:\WINDOWS\Explorer.EXE[532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 012E0047 .text C:\WINDOWS\Explorer.EXE[532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 012E0FC0 .text C:\WINDOWS\Explorer.EXE[532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FC8 .text C:\WINDOWS\Explorer.EXE[532] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0053 .text C:\WINDOWS\Explorer.EXE[532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF002E .text C:\WINDOWS\Explorer.EXE[532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF000C .text C:\WINDOWS\Explorer.EXE[532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0FD9 .text C:\WINDOWS\Explorer.EXE[532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF001D .text C:\WINDOWS\Explorer.EXE[532] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CF0FE5 .text C:\WINDOWS\Explorer.EXE[532] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CF0FD4 .text C:\WINDOWS\Explorer.EXE[532] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CF0000 .text C:\WINDOWS\Explorer.EXE[532] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CF0FAF .text C:\WINDOWS\Explorer.EXE[532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000 .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01500000 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01500068 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01500F73 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0150004D .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01500F90 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01500FB2 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0150008F .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01500F47 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01500F18 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015000B1 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01500EFD .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01500FA1 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01500FEF .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01500F58 .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01500FCD .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01500FDE .text C:\WINDOWS\system32\services.exe[724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015000A0 .text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 014F0FCA .text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 014F0FA5 .text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 014F001B .text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 014F000A .text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 014F0062 .text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 014F0FEF .text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 014F0047 .text C:\WINDOWS\system32\services.exe[724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 014F002C .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wsystem 77C2931E 3 Bytes JMP 014E004C .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wsystem + 4 77C29322 1 Byte [89] .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!system 77C293C7 3 Bytes JMP 014E0FC1 .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!system + 4 77C293CB 1 Byte [89] .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_creat 77C2D40F 3 Bytes JMP 014E000C .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_creat + 4 77C2D413 1 Byte [89] .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014E0FEF .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wcreat 77C2FC9B 3 Bytes JMP 014E0031 .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wcreat + 4 77C2FC9F 1 Byte [89] .text C:\WINDOWS\system32\services.exe[724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014E0FD2 .text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0FE5 .text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0000 .text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE0FC0 .text C:\WINDOWS\system32\services.exe[724] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0FA5 .text C:\WINDOWS\system32\services.exe[724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FE5 .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01160000 .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0116009D .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01160F9E .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0116006C .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01160FAF .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01160FCA .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011600D0 .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011600BF .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01160F37 .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01160F48 .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01160F1C .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01160051 .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0116001B .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011600AE .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01160FDB .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0116002C .text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01160F6D .text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01150FA8 .text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0115004D .text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01150FC3 .text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01150FDE .text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01150F86 .text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01150FEF .text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0115001E .text C:\WINDOWS\system32\lsass.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01150F97 .text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01140FC6 .text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!system 77C293C7 5 Bytes JMP 01140047 .text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0114002C .text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01140000 .text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01140FD7 .text C:\WINDOWS\system32\lsass.exe[736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01140011 .text C:\WINDOWS\system32\lsass.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FEF .text C:\WINDOWS\system32\lsass.exe[736] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F10FE5 .text C:\WINDOWS\system32\lsass.exe[736] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F10FCA .text C:\WINDOWS\system32\lsass.exe[736] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F10000 .text C:\WINDOWS\system32\lsass.exe[736] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F10FAF .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02680FEF .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02680F81 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02680080 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02680F9C .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02680FB9 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02680FD4 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 026800BD .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 026800A2 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026800D8 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02680F3F .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 026800F3 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0268005B .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0268000A .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02680091 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02680040 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02680025 .text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02680F5A .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02670025 .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02670054 .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02670FD4 .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0267000A .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02670F97 .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02670FEF .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02670FA8 .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [87, 8A] .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02670FC3 .text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02660FC8 .text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!system 77C293C7 5 Bytes JMP 02660049 .text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0266001D .text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02660000 .text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0266002E .text C:\WINDOWS\system32\svchost.exe[944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02660FE3 .text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02560000 .text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02560FE5 .text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02560025 .text C:\WINDOWS\system32\svchost.exe[944] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02560036 .text C:\WINDOWS\system32\svchost.exe[944] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02650FEF .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0FEF .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F52 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0F63 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0F74 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF003D .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0FA5 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF006C .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF0F24 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0EE7 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F02 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF009B .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0022 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0000 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F41 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FC0 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0011 .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F13 .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0FC3 .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0051 .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FD4 .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE000A .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0F94 .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FEF .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FE0040 .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE002F .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0FA6 .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FB7 .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0016 .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0027 .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FD2 .text C:\WINDOWS\system32\svchost.exe[1068] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00F20000 .text C:\WINDOWS\system32\svchost.exe[1068] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00F20FE5 .text C:\WINDOWS\system32\svchost.exe[1068] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00F20FCA .text C:\WINDOWS\system32\svchost.exe[1068] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00F20FAF .text C:\WINDOWS\system32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F30000 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D50FEF .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D50051 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D50F5C .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D50F79 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D50F8A .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D50025 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D5007F .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D50F37 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D500B5 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D5009A .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D50F01 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D50036 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D5000A .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D50062 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D50FC3 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D50FD4 .text C:\WINDOWS\System32\svchost.exe[1168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D50F1C .text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02D40FC3 .text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02D4008A .text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02D40FD4 .text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02D4000A .text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02D4006F .text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02D40FEF .text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02D4004A .text C:\WINDOWS\System32\svchost.exe[1168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02D4002F .text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02D3005F .text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!system 77C293C7 5 Bytes JMP 02D30FD4 .text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02D3003A .text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02D3000C .text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02D30FE5 .text C:\WINDOWS\System32\svchost.exe[1168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02D3001D .text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02790000 .text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0279001B .text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02790FE5 .text C:\WINDOWS\System32\svchost.exe[1168] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02790FCA .text C:\WINDOWS\System32\svchost.exe[1168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027A0FEF .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00950000 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0095005B .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00950F70 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00950F8D .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00950F9E .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00950FCA .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00950F13 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00950F3A .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00950ECC .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00950EE7 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00950EB1 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00950FB9 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00950011 .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00950F4B .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00950FDB .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0095002C .text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00950F02 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00940FDB .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00940FAF .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0094002C .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00940011 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00940FC0 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00940000 .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0094006C .text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00940047 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930042 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930027 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930FC1 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930FEF .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930016 .text C:\WINDOWS\system32\svchost.exe[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FD2 .text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00920FEF .text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0092000A .text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0092001B .text C:\WINDOWS\system32\svchost.exe[1208] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00920FCA .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FE5 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00090 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00075 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B00064 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00047 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00FAF .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F54 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00F65 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00F03 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B00F1E .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00EE8 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00036 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B00000 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00F80 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B0001B .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00FD4 .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F39 .text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0FD4 .text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF006C .text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF0FE5 .text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF001B .text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF005B .text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0000 .text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AF004A .text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0FC3 .text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0040 .text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0FAB .text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AE0FC6 .text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AE0000 .text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AE001B .text C:\WINDOWS\system32\svchost.exe[1372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AE0FE3 .text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00AC0FEF .text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00AC0000 .text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00AC0011 .text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00AC0FB6 .text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AD0FEF .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10080 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10065 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10F97 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10FB2 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D1004A .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D100A5 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F53 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D100C0 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F27 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10F16 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10FC3 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D1001B .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F70 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FD4 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FEF .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D10F42 .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00FDB .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00051 .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00022 .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D00011 .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00F94 .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00000 .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D00FB9 .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F0, 88] .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00FCA .text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0F93 .text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0FA4 .text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0FC6 .text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0000 .text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF0FB5 .text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FD7 .text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CD0000 .text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CD001B .text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CD002C .text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00CD003D .text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE0FEF .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00980000 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00980FA6 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00980FB7 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00980091 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00980FD4 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0098005B .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00980F78 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009800C0 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0098010A .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009800E5 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0098011B .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00980076 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00980FE5 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00980F95 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00980036 .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0098001B .text C:\WINDOWS\system32\svchost.exe[1688] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00980F67 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00950FAF .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00950F79 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00950FCA .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0095000A .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00950036 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00950FE5 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00950F94 .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [b5, 88] {MOV CH, 0x88} .text C:\WINDOWS\system32\svchost.exe[1688] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00950025 .text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00940062 .text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!system 77C293C7 5 Bytes JMP 00940FCD .text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00940018 .text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00940FEF .text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00940033 .text C:\WINDOWS\system32\svchost.exe[1688] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00940FDE .text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00920FEF .text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0092000A .text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0092001B .text C:\WINDOWS\system32\svchost.exe[1688] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0092002C .text C:\WINDOWS\system32\svchost.exe[1688] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FEF .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0FE5 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0F83 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0F94 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0FA5 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0062 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE003D .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE0F52 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE009A .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE00BF .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE0F30 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE00D0 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0FC0 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE000A .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE0089 .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DE002C .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DE001B .text C:\WINDOWS\system32\svchost.exe[1816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DE0F41 .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DD0FD4 .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DD005B .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DD0025 .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DD0FE5 .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DD0F9E .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DD0000 .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DD0FAF .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FD, 88] .text C:\WINDOWS\system32\svchost.exe[1816] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DD0036 .text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC0069 .text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC0FDE .text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0029 .text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC0FEF .text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC004E .text C:\WINDOWS\system32\svchost.exe[1816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC000C .text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C60000 .text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C60FDB .text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C60FCA .text C:\WINDOWS\system32\svchost.exe[1816] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C60FB9 .text C:\WINDOWS\system32\SearchIndexer.exe[2384] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 01121B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) Device \FileSystem\Fastfat \Fat 9FC8FD20 AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions) Device \Driver\00000827 -> \Driver\iaStor \Device\Harddisk0\DR0 8712B50C ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1 Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1 Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSliqh.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSbrsr.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfuu.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSljwp.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7 Reg HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256 Reg HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories@ ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification ---- EOF - GMER 1.0.15 ----