
Can't get RootRepeal to run! help!


vandy

While attempting to follow the generic instructions that were posted from an administrator regarding the problem of MBAM not running, I downloaded and tried to run RootRepeal in order to find that evil rootkit driver that MBAM can't get. When I tried to run RootRepeal, it says "initializing, please wait....." I let it run like that for almost 48 hours with nothing happening. Am I doing something wrong? Is there another way to attack this rootkit driver problem? I have read the description in the instructions and am pretty sure that this is the same bug that I have on my computer. Please help!!

Thank you in advance!


Did you temporarily disable all antivirus, antispyware, and firewalls?

Anyway, you can use an alternative...

  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Close any and all open programs, as this process may crash your computer.
  3. Double click the GMER icon on your desktop.
  4. Allow the gmer.sys driver to load if asked.
  5. You may see this window. If you do, click No.
  6. Click on Scan and wait for the scan to finish.
  7. If you see a rootkit warning window, click OK.
  8. Push Save and save the logfile to your desktop.
  9. Copy and Paste the contents of that file in your next post.


Here is the GMER logfile: (I deleted all of the thread descriptions because it kept telling me that the message was too long to post on here.)

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-12-01 22:22:35

Windows 5.1.2600 Service Pack 2

Running: 48fbcpi1.exe; Driver: C:\DOCUME~1\poonjab1\LOCALS~1\Temp\awldapog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF4FFE0B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF4F4178A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF4F41821]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF4F41738]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF4F4174C]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF4F41835]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF4F41861]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF4F418CF]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF4F418B9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF4F417CA]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF4F418FB]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF4F4180D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF4F41710]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF4F41724]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF4F4179E]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF4F41937]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF4F418A3]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF4F4188D]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF4F4184B]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF4F41923]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF4F4190F]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF4F41776]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF4F41762]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF4F41877]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF4F417F9]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF4F418E5]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF4F417E0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF4F417B4]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP F4F417B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwOpenKey 80567D6B 5 Bytes JMP F4F41811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwQueryValueKey 8056B173 4 Bytes JMP F4F41891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwQueryValueKey + 5 8056B178 2 Bytes [90, 90] {NOP ; NOP }

PAGE ntoskrnl.exe!NtSetInformationProcess 8056BDBD 5 Bytes JMP F4F41766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwCreateKey 8056E819 5 Bytes JMP F4F41825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwQueryKey 8056EC29 7 Bytes JMP F4F4193B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF20 7 Bytes JMP F4F418D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtCreateFile 8056FC68 5 Bytes JMP F4F4178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571F61 5 Bytes JMP F4F417E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtMapViewOfSection 805723DC 7 Bytes JMP F4F417CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtOpenProcess 80572D76 5 Bytes JMP F4F41714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80573125 7 Bytes JMP F4F417A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwSetValueKey 80573CFD 7 Bytes JMP F4F4187B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwEnumerateValueKey 8057FBF4 7 Bytes JMP F4F418BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwCreateProcessEx 80581EFE 7 Bytes JMP F4F41750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwTerminateProcess 805847BC 5 Bytes JMP F4F417FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!NtOpenThread 8058C882 5 Bytes JMP F4F41728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwNotifyChangeKey 80590E92 5 Bytes JMP F4F418FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwDeleteValueKey 80593B28 7 Bytes JMP F4F41865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwDeleteKey 805951B2 7 Bytes JMP F4F41839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwCreateProcess 805B0B24 5 Bytes JMP F4F4173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwSetContextThread 8062C4EB 5 Bytes JMP F4F4177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwRestoreKey 8064C122 5 Bytes JMP F4F41913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwUnloadKey 8064C3F7 7 Bytes JMP F4F418E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CCC4 7 Bytes JMP F4F418A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwRenameKey 8064D109 7 Bytes JMP F4F4184F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

PAGE ntoskrnl.exe!ZwReplaceKey 8064D5FE 5 Bytes JMP F4F41927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF762E380]

? 002985AB The system cannot find the file specified. !


.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A80025

.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A80062

.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A8000A

.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A80FD4

.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A80FA5

.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A80FEF

.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A80047

.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A80036

.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A7006E

.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A70053

.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A70FE3

.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A7000C

.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A70038

.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A7001D

.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A50000

.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A50FE5

.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A5001B

.text C:\WINDOWS\System32\svchost.exe[1056] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A50036

.text C:\WINDOWS\System32\svchost.exe[1056] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A6000A

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C20FEF

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C2009D

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C20FA8

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C20082

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C2005B

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C2002F

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C20F83

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C200CB

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C20101

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C200F0

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C2011C

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C20040

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C20FDE

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C200AE

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C20FCD

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C2001E

.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C20F72

.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00C10040

.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00C10FCA

.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00C10FEF

.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00C10025

.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00C1007D

.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00C10000

.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00C10062

.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00C10051

.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00FC8

.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00FD9

.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C0002E

.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00000

.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00049

.text C:\WINDOWS\System32\svchost.exe[1148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C0001D

.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00950FEF

.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00950FD4

.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00950FB9

.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00950FA8

.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00960FE5

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A60FEF

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [E9]

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A60F61

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A60056

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A60045

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A60F7C

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A60FA8

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A60F46

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A60082

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A60F1A

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A60F2B

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A60EFF

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A60F8D

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A6000A

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A60067

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A60FC3

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A60FD4

.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A600A9

.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00970FB9

.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00970F68

.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0097000A

.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00970FD4

.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00970F79

.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00970FEF

.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00970F94

.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0097001B

.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00960029

.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!system 77C293C7 5 Bytes JMP 00960FA8

.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00960FC3

.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00960FEF

.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00960018

.text C:\WINDOWS\System32\svchost.exe[1344] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00960FDE

.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00940FEF

.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00940FD4

.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00940014

.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00940FC3

.text C:\WINDOWS\System32\svchost.exe[1344] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00950FE5

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B5000A

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B50071

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B50056

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B50F7C

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B50F8D

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B50025

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B50093

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B50F57

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B50F1C

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B500BF

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00B50F0B

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00B50F9E

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00B50FEF

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00B50082

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00B50FC3

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00B50FD4

.text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00B500AE

.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00B4001E

.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00B40065

.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00B40FC3

.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00B40FDE

.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00B4004A

.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00B40FEF

.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00B40039

.text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00B40FB2

.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00960FC8

.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!system 77C293C7 5 Bytes JMP 00960053

.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0096001D

.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00960FEF

.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0096002E

.text C:\WINDOWS\System32\svchost.exe[1956] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0096000C

.text C:\WINDOWS\System32\svchost.exe[1956] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00950000

.text C:\WINDOWS\System32\svchost.exe[1956] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00950FEF

.text C:\WINDOWS\System32\svchost.exe[1956] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00950FD4

.text C:\WINDOWS\System32\svchost.exe[1956] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00950025

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2008] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001D0000

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001D007A

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001D0069

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001D0058

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001D0F9B

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001D0FC7

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001D00B2

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001D0F6A

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001D0F23

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001D0F34

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001D00D7

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001D0FB6

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001D0011

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001D0095

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001D003D

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001D002C

.text C:\WINDOWS\system32\wuauclt.exe[2964] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001D0F59

.text C:\WINDOWS\system32\wuauclt.exe[2964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0042

.text C:\WINDOWS\system32\wuauclt.exe[2964] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FB7

.text C:\WINDOWS\system32\wuauclt.exe[2964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FD2

.text C:\WINDOWS\system32\wuauclt.exe[2964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000

.text C:\WINDOWS\system32\wuauclt.exe[2964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0027

.text C:\WINDOWS\system32\wuauclt.exe[2964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FE3

.text C:\WINDOWS\system32\wuauclt.exe[2964] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002C0F9E

.text C:\WINDOWS\system32\wuauclt.exe[2964] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002C0040

.text C:\WINDOWS\system32\wuauclt.exe[2964] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002C0FB9

.text C:\WINDOWS\system32\wuauclt.exe[2964] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002C0FDE

.text C:\WINDOWS\system32\wuauclt.exe[2964] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002C0025

.text C:\WINDOWS\system32\wuauclt.exe[2964] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002C0FEF

.text C:\WINDOWS\system32\wuauclt.exe[2964] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002C0014

.text C:\WINDOWS\system32\wuauclt.exe[2964] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002C0F8D

.text C:\WINDOWS\system32\wuauclt.exe[2964] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0093000A

.text C:\WINDOWS\system32\wuauclt.exe[2964] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00930FEF

.text C:\WINDOWS\system32\wuauclt.exe[2964] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00930FCA

.text C:\WINDOWS\system32\wuauclt.exe[2964] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0093001B

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001C0FEF

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001C0078

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001C0F83

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001C0067

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001C0F9E

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001C0FB9

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001C00B0

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001C0F5E

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001C00CB

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001C0F32

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001C0F17

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001C0040

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001C0FD4

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001C0089

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001C001B

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001C000A

.text C:\WINDOWS\Explorer.EXE[3904] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001C0F43

.text C:\WINDOWS\Explorer.EXE[3904] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002A0FDE

.text C:\WINDOWS\Explorer.EXE[3904] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002A0FA8

.text C:\WINDOWS\Explorer.EXE[3904] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002A002F

.text C:\WINDOWS\Explorer.EXE[3904] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002A0014

.text C:\WINDOWS\Explorer.EXE[3904] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002A0065

.text C:\WINDOWS\Explorer.EXE[3904] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002A0FEF

.text C:\WINDOWS\Explorer.EXE[3904] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002A0FC3

.text C:\WINDOWS\Explorer.EXE[3904] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002A004A

.text C:\WINDOWS\Explorer.EXE[3904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0F97

.text C:\WINDOWS\Explorer.EXE[3904] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FB2

.text C:\WINDOWS\Explorer.EXE[3904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FCD

.text C:\WINDOWS\Explorer.EXE[3904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000

.text C:\WINDOWS\Explorer.EXE[3904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0022

.text C:\WINDOWS\Explorer.EXE[3904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0011

.text C:\WINDOWS\Explorer.EXE[3904] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002D0FEF

.text C:\WINDOWS\Explorer.EXE[3904] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002D0000

.text C:\WINDOWS\Explorer.EXE[3904] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002D0011

.text C:\WINDOWS\Explorer.EXE[3904] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002D0022

.text C:\WINDOWS\Explorer.EXE[3904] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BC000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F76219F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\atapi \Device\Ide\IdePort0 [F76219F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\atapi \Device\Ide\IdePort1 [F76219F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F76219F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\giwrwsxnbk \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 002985AB

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread 48fbcpi1.exe [5724:4112] SSDT 0x8200D138 != 0x804E26A8

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwDeleteValueKey [0xF22D9517]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwEnumerateKey [0xF22D91C7]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwEnumerateValueKey [0xF22D92D3]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwOpenKey [0xF22D910F]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwOpenProcess [0xF22D8E79]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwOpenThread [0xF22D8F01]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwProtectVirtualMemory [0xF22D96DB]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwQueryDirectoryFile [0xF22D8CA0]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwQuerySystemInformation [0xF22D8D73]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwReadVirtualMemory [0xF22D960F]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwSetContextThread [0xF22D90AC]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwSetValueKey [0xF22D9413]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwSuspendThread [0xF22D9049]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwTerminateThread [0xF22D8FE6]

SSDT 002985AB 48fbcpi1.exe [5724.4112] ZwWriteVirtualMemory [0xF22D9675]

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\rkavvkffv.sys (*** hidden *** ) [AUTO] giwrwsxnbk <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@Start 2

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@ErrorControl 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@ImagePath \??\C:\WINDOWS\system32\drivers\rkavvkffv.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@DisplayName giwrwsxnbk

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@RulesData 0x03 0x00 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@krnl_sleepfreq 0x58 0x02 0x00 0x00

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@krnl_servers_list 0x68 0x74 0x74 0x70 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk\Security

Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk\Security@Security 0x01 0x00 0x14 0x80 ...

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\rkavvkffv.sys 78720 bytes executable <-- ROOTKIT !!!

File C:\WINDOWS\system32\drivers\str.sys 237600 bytes

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

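Reading a log like the one above by hand is slow because the same few patterns repeat for every process. What follows is an added example (my code, not code from this thread, from GMER or from Malwarebytes) that parses GMER's line formats and sorts the findings into the three things that matter here: user-mode inline hooks whose JMP target GMER could not attribute to any loaded module (every svchost, wuauclt and Explorer entry above, as opposed to the McAfee hooks, which GMER resolves into mcproxy.exe), the hidden service giwrwsxnbk with its driver file, device object and registry values, and the atapi.sys dispatch entry reported in an unknown section. The sample input is a constructed excerpt of lines copied from the posted log; the regular expressions are written against those lines and may need adjusting for other GMER versions.

```python
"""Triage a GMER log: module-backed vs unbacked (injected) user-mode hooks,
hidden services, patched driver dispatch. Added example, not GMER's own code."""
import re
from typing import Dict

# Constructed sample: lines copied from the GMER log posted above, plus the
# McAfee hook line so the legitimate, module-backed case is covered.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00970FDE
.text C:\WINDOWS\System32\svchost.exe[1056] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A6000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
Device \Driver\atapi \Device\Ide\IdePort0 [F76219F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\giwrwsxnbk \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 002985AB
Service C:\WINDOWS\system32\drivers\rkavvkffv.sys (*** hidden *** ) [AUTO] giwrwsxnbk <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@ImagePath \??\C:\WINDOWS\system32\drivers\rkavvkffv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@krnl_sleepfreq 0x58 0x02 0x00 0x00
Reg HKLM\SYSTEM\CurrentControlSet\Services\giwrwsxnbk@krnl_servers_list 0x68 0x74 0x74 0x70 ...
File C:\WINDOWS\system32\drivers\rkavvkffv.sys 78720 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# GMER appends "<module> (<description>)" to a hook line only when the JMP
# target resolves to a loaded module; a bare target is unbacked memory.
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+) (?P<addr>[0-9A-F]{8}) "
    r"\d+ Bytes? JMP (?P<target>[0-9A-F]{8})(?: (?P<module>\S+) \((?P<desc>[^)]*)\))?$")
# Dispatch entry GMER disassembled because it lies outside the image's sections.
DISPATCH_RE = re.compile(
    r"^Device (?P<driver>\S+) (?P<device>\S+) \[(?P<addr>[0-9A-F]+)\] "
    r"(?P<image>\S+?)\[(?P<section>[^\]]*)\] \{(?P<disasm>[^}]*)\}$")
# Device whose dispatch address GMER could not attribute to any image at all.
UNBACKED_DEV_RE = re.compile(r"^Device (?P<driver>\S+) (?P<device>\S+) (?P<addr>[0-9A-F]{8})$")
SERVICE_RE = re.compile(
    r"^Service (?P<path>.+?) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
REG_RE = re.compile(r"^Reg (?P<key>[^@\s]+)(?:@(?P<value>\S+)(?: (?P<data>.*))?)?$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<note>\d+ bytes.*|suspicious modification)$")
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<name>[^\\]+)$", re.IGNORECASE)


def decode_reg_data(data: str):
    """Decode GMER's '0x.. 0x..' dump: a 4-byte value becomes a little-endian
    int, printable bytes become text; a trailing '...' means GMER truncated it."""
    tokens = data.split()
    if not any(t.startswith("0x") for t in tokens):
        return data                      # plain string value, e.g. ImagePath
    truncated = tokens[-1] == "..."
    raw = bytes(int(t, 16) for t in tokens if t.startswith("0x"))
    if not truncated and len(raw) == 4:
        return int.from_bytes(raw, "little")
    text = raw.decode("ascii") if all(32 <= b < 127 for b in raw) else raw.hex()
    return text + ("..." if truncated else "")


def triage(log: str) -> Dict[str, object]:
    r = {"injected_hooks": [], "module_hooks": [], "patched_dispatch": [],
         "unbacked_devices": [], "hidden_services": [], "service_values": {},
         "rootkit_files": [], "suspicious_files": []}
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if m := HOOK_RE.match(line):
            hook = {"proc": m["proc"], "pid": int(m["pid"]), "api": m["api"],
                    "target": int(m["target"], 16), "module": m["module"]}
            r["module_hooks" if m["module"] else "injected_hooks"].append(hook)
        elif m := DISPATCH_RE.match(line):
            r["patched_dispatch"].append({k: m[k] for k in ("driver", "device", "image", "section", "disasm")})
        elif m := UNBACKED_DEV_RE.match(line):
            r["unbacked_devices"].append((m["driver"], m["device"], int(m["addr"], 16)))
        elif m := SERVICE_RE.match(line):
            r["hidden_services"].append((m["name"], m["path"], m["start"]))
        elif (m := REG_RE.match(line)) and m["value"]:
            if k := SERVICE_KEY_RE.search(m["key"]):   # only values under a service key
                r["service_values"].setdefault(k["name"], {})[m["value"]] = decode_reg_data(m["data"] or "")
        elif m := FILE_RE.match(line):
            r["rootkit_files" if "ROOTKIT" in m["note"] else "suspicious_files"].append(m["path"])
    return r


def summary(r: Dict[str, object]) -> str:
    """One line per finding, grouped so a hidden service reads with its values."""
    out = [f"unbacked user-mode hooks: {len(r['injected_hooks'])} in "
           f"{len({h['pid'] for h in r['injected_hooks']})} processes",
           f"module-backed hooks: {len(r['module_hooks'])} "
           f"({', '.join(sorted({h['module'] for h in r['module_hooks']}))})"]
    for name, path, start in r["hidden_services"]:
        out.append(f"hidden service {name} [{start}] -> {path}; values: {r['service_values'].get(name, {})}")
    for drv, dev, addr in r["unbacked_devices"]:
        out.append(f"device {dev} of {drv} dispatches to unbacked {addr:#010x}")
    for d in r["patched_dispatch"]:
        out.append(f"{d['image']} dispatch for {d['device']} in [{d['section']}]: {d['disasm']}")
    out += [f"rootkit file: {p}" for p in r["rootkit_files"]]
    out += [f"suspicious file: {p}" for p in r["suspicious_files"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(summary(triage(SAMPLE_LOG)))
```

Two decoded registry values are worth a look: krnl_sleepfreq 0x58 0x02 0x00 0x00 is 600 read as a little-endian DWORD, and krnl_servers_list begins with the bytes for "http" before GMER truncates it, which, together with the value names, suggests a polling interval and a server list for the kernel-mode component. The atapi.sys entry reads a pointer from 0xffdf0308 and jumps through it; 0xFFDF0000 is the kernel-mode address of KUSER_SHARED_DATA on 32-bit Windows XP, so the IDE driver's dispatch routine has been redirected through a pointer kept in that shared page rather than through code inside the atapi.sys image, which matches ComboFix's later report that the driver file was infected.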

  • Root Admin

Hello Vandy,

Jason2 will be away for while from the forums so I'll take over for him.

Please run the following.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  • It is important you rename Combofix during the download, but not after.

  • Please do not rename Combofix to other names, but only to the one indicated.

  • Close any open browsers.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.

  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except those on its own whitelist, and that whitelist includes important system processes such as iexplore.exe, explorer.exe and winlogon.exe.


First of all, thank you for the help. Ok, so I ran Combo-Fix and it discovered (and presumably deleted) several files and a few folders. The problem is that sometime between it 'creating a logfile' and the next time I checked my PC, Windows had rebooted because of a 'critical security update that required a restart of my computer'. Now, IF ComboFix created a logfile, I am not sure where to find it. It is not in the ComboFix folder and it did not put it on my desktop. Please let me know where to find it so that I can get it posted on here for you. Thanks again.


Here you go:

ComboFix 09-12-08.03 - poonjab1 12/08/2009 21:32:04.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.384.128 [GMT -6:00]

Running from: c:\documents and settings\poonjab1\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\LOG.TXT

c:\windows\AUTOLNCH.REG

c:\windows\bundles

c:\windows\bundles\58kd52fg.exe

c:\windows\bundles\activeshopper.exe

c:\windows\bundles\adl_hl.exe

c:\windows\bundles\AdSmartMedia_bundle.exe

c:\windows\bundles\adv0ltc0m.exe

c:\windows\bundles\ast_5_adsav.exe

c:\windows\bundles\b2s-162813.exe

c:\windows\bundles\Beryllium.exe

c:\windows\bundles\bs5-goodyr1.exe

c:\windows\bundles\cxt_big.exe

c:\windows\bundles\cxt_wmg.exe

c:\windows\bundles\d_ic.exe

c:\windows\bundles\Decade.exe

c:\windows\bundles\e2g51.exe

c:\windows\bundles\gogotoolsSILAWO8pi.exe

c:\windows\bundles\HLInstaller.exe

c:\windows\bundles\icmedia2_56.exe

c:\windows\bundles\ICMMedia_1cmm3d1a.exe

c:\windows\bundles\iehost.exe

c:\windows\bundles\installcasino.exe

c:\windows\bundles\KnNe1.exe

c:\windows\bundles\newmb.exe

c:\windows\bundles\NzI0MDo4OjEy.exe

c:\windows\bundles\package8033_MARKETING5.exe

c:\windows\bundles\pounder.exe

c:\windows\bundles\rop_marketing_1_168.exe

c:\windows\bundles\ropbundle.exe

c:\windows\bundles\runsearch.exe

c:\windows\bundles\sahagent-dectest1001.exe

c:\windows\bundles\sahagent-seedcorn1002.exe

c:\windows\bundles\setup_Incredifind_TrafficSpec.exe

c:\windows\bundles\setupactiv2.exe

c:\windows\bundles\ssee.exe

c:\windows\bundles\stlb2_seed.exe

c:\windows\bundles\vrinstall_icmedia.exe

c:\windows\bundles\winversion.exe

c:\windows\bundles\wrapperouter.exe

c:\windows\netdx.dat

c:\windows\patch.exe

c:\windows\run.log

c:\windows\system32\Cache

c:\windows\system32\drivers\rkavvkffv.sys

c:\windows\system32\drivers\str.sys

c:\windows\system32\P2P Networking

c:\windows\system32\P2P Networking\Cache\Database\index256.dbb

c:\windows\system32\P2P Networking\P2P Networking.eng

c:\windows\system32\stlbdist.XML

c:\windows\system32\tdlcmd.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :(

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_GIWRWSXNBK

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))

.

2009-11-29 18:20 . 2009-11-29 18:20 117760 ----a-w- c:\documents and settings\poonjab1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-11-29 18:19 . 2009-11-29 18:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com

2009-11-29 18:19 . 2009-11-29 18:19 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-11-29 18:19 . 2009-11-29 18:19 -------- d-----w- c:\documents and settings\poonjab1\Application Data\SUPERAntiSpyware.com

2009-11-29 18:18 . 2009-11-29 18:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-11-28 19:47 . 2006-09-01 21:53 110592 ----a-w- c:\documents and settings\Guest\Application Data\U3\temp\cleanup.exe

2009-11-28 19:47 . 2004-08-04 06:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2009-11-28 19:47 . 2004-08-04 06:56 21504 ----a-w- c:\windows\system32\hidserv.dll

2009-11-28 19:46 . 2004-08-04 05:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-11-28 19:46 . 2004-08-04 05:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-11-28 19:45 . 2009-11-28 19:47 -------- d-----w- c:\documents and settings\Guest\Application Data\U3

2009-11-28 19:36 . 2009-11-28 19:36 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes

2009-11-23 02:13 . 2009-12-05 13:19 4844296 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-11-22 15:18 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-22 15:17 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-22 15:17 . 2009-12-05 13:22 -------- d-----w- c:\program files\Malwaebytes' Anti-Malware

2009-11-21 00:44 . 2009-11-21 00:44 -------- d-----w- C:\Combo-Fix

2009-11-19 05:58 . 2009-11-19 21:36 1763360 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-11-17 04:08 . 2009-11-17 04:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2009-11-17 04:08 . 2009-11-17 04:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-11-17 03:32 . 2009-11-17 04:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-11-17 03:32 . 2009-11-17 04:06 -------- d-----w- c:\documents and settings\Administrator

2009-11-13 05:45 . 2009-11-13 05:45 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore

2009-11-11 17:29 . 2009-09-30 18:11 288096 ----a-r- c:\documents and settings\poonjab1\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

2009-11-11 17:26 . 2009-11-11 17:26 -------- d-----w- c:\documents and settings\poonjab1\Application Data\McAfee

2009-11-11 17:18 . 2009-11-11 17:18 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\SACore

2009-11-11 17:01 . 2009-11-11 17:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SiteAdvisor

2009-11-11 16:49 . 2009-09-16 16:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-11-11 16:49 . 2009-09-16 16:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-11-11 16:49 . 2009-09-16 16:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-11-11 16:48 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-11-11 16:45 . 2009-12-03 02:51 -------- d-----w- c:\program files\McAfee

2009-11-11 16:45 . 2009-11-11 16:49 -------- d-----w- c:\program files\Common Files\McAfee

2009-11-11 16:38 . 2009-09-16 16:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-11-11 16:30 . 2009-11-14 00:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-09 02:52 . 2007-09-25 02:14 -------- d-----w- c:\documents and settings\poonjab1\Application Data\U3

2009-11-19 05:58 . 2009-11-19 05:58 32 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-11-11 17:06 . 2005-04-15 01:49 -------- d-----w- c:\program files\McAfee.com

2009-11-11 17:06 . 2005-01-20 06:48 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee.com

2009-10-22 03:31 . 2009-10-22 03:31 -------- d-----w- c:\program files\BearShare

2009-09-16 16:22 . 2009-09-16 16:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-11 14:33 . 2001-08-23 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2004-01-27 21:23 . 2004-05-20 16:43 3149 -c--a-w- c:\program files\Common Files\remove_tools.html

2001-04-11 10:51 . 2001-04-11 10:51 21952 -c-ha-w- c:\program files\folder.htt

2004-05-16 00:44 . 2004-05-16 00:44 2814 -csha-w- c:\windows\system32\sfgex.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-08-07 155648]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/11/2009 11:01 AM 210216]

R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [6/29/2004 5:30 PM 96256]

S2 giwrwsxnbk;giwrwsxnbk;\??\c:\windows\system32\drivers\rkavvkffv.sys --> c:\windows\system32\drivers\rkavvkffv.sys [?]

S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [6/29/2004 5:30 PM 148352]

S3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [11/11/2005 4:04 PM 112380]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [8/17/2001 7:47 AM 9344]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: internet

Trusted Zone: mcafee.com

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKLM-Run-WCSE Mgr - (no file)

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe

HKU-Default-Run-ttool - c:\windows\9129837.exe

ShellExecuteHooks-{DB0855E9-B6AF-4840-A69A-F045B0422755} - c:\windows\nmdqbur.dll

AddRemove-HP PrecisionScan LTX - c:\windows\IsUninst.exe -fc:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\Uninst.isu -cc:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\HPUninstallIs.dll

AddRemove-MDS Search Booster - c:\documents and settings\poonjab1\Local Settings\Temporary Internet Files\Content.IE5\CPGB47G7\install[1].exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-08 22:25

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3764)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\System32\nvsvc32.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\progra~1\mcafee\msc\mcupdmgr.exe

.

**************************************************************************

.

Completion time: 2009-12-08 22:34:26 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-09 04:34

Pre-Run: 1,934,745,600 bytes free

Post-Run: 2,941,886,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 5898E47116695D28E9D99B11A3D48A82


  • Root Admin

Sorry for the delay. You should be a lot better off now I hope, but we still need to do some more.

STEP 01

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Driver::
giwrwsxnbk
File::
c:\windows\system32\drivers\rkavvkffv.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 03

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
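The service the CFScript above targets can be recognised in the ComboFix "Drivers/Services" section by its shape alone: a random-looking service name with no separate display name, an image registered by a raw `\??\` NT path, and a trailing `[?]` because ComboFix found no file at that path. The script below is an added example, not ComboFix, GMER or Malwarebytes code, that parses lines in that format and scores them for review. The sample lines are constructed in the format of the log posted earlier in this thread, and the consonant-run heuristic and the weights are my own assumptions.

```python
import re

# One ComboFix "Drivers/Services" line:  <start> <name>;<display name>;<image> [<timestamp size> | ?]
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# Constructed sample lines in the format of the ComboFix log above (not the poster's full log).
SAMPLE_LINES = [
    r"R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]",
    r"R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [6/29/2004 5:30 PM 96256]",
    r"S2 giwrwsxnbk;giwrwsxnbk;\??\c:\windows\system32\drivers\rkavvkffv.sys --> c:\windows\system32\drivers\rkavvkffv.sys [?]",
    r"S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [8/17/2001 7:47 AM 9344]",
]


def parse_service_line(line):
    """Split one service line into its fields; return None for non-service lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    bracket = rest.rfind("[")
    if bracket < 0:
        return None
    # A trailing "[?]" means ComboFix found no file at the image path;
    # otherwise the brackets carry the file's timestamp and size.
    file_missing = rest[bracket:] == "[?]"
    body = rest[:bracket].strip()
    # "\??\<path> --> <path>" shows the raw NT image path and its Win32 form.
    image_path = body.split("-->")[-1].strip()
    return {
        "start": m.group("start"),
        "name": m.group("name").strip(),
        "display": m.group("display").strip(),
        "image_path": image_path,
        "nt_prefix": body.startswith("\\??\\"),
        "file_missing": file_missing,
    }


def looks_random(name, min_consonant_run=6):
    """Crude heuristic (an assumption): real driver names rarely have six consonants in a row."""
    run = longest = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest >= min_consonant_run


def triage(lines, threshold=2):
    """Score each service entry and return those that deserve a manual look, highest score first."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []  # (text, weight); the weights are my own choice
        if entry["file_missing"]:
            reasons.append(("image file not found on disk", 2))
        if entry["display"] == entry["name"] and looks_random(entry["name"]):
            reasons.append(("random-looking name with no display name", 1))
        if entry["nt_prefix"]:
            reasons.append(("registered by raw NT object path", 1))
        score = sum(weight for _, weight in reasons)
        if score >= threshold:
            findings.append({
                "name": entry["name"],
                "start": entry["start"],
                "image_path": entry["image_path"],
                "score": score,
                "reasons": [text for text, _ in reasons],
            })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['name']} ({f['start']}) {f['image_path']} score={f['score']}: {', '.join(f['reasons'])}")
```

Run against the sample, only the `giwrwsxnbk` entry is reported; the SUPERAntiSpyware and Creative drivers score zero even though their names are terse, which is why the missing image file carries the most weight and a name heuristic on its own is never enough to act on.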


I apologize for the late response. I was without internet connectivity for the past few days and couldn't run the Kaspersky scan. Here are all three logs:

ComboFix 09-12-15.01 - poonjab1 12/16/2009 6:47.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.384.124 [GMT -6:00]

Running from: c:\documents and settings\poonjab1\Desktop\Kitty-Fix.exe

Command switches used :: c:\documents and settings\poonjab1\Desktop\CFscript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\system32\drivers\rkavvkffv.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_giwrwsxnbk

((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))

.

2009-11-29 18:20 . 2009-11-29 18:20 117760 ----a-w- c:\documents and settings\poonjab1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-11-29 18:19 . 2009-11-29 18:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com

2009-11-29 18:19 . 2009-11-29 18:19 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-11-29 18:19 . 2009-11-29 18:19 -------- d-----w- c:\documents and settings\poonjab1\Application Data\SUPERAntiSpyware.com

2009-11-29 18:18 . 2009-11-29 18:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-11-28 19:47 . 2006-09-01 21:53 110592 ----a-w- c:\documents and settings\Guest\Application Data\U3\temp\cleanup.exe

2009-11-28 19:47 . 2004-08-04 06:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2009-11-28 19:47 . 2004-08-04 06:56 21504 ----a-w- c:\windows\system32\hidserv.dll

2009-11-28 19:46 . 2004-08-04 05:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2009-11-28 19:46 . 2004-08-04 05:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2009-11-28 19:45 . 2009-11-28 19:47 -------- d-----w- c:\documents and settings\Guest\Application Data\U3

2009-11-28 19:36 . 2009-11-28 19:36 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes

2009-11-23 02:13 . 2009-12-05 13:19 4844296 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-11-22 15:18 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-22 15:17 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-22 15:17 . 2009-12-05 13:22 -------- d-----w- c:\program files\Malwaebytes' Anti-Malware

2009-11-21 00:44 . 2009-12-11 07:12 -------- d-----w- C:\Combo-Fix

2009-11-19 05:58 . 2009-11-19 21:36 1763360 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-11-17 04:08 . 2009-11-17 04:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2009-11-17 04:08 . 2009-11-17 04:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-11-17 03:32 . 2009-11-17 04:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-11-17 03:32 . 2009-11-17 04:06 -------- d-----w- c:\documents and settings\Administrator

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-16 00:26 . 2007-09-25 02:14 -------- d-----w- c:\documents and settings\poonjab1\Application Data\U3

2009-12-03 02:51 . 2009-11-11 16:45 -------- d-----w- c:\program files\McAfee

2009-11-19 05:58 . 2009-11-19 05:58 32 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-11-14 00:53 . 2009-11-11 16:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee

2009-11-13 05:45 . 2009-11-13 05:45 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore

2009-11-11 17:26 . 2009-11-11 17:26 -------- d-----w- c:\documents and settings\poonjab1\Application Data\McAfee

2009-11-11 17:18 . 2009-11-11 17:18 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\SACore

2009-11-11 17:06 . 2005-04-15 01:49 -------- d-----w- c:\program files\McAfee.com

2009-11-11 17:06 . 2005-01-20 06:48 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee.com

2009-11-11 17:01 . 2009-11-11 17:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SiteAdvisor

2009-11-11 16:49 . 2009-11-11 16:45 -------- d-----w- c:\program files\Common Files\McAfee

2009-10-22 03:31 . 2009-10-22 03:31 -------- d-----w- c:\program files\BearShare

2009-10-21 06:00 . 2005-03-31 15:30 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 06:00 . 2005-03-31 15:30 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-20 14:58 . 2005-03-31 15:31 263552 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:53 . 2001-08-23 12:00 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54 . 2001-08-23 12:00 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54 . 2001-08-23 12:00 112128 ----a-w- c:\windows\system32\rastls.dll

2009-09-30 18:11 . 2009-11-11 17:29 288096 ----a-r- c:\documents and settings\poonjab1\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

2004-01-27 21:23 . 2004-05-20 16:43 3149 -c--a-w- c:\program files\Common Files\remove_tools.html

2001-04-11 10:51 . 2001-04-11 10:51 21952 -c-ha-w- c:\program files\folder.htt

2004-05-16 00:44 . 2004-05-16 00:44 2814 -csha-w- c:\windows\system32\sfgex.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-08-07 155648]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/11/2009 11:01 AM 210216]

R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [6/29/2004 5:30 PM 96256]

S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [6/29/2004 5:30 PM 148352]

S3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [11/11/2005 4:04 PM 112380]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\ntapm.sys [8/17/2001 7:47 AM 9344]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: internet

Trusted Zone: mcafee.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-16 07:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2736)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\System32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2009-12-16 07:19:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-16 13:19

ComboFix2.txt 2009-12-09 04:34

Pre-Run: 2,525,474,816 bytes free

Post-Run: 2,783,506,432 bytes free

- - End Of File - - F6CA838F823C4EDE78B4E43564190375

Malwarebytes' Anti-Malware 1.42

Database version: 3379

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

12/17/2009 6:56:54 AM

mbam-log-2009-12-17 (06-56-54).txt

Scan type: Quick Scan

Objects scanned: 176907

Time elapsed: 14 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Friday, December 18, 2009

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, December 17, 2009 11:32:04

Records in database: 3381807

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

A:\

C:\

D:\

Scan statistics

Objects scanned 44034

Threats found 1

Infected objects found 1

Suspicious objects found 0

Scan duration 05:14:06

File name Threat Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.


  • Root Admin

That looks good. We just need to do some clean up now.

Click on START - RUN and type in Combofix /uninstall which will reset a few things and remove the files used during its running.

Great, all looks good now. Unless you have some other sign of infection please review the following.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

selectdrivecleanup.png selectdrivecleanup1.png

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

You can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

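The hosts-file mechanism the post above describes (hpHosts sinkholing unwanted hostnames to 127.0.0.1) is also what malware abuses in reverse, by pointing update or security-vendor hostnames at a remote address. The following audit script is an added example, not hpHosts' or Malwarebytes' code; it assumes 0.0.0.0 and ::1 count as sinkhole targets alongside 127.0.0.1, and the hosts content it parses is constructed.

```python
import ipaddress

# Addresses that only ever sinkhole a name (127.0.0.1 is what the post names;
# 0.0.0.0 and ::1 are my added assumption of other common null targets).
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file: the stock localhost line, two blocklist-style
# sinkhole entries, and one entry that redirects a real-looking name elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test   # sinkholed, hpHosts style
0.0.0.0         malware-drop.example.test
203.0.113.45    update.example-av.test     # sent to a remote host instead
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and bad lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or no hostname after the address
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address; do not guess
        for host in fields[1:]:
            yield ip, host.lower()


def audit_hosts(text):
    """Split entries into 'blocked' (sinkholed, the protective use the post
    describes) and 'redirected' (a name mapped to a non-local address, which
    deserves a manual check after a malware infection)."""
    blocked, redirected = [], []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the stock entry, never a blocklist line
        if ip in SINKHOLE_ADDRESSES:
            blocked.append(host)
        else:
            redirected.append((host, ip))
    return {"blocked": blocked, "redirected": redirected}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} hostnames sinkholed")
    for host, ip in report["redirected"]:
        print(f"CHECK: {host} -> {ip} is not a sinkhole entry")
```

On a real system point `audit_hosts` at the contents of `%SystemRoot%\system32\drivers\etc\hosts`; every line in the "redirected" list should be one you put there yourself.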