Jump to content

phoppe

Members
  • Posts

    9
  • Joined

  • Last visited

Reputation

0 Neutral
  1. I ran them all as "Hoppenjans Administrator." This is the one that I had to run while in Safe Mode, because it locks up...although it isn't the original profile that got infected and that led me to purchase the Malwarbytes software...that one was the "Lucas" profile. I didn't know it mattered which profile, because it appears that the machine itself is infected. Do you recommend that I simply go to a system restore point earlier than the infection occurred? Perhaps that and the enabled software could prevent re-infection?
  2. Also, I checked the original profile that first exhibited the infection. When loading a browser (Firefox or IE), I still get an "open with" dialog box and although the browser will eventually load, I get a dialog box that references a file called something like jlsnotify.exe. That profile doesn't lock up like the one I have been using to try these various fixes has locked up. Additionally, the wireless internet connection seems to cut in and out, like something is trying to disable it and then it get re-enabled...continuously.
  3. After rebooting the computer, it still locks up when in regular mode. I had to bail out by holding down the power button, and then rebooted in Safe Mode...so no, it still appears to be infected or something.
  4. I will try it when I get back to that computer tonight at about 7pm EST; and I'll report back then...thank you.
  5. Sorry. Here you go. ComboFix 11-02-27.01 - Hoppenjans Admin 02/27/2011 19:37:34.1.2 - x86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3006.2625 [GMT -5:00] Running from: c:\documents and settings\Hoppenjans Admin\Desktop\Combo-Fix.exe AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Hoppenjans Admin\GoToAssistDownloadHelper.exe c:\windows\system32\_000003_.tmp.dll c:\windows\system32\_000006_.tmp.dll c:\windows\system32\_000007_.tmp.dll c:\windows\system32\_000008_.tmp.dll c:\windows\system32\SET33D.tmp . ((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 ))))))))))))))))))))))))))))))) . 2011-02-25 23:34 . 2011-02-25 23:34 -------- d-----w- c:\documents and settings\Kathleen Hoppenjans\Local Settings\Application Data\Apple 2011-02-24 12:33 . 2011-02-24 12:33 -------- d-----w- c:\documents and settings\Hoppenjans Admin\Application Data\Malwarebytes 2011-02-24 12:33 . 2011-02-24 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-02-24 12:33 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-02-24 12:33 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-24 12:33 . 2011-02-24 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-02-05 01:20 . 2011-02-05 01:20 -------- d-----w- c:\program files\iPod 2011-02-05 01:20 . 2011-02-05 01:21 -------- d-----w- c:\program files\iTunes . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-07 14:09 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2004-08-10 17:51 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59 . 2004-08-10 17:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec 2010-12-09 15:15 . 2004-08-10 17:51 718336 ----a-w- c:\windows\system32\ntdll.dll 2010-12-09 14:30 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll 2010-12-09 13:42 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-10-14 03:28 . 2010-08-04 20:13 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848] "nwiz"="nwiz.exe" [2006-08-23 1617920] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-21 169984] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-06 185896] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] c:\documents and settings\Lucas Hoppenjans\Start Menu\Programs\Startup\ OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000] c:\documents and settings\Hoppenjans Admin\Start Menu\Programs\Startup\ OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000] c:\documents and settings\All Users\Start Menu\Programs\Startup\ McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist] 2007-11-06 12:27 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/4/2010 3:13 PM 84072] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/4/2010 3:12 PM 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/4/2010 3:13 PM 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/4/2010 3:13 PM 141792] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/4/2010 3:13 PM 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/4/2010 3:13 PM 88544] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:15 PM 135664] S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/24/2011 7:33 AM 363344] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/3/2010 5:42 AM 203280] S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/4/2010 3:12 PM 271480] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/4/2010 3:13 PM 55840] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/24/2011 7:33 AM 20952] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/4/2010 3:13 PM 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/4/2010 3:13 PM 84264] . Contents of the 'Scheduled Tasks' folder 2011-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 00:15] 2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 00:15] 2011-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1901776298-3590923216-799600055-1007Core.job - c:\documents and settings\Lucas Hoppenjans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 16:35] 2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1901776298-3590923216-799600055-1007UA.job - c:\documents and settings\Lucas Hoppenjans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 16:35] . . ------- Supplementary Scan ------- . uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721 uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - ProfilePath - c:\documents and settings\Hoppenjans Admin\Application Data\Mozilla\Firefox\Profiles\helee9iz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p= FF - prefs.js: browser.search.selectedEngine - Amazon.com FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p= FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-27 19:40 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1188) c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll . Completion time: 2011-02-27 19:42:05 ComboFix-quarantined-files.txt 2011-02-28 00:42 Pre-Run: 57,116,016,640 bytes free Post-Run: 57,752,002,560 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect - - End Of File - - BA13F3A8E044FF5C0F5EBA3767A136C7
  6. Thank you. The Combo-fix.txt file is attached. ComboFix.txt
  7. OK, the new MBAM log and DDS log are below. Also, please note that the computer will now boot up properly...after logging in to the user account and after I get the systray message that an wireless internet connection has been established, the computer completely freezes. I had to reboot in Safe Mode in order to run MBAM and DDS. Also, in disabling TeaTimer, I unchecked the TeaTimer and SD Helper boxes and they both seemed to "take," however I never got to the "allow change" dialog box. I did reboot after unchecking the boxes, however. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5892 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 8.0.6001.18702 2/27/2011 8:11:27 AM mbam-log-2011-02-27 (08-11-27).txt Scan type: Quick scan Objects scanned: 180152 Time elapsed: 4 minute(s), 3 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS (Ver_10-12-12.02) - NTFSx86 NETWORK Run by Hoppenjans Admin at 8:14:45.23 on Sun 02/27/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3006.2540 [GMT -5:00] AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: Norton Internet Worm Protection *Disabled* FW: McAfee Firewall *Enabled* ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Mozilla Firefox\firefox.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Documents and Settings\Hoppenjans Admin\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721 uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721 uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101107085258.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe mRun: [sigmatelSysTrayApp] stsystra.exe mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe" mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray dRunOnce: [RunNarrator] Narrator.exe StartupFolder: c:\docume~1\hoppen~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188070646546 DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\hoppen~1\applic~1\mozilla\firefox\profiles\helee9iz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p= FF - prefs.js: browser.search.selectedEngine - Amazon.com FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p= FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - plugin: c:\documents and settings\lucas hoppenjans\application data\move networks\plugins\npqmp071705000014.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff ============= SERVICES / DRIVERS =============== R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-4 386840] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-4 84072] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-4 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-4 141792] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-4 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-4 88544] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-24 363344] S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-5-3 203280] S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480] S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480] S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-4 171168] S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-7-21 1247600] S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-4 55840] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-24 20952] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232] S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-4 152960] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-4 52104] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-4 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-4 84264] =============== Created Last 30 ================ 2011-02-24 12:33:55 -------- d-----w- c:\docume~1\hoppen~1\applic~1\Malwarebytes 2011-02-24 12:33:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-02-24 12:33:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2011-02-24 12:33:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-24 12:33:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-02-05 01:20:34 -------- d-----w- c:\program files\iPod 2011-02-05 01:20:29 -------- d-----w- c:\program files\iTunes ==================== Find3M ==================== 2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec 2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll 2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll 2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx 2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts ============= FINISH: 8:15:21.39 ===============
  8. Hello and thanks in advance. My kids' computer running Windows XP recently got infected with the "XP Antivirus" program. McAfee real-time scanning did not catch it, so I downloaded, ran, and installed Malwarebytes. The scan removed the infection temporarily. I purchased the full program and enabled real-time protection. However, one of the Windows user profiles (the one that was the source of the infection) again became infected. Short cuts (even those on the Windows programs memu) lead to an "Open with" window, which, if I choose the appropriate program (such as firefox.exe), leads to a "security warning" dialog box about using the program (such as firefox.exe). Closing the window allows the browser to load with no apparent problems. Below are the Malaware logs (several) and protection logs; and the GMER log. Thanks for your assistance. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5867 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 2/24/2011 8:41:48 AM mbam-log-2011-02-24 (08-41-48).txt Scan type: Full scan (C:\|) Objects scanned: 248670 Time elapsed: 1 hour(s), 5 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 2 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (Trojan.FakeAlert) -> Value: SunJavaUpdateSched -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tcnlntbe (Trojan.FakeAlert.Gen) -> Value: tcnlntbe -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\program files\common files\Java\java update\jusched.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. c:\documents and settings\all users\start menu\Programs\Startup\new text document.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. c:\documents and settings\lucas hoppenjans\local settings\application data\bcf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5867 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 2/25/2011 12:18:55 AM mbam-log-2011-02-25 (00-18-55).txt Scan type: Quick scan Objects scanned: 181052 Time elapsed: 9 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5874 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 2/25/2011 6:56:41 AM mbam-log-2011-02-25 (06-56-41).txt Scan type: Flash scan Objects scanned: 127866 Time elapsed: 1 minute(s), 27 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5874 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 2/25/2011 8:01:23 AM mbam-log-2011-02-25 (08-01-23).txt Scan type: Full scan (C:\|) Objects scanned: 247958 Time elapsed: 1 hour(s), 4 minute(s), 25 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) PROTECTION LOGS: 2-24-11 08:50:29 Hoppenjans Admin MESSAGE Protection started successfully 08:50:38 Hoppenjans Admin MESSAGE IP Protection started successfully 2-25-11 00:08:19 Hoppenjans Admin MESSAGE Protection started successfully 00:08:30 Hoppenjans Admin MESSAGE IP Protection started successfully 06:49:18 Lucas Hoppenjans MESSAGE Scheduled update executed successfully 06:54:40 Hoppenjans Admin MESSAGE Protection started successfully 06:54:48 Hoppenjans Admin MESSAGE IP Protection started successfully 06:54:49 Hoppenjans Admin MESSAGE IP Protection stopped 06:54:55 Hoppenjans Admin MESSAGE Database updated successfully 06:55:02 Hoppenjans Admin MESSAGE IP Protection started successfully 08:24:49 Hoppenjans Admin MESSAGE Protection started successfully 08:24:59 Hoppenjans Admin MESSAGE IP Protection started successfully 11:48:26 Hoppenjans Admin IP-BLOCK 212.95.55.76 (Type: outgoing) 11:48:29 Hoppenjans Admin IP-BLOCK 212.95.55.76 (Type: outgoing) 11:48:35 Hoppenjans Admin IP-BLOCK 212.95.55.76 (Type: outgoing) 2-26-11 06:20:39 Hoppenjans Admin MESSAGE Scheduled update executed successfully 06:20:39 Hoppenjans Admin MESSAGE IP Protection stopped 06:21:09 Hoppenjans Admin MESSAGE Database updated successfully 06:21:19 Hoppenjans Admin MESSAGE IP Protection started successfully 09:11:46 Hoppenjans Admin IP-BLOCK 174.36.243.14 (Type: outgoing) DDS (Ver_10-12-12.02) - NTFSx86 Run by Hoppenjans Admin at 8:30:12.98 on Fri 02/25/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3006.2170 [GMT -5:00] AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: Norton Internet Worm Protection *Disabled* FW: McAfee Firewall *Enabled* ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\McAfee\SiteAdvisor\McSACore.exe C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\OpenOffice.org 3\program\soffice.exe C:\Program Files\OpenOffice.org 3\program\soffice.bin C:\Program Files\iPod\bin\iPodService.exe C:\Documents and Settings\Hoppenjans Admin\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721 uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721 uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101107085258.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe mRun: [sigmatelSysTrayApp] stsystra.exe mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe" mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray dRunOnce: [RunNarrator] Narrator.exe StartupFolder: c:\docume~1\hoppen~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813 DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188070646546 DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\hoppen~1\applic~1\mozilla\firefox\profiles\helee9iz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p= FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p= FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll FF - plugin: c:\documents and settings\lucas hoppenjans\application data\move networks\plugins\npqmp071705000014.dll FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff ============= SERVICES / DRIVERS =============== R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-4 386840] R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-4 84072] R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-24 363344] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-5-3 203280] R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480] R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480] R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480] R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-4 171168] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-4 188136] R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-4 141792] R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-7-21 1247600] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-4 55840] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-24 20952] R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-4 152960] R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-4 52104] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-4 313288] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-4 88544] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-4 88544] S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-4 84264] =============== Created Last 30 ================ 2011-02-24 12:33:55 -------- d-----w- c:\docume~1\hoppen~1\applic~1\Malwarebytes 2011-02-24 12:33:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-02-24 12:33:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2011-02-24 12:33:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-24 12:33:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-02-05 01:20:34 -------- d-----w- c:\program files\iPod 2011-02-05 01:20:29 -------- d-----w- c:\program files\iTunes ==================== Find3M ==================== 2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec 2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll 2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll 2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx 2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts ============= FINISH: 8:31:53.21 =============== GMER 1.0.15.15530 - http://www.gmer.net Rootkit scan 2011-02-26 02:39:53 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\0000006c ST380815AS rev.3.ADA Running: 9sen6lhd.exe; Driver: C:\DOCUME~1\HOPPEN~1\LOCALS~1\Temp\pwldypod.sys ---- System - GMER 1.0.15 ---- Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9E8B0E0] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9E8B0F4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9E8B120] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9E8B176] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9E8B0CC] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9E8B0A4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9E8B0B8] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9E8B10A] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9E8B14C] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9E8B136] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9E8B1A0] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9E8B18C] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9E8B160] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9E8B164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB92C2360, 0x2456AE, 0xE8000020] ? C:\DOCUME~1\HOPPEN~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. ! ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\svchost.exe[420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A1000A .text C:\WINDOWS\system32\svchost.exe[420] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A10FEF .text C:\WINDOWS\system32\svchost.exe[420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1001B .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A0000A .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F8D .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00082 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00065 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00FA8 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00FCD .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00F4D .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F68 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F06 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F21 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A00EF5 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A0004A .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00025 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00093 .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00FDE .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00FEF .text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00F3C .text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0FB9 .text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF005E .text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FCA .text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0FE5 .text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0F97 .text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0000 .text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CF0039 .text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0FA8 .text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0FB2 .text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE003D .text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0011 .text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0000 .text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0022 .text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0FD7 .text C:\WINDOWS\system32\svchost.exe[420] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A2000A .text C:\WINDOWS\system32\svchost.exe[420] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A20FE5 .text C:\WINDOWS\system32\svchost.exe[420] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A2001B .text C:\WINDOWS\system32\svchost.exe[420] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00A20FD4 .text C:\WINDOWS\system32\svchost.exe[420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30FEF .text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.) .text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.) .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CF0000 .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CF002F .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF0FEF .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0FEF .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0042 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F4D .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0025 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0014 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0F8D .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F15 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE005D .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE0F04 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0093 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00C2 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0F72 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FDE .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0F32 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FA8 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FB9 .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0082 .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D10FCA .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D10F83 .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D1001B .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D1000A .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D1004A .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D10FE5 .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D10F9E .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F1, 88] .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D10FB9 .text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00051 .text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00036 .text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FC6 .text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00000 .text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D0001B .text C:\WINDOWS\system32\svchost.exe[984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D00FE3 .text C:\WINDOWS\Explorer.EXE[1068] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D00FEF .text C:\WINDOWS\Explorer.EXE[1068] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D00FB9 .text C:\WINDOWS\Explorer.EXE[1068] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D00FD4 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF0FEF .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F52 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0051 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0F83 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0F94 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0025 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF007F .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF006E .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0F12 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF00AB .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF00C6 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0036 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FD4 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0F41 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0014 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FC3 .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF009A .text C:\WINDOWS\Explorer.EXE[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60FAF .text C:\WINDOWS\Explorer.EXE[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D60F8A .text C:\WINDOWS\Explorer.EXE[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60FCA .text C:\WINDOWS\Explorer.EXE[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60000 .text C:\WINDOWS\Explorer.EXE[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D60047 .text C:\WINDOWS\Explorer.EXE[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60FEF .text C:\WINDOWS\Explorer.EXE[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D60036 .text C:\WINDOWS\Explorer.EXE[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D6001B .text C:\WINDOWS\Explorer.EXE[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40F7A .text C:\WINDOWS\Explorer.EXE[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40F8B .text C:\WINDOWS\Explorer.EXE[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FB7 .text C:\WINDOWS\Explorer.EXE[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40FEF .text C:\WINDOWS\Explorer.EXE[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40FA6 .text C:\WINDOWS\Explorer.EXE[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D40FD2 .text C:\WINDOWS\Explorer.EXE[1068] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D10FEF .text C:\WINDOWS\Explorer.EXE[1068] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D10FDE .text C:\WINDOWS\Explorer.EXE[1068] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D10FCD .text C:\WINDOWS\Explorer.EXE[1068] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00D10014 .text C:\WINDOWS\Explorer.EXE[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FEF .text C:\WINDOWS\system32\services.exe[1332] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00940000 .text C:\WINDOWS\system32\services.exe[1332] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00940FC0 .text C:\WINDOWS\system32\services.exe[1332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00940FDB .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00000 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F87 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C0007C .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C0006B .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00FA2 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00033 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00F45 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F62 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F08 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00F19 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C000BC .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00044 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00011 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C0008D .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00022 .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00FDB .text C:\WINDOWS\system32\services.exe[1332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F2A .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0097002C .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00970FAF .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0097001B .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0097000A .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0097006C .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00970FE5 .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00970FCA .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [b7, 88] {MOV BH, 0x88} .text C:\WINDOWS\system32\services.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00970047 .text C:\WINDOWS\system32\services.exe[1332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00960042 .text C:\WINDOWS\system32\services.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 00960027 .text C:\WINDOWS\system32\services.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00960FC1 .text C:\WINDOWS\system32\services.exe[1332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00960FEF .text C:\WINDOWS\system32\services.exe[1332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00960016 .text C:\WINDOWS\system32\services.exe[1332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00960FD2 .text C:\WINDOWS\system32\services.exe[1332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0095000A .text C:\WINDOWS\system32\lsass.exe[1344] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BA0FEF .text C:\WINDOWS\system32\lsass.exe[1344] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA0FCD .text C:\WINDOWS\system32\lsass.exe[1344] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA0FDE .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0089 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F94 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0062 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0051 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE001B .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F66 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F77 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00F5 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00E4 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0110 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0040 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FD4 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE00A4 .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FAF .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE000A .text C:\WINDOWS\system32\lsass.exe[1344] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00D3 .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0036 .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F94 .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD001B .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD000A .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0FA5 .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FE5 .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0FC0 .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88] .text C:\WINDOWS\system32\lsass.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0051 .text C:\WINDOWS\system32\lsass.exe[1344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0036 .text C:\WINDOWS\system32\lsass.exe[1344] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0FA1 .text C:\WINDOWS\system32\lsass.exe[1344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FC6 .text C:\WINDOWS\system32\lsass.exe[1344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FE3 .text C:\WINDOWS\system32\lsass.exe[1344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0011 .text C:\WINDOWS\system32\lsass.exe[1344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0000 .text C:\WINDOWS\system32\lsass.exe[1344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0FE5 .text C:\WINDOWS\system32\svchost.exe[1532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 024E0FEF .text C:\WINDOWS\system32\svchost.exe[1532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 024E0FCD .text C:\WINDOWS\system32\svchost.exe[1532] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 024E0FDE .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02520FEF .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02520F57 .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0252004C .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02520F72 .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0252002F .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02520F8D .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02520F2B .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02520F3C .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02520F06 .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0252009F .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025200BA .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02520014 .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02520FD4 .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02520067 .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02520F9E .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02520FB9 .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0252008E .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02510FB9 .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02510054 .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02510FCA .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0251000A .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02510039 .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02510FEF .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02510F8D .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [71, 8A] {JNO 0xffffffffffffff8c} .text C:\WINDOWS\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02510F9E .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02500FB2 .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!system 77C293C7 5 Bytes JMP 0250003D .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02500FD7 .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02500000 .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0250002C .text C:\WINDOWS\system32\svchost.exe[1532] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02500011 .text C:\WINDOWS\system32\svchost.exe[1532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 024F0FEF .text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B50FEF .text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B5001E .text C:\WINDOWS\system32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B50FDE .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40FEF .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40F6E .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40059 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40F7F .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40F90 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40028 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40F3D .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40085 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40F07 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B400A0 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B40EF6 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40FA1 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FDE .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40074 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40FB2 .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40FCD .text C:\WINDOWS\system32\svchost.exe[1580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B40F22 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D10040 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D10FB9 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D10025 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D10014 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D10076 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D10FEF .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D10FD4 .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F1, 88] .text C:\WINDOWS\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D1005B .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FAF .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B7003A .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70018 .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70FEF .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70029 .text C:\WINDOWS\system32\svchost.exe[1580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B70FDE .text C:\WINDOWS\system32\svchost.exe[1580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B60000 .text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02CD0FEF .text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02CD000A .text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02CD0FD4 .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02CC0FEF .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02CC0F55 .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02CC004A .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02CC0F7C .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02CC0F8D .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02CC0FB9 .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02CC0076 .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02CC0F2E .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02CC0F13 .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02CC00AC .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02CC00C7 .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02CC0F9E .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02CC000A .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02CC0065 .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02CC0FCA .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02CC0025 .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02CC0087 .text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0ABB0FD4 .text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0ABB0F9E .text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0ABB0025 .text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0ABB000A .text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0ABB005B .text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0ABB0FEF .text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0ABB0040 .text C:\WINDOWS\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0ABB0FB9 .text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0ABA002A .text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!system 77C293C7 5 Bytes JMP 0ABA0F95 .text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0ABA0FC1 .text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0ABA0FE3 .text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0ABA0FA6 .text C:\WINDOWS\System32\svchost.exe[1624] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0ABA0FD2 .text C:\WINDOWS\System32\svchost.exe[1624] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0AB90FEF .text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0AB8000A .text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0AB8001B .text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0AB80FEF .text C:\WINDOWS\System32\svchost.exe[1624] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 0AB80036 .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 008D0000 .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008D002F .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008D0FEF .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C0000 .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C009A .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C007F .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C0FA5 .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C0062 .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C002C .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C0F5C .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C0F6D .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C00DA .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C00BF .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C0F26 .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C0051 .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C0FDB .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C0F8A .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C0011 .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C0FCA .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C0F41 .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00900FDB .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00900062 .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00900036 .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00900025 .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00900FAF .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00900000 .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00900FC0 .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [b0, 88] {MOV AL, 0x88} .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00900047 .text C:\WINDOWS\system32\svchost.exe[1776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008F0025 .text C:\WINDOWS\system32\svchost.exe[1776] msvcrt.dll!system 77C293C7 5 Bytes JMP 008F0F9A .text C:\WINDOWS\system32\svchost.exe[1776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008F0FC6 .text C:\WINDOWS\system32\svchost.exe[1776] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008F0000 .text C:\WINDOWS\system32\svchost.exe[1776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008F0FAB .text C:\WINDOWS\system32\svchost.exe[1776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008F0FD7 .text C:\WINDOWS\system32\svchost.exe[1776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008E000A .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D7000A .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D7002F .text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D70FEF .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60F9C .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60091 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60076 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60FB9 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FCA .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D600C4 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D600B3 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600E6 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F57 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60101 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60051 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60FEF .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D600A2 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60040 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60025 .text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D600D5 .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DA0FE5 .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DA006C .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DA0036 .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DA001B .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DA0FAF .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DA0000 .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DA0FCA .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FA, 88] .text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DA005B .text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D9007A .text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D9005F .text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D90033 .text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D90FEF .text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D9004E .text C:\WINDOWS\system32\svchost.exe[1804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90018 .text C:\WINDOWS\system32\svchost.exe[1804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80FEF .text C:\Program Files\Mozilla Firefox\firefox.exe[2208] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) .text C:\WINDOWS\System32\svchost.exe[3804] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 003D0FEF .text C:\WINDOWS\System32\svchost.exe[3804] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003D001B .text C:\WINDOWS\System32\svchost.exe[3804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 003D000A .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 003C0FE5 .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 003C003D .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 003C002C .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003C0F5E .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 003C0F79 .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 003C0F9E .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 003C0EFF .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 003C0F1C .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003C0076 .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 003C0EDD .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 003C0EC2 .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 003C001B .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 003C0000 .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 003C0F2D .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 003C0FB9 .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 003C0FCA .text C:\WINDOWS\System32\svchost.exe[3804] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 003C0EEE .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760036 .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760065 .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760025 .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0076000A .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00760FA8 .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760FEF .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00760FB9 .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [96, 88] .text C:\WINDOWS\System32\svchost.exe[3804] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760FD4 .text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00750FB9 .text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00750044 .text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00750FE5 .text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0075000C .text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00750FD4 .text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00750029 .text C:\WINDOWS\System32\svchost.exe[3804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0FEF ---- Devices - GMER 1.0.15 ---- Device Ntfs.sys (NT File System Driver/Microsoft Corporation) Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation) AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation) AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions) ---- EOF - GMER 1.0.15 ----
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.